Free Splunk Core Certified Consultant Exam SPLK-3003 Exam Practice Test

A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?

• Enter the license master configuration via Splunk web on each indexer before disabling Splunk web.
• Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle.
• Update the Splunk PS base config license app and copy to each indexer.
• Update the Splunk PS base config license app and deploy via the cluster master.

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

• None. Splunk default configurations will process the events as needed; the UF is not causing truncation.
• Configure the best practice magic 6 or great 8 props.conf settings.
• EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.
• Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.

Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?

• Merging pipeline
• Indexing pipeline
• Typing pipeline
• Parsing pipeline

In a large cloud customer environment with many (>100) dynamically created endpoint systems, each with a UF already deployed, what is the best approach for associating these systems with an appropriate serverclass on the deployment server?

• Work with the cloud orchestration team to create a common host-naming convention for these systems so a simple pattern can be used in the serverclass.conf whitelist attribute.
• Create a CSV lookup file for each severclass, manually keep track of the endpoints within this CSV file, and leverage the whitelist.from_pathname attribute in serverclass.conf.
• Work with the cloud orchestration team to dynamically insert an appropriate clientName setting into each endpoint's local/deploymentclient.conf which can be matched by whitelist in serverclass.conf.
• Using an installation bootstrap script run a CLI command to assign a clientName setting and permit serverclass.conf whitelist simplification.

A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles -- security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network indexunder the security role and the operations index under the operations role. The new roles are set up to inherit the default user role.If a new user is created and assigned to the operations role only, which indexes will the user have access to search?

• operations, network, _internal, _audit
• operations
• No Indexes
• operations, network

A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?

• The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer's environment.
• While hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.
• Searching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
• Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

• Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design.
• Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision.
• Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design.
• Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.

When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?

• The new search head connects to the captain and replays any recent configuration changes to bring it up to date.
• The new search head connects to the deployer and replays any recent configuration changes to bring it up to date.
• The new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date.
• The new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date.

As a best practice which of the following should be used to ingest data on clustered indexers?

• Monitoring (via a process), collecting data (modular inputs) from remote systems/applications
• Modular inputs, HTTP Event Collector (HEC), inputs.conf monitor stanza
• Actively listening on ports, monitoring (via a process), collecting data from remote systems/applications
• splunktcp, splunktcp-ssl, HTTP Event Collector (HEC)

Which of the following statements is true, as it pertains to search head clustering (SHC)?

• SHC is supported on AIX, Linux, and Windows operating systems.
• Maximum number of nodes for a SHC is 10.
• SHC members must run on the same hardware specifications.
• Minimum number of nodes for a SHC is 5.