Splunk splk-3001 practice test

Which setting is used in indexes.conf to specify alternate locations for accelerated storage?

• A. thawedPath
• B. tstatsHomePath
• C. summaryHomePath
• D. warmToColdScript

Which of the following is a way to test for a property normalized data model?

• A. Use Audit -> Normalization Audit and check the Errors panel.
• B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
• C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
• D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.

Which argument to the | tstats command restricts the search to summarized data only?

• A. summaries=t
• B. summaries=all
• C. summariesonly=t
• D. summariesonly=all

When investigating, what is the best way to store a newly-found IOC?

• A. Paste it into Notepad.
• B. Click the “Add IOC” button.
• C. Click the “Add Artifact” button.
• D. Add it in a text note to the investigation.

How is it possible to navigate to the list of currently-enabled ES correlation searches?

• A. Configure -> Correlation Searches -> Select Status “Enabled”
• B. Settings -> Searches, Reports, and Alerts -> Filter by Name of “Correlation”
• C. Configure -> Content Management -> Select Type “Correlation” and Status “Enabled”
• D. Settings -> Searches, Reports, and Alerts -> Select App of “SplunkEnterpriseSecuritySuite” and filter by “- Rule”

Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration
Management to distribute indexes.conf?

• A. Indexes might crash.
• B. Indexes might be processing.
• C. Indexes might not be reachable.
• D. Indexes have different settings.

Which of the following are data models used by ES? (Choose all that apply)

• A. Web
• B. Anomalies
• C. Authentication
• D. Network Traffic

At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the
indexers?

• A. When adding apps to the deployment server.
• B. Splunk_TA_ForIndexers.spl is installed first.
• C. After installing ES on the search head(s) and running the distributed configuration management tool.
• D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Which correlation search feature is used to throttle the creation of notable events?

• A. Schedule priority.
• B. Window interval.
• C. Window duration.
• D. Schedule windows.

Both “Recommended Actions” and “Adaptive Response Actions” use adaptive response. How do
they differ?

• A. Recommended Actions show a textual description to an analyst, Adaptive Response Actions show them encoded.
• B. Recommended Actions show a list of Adaptive Responses to an analyst, Adaptive Response Actions run them automatically.
• C. Recommended Actions show a list of Adaptive Responses that have already been run, Adaptive Response Actions run them automatically.
• D. Recommended Actions show a list of Adaptive Resposes to an analyst, Adaptive Response Actions run manually with analyst intervention.