Splunk splk-3001 practice test

What should be used to map a non-standard field name to a CIM field name?

• A. Field alias.
• B. Search time extraction.
• C. Tag.
• D. Eventtype.

A customer site is experiencing poor performance. The UI response time is high and searches take a
very long time to run. Some operations time out and there are errors in the scheduler logs, indicating
too many concurrent searches are being started. 6 total correlation searches are scheduled and they
have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

• A. Change the search heads to do local indexing of summary searches.
• B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
• C. Increase memory and CPUs on the search head(s) and add additional indexers.
• D. If indexed realtime search is enabled, disable it for the notable index.

Following the installation of ES, an admin configured users with the ess_user role the ability to close
notable events.
How would the admin restrict these users from being able to change the status of Resolved notable
events to Closed?

• A. In Enterprise Security, give the ess_user role the Own Notable Events permission.
• B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
• C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
• D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.

What can be exported from ES using the Content Management page?

• A. Only correlation searches, managed lookups, and glass tables.
• B. Only correlation searches.
• C. Any content type listed in the Content Management page.
• D. Only correlation searches, glass tables, and workbench panels.

Accelerated data requires approximately how many times the daily data volume of additional storage
space per year?

• A. 3.4
• B. 5.7
• C. 1.0
• D. 2.5

When installing Enterprise Security, what should be done after installing the add-ons necessary for
normalizing data?

• A. Configure the add-ons according to their README or documentation.
• B. Disable the add-ons until they are ready to be used, then enable the add-ons.
• C. Nothing, there are no additional steps for add-ons.
• D. Configure the add-ons via the Content Management dashboard.

How is it possible to specify an alternate location for accelerated storage?

• A. Configure storage optimization settings for the index.
• B. Update the Home Path setting in indexes, conf
• C. Use the tstatsHomePath setting in props, conf
• D. Use the tstatsHomePath Setting in indexes, conf

A security manager has been working with the executive team en long-range security goals. A
primary goal for the team Is to Improve managing user risk in the organization. Which of the
following ES features can help identify users accessing inappropriate web sites?

• A. Configuring the identities lookup with user details to enrich notable event Information for forensic analysis.
• B. Make sure the Authentication data model contains up-to-date events and is properly accelerated.
• C. Configuring user and website watchlists so the User Activity dashboard will highlight unwanted user actions.
• D. Use the Access Anomalies dashboard to identify unusual protocols being used to access corporate sites.

Which of the following is part of tuning correlation searches for a new ES installation?

• A. Configuring correlation notable event index.
• B. Configuring correlation permissions.
• C. Configuring correlation adaptive responses.
• D. Configuring correlation result storage.

What do threat gen searches produce?

• A. Threat Intel in KV Store collections.
• B. Threat correlation searches.
• C. Threat notables in the notable index.
• D. Events in the threat_activity index.

Which of the following steps will make the Threat Activity dashboard the default landing page in ES?

• A. From the Edit Navigation page, drag and drop the Threat Activity view to the top of the page.
• B. From the Preferences menu for the user, select Enterprise Security as the default application.
• C. From the Edit Navigation page, click the 'Set this as the default view" checkmark for Threat Activity.
• D. Edit the Threat Activity view settings and checkmark the Default View option.

What is an example of an ES asset?

• A. MAC address
• B. User name
• C. Server
• D. People

After managing source types and extracting fields, which key step comes next In the Add-On Builder?

• A. Validate and package
• B. Configure data collection.
• C. Create alert actions.
• D. Map to data models.

The option to create a Short ID for a notable event is located where?

• A. The Additional Fields.
• B. The Event Details.
• C. The Contributing Events.
• D. The Description.

Which feature contains scenarios that are useful during ES Implementation?

• A. Use Case Library
• B. Correlation Searches
• C. Predictive Analytics
• D. Adaptive Responses