Splunk splk-3003 practice test

A customer’s deployment server is overwhelmed with forwarder connections after adding an
additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number
of connection failures to the DS what is recommended?

• A. Create a tiered deployment server topology.
• B. Reduce the phone home interval to 6 seconds.
• C. Leave the phone home interval at 60 seconds.
• D. Increase the phone home interval to 600 seconds.

Which of the following server.conf stanzas indicates the Indexer Discovery feature has not been fully
configured (restart pending) on the Master Node?

• A. Option A
• B. Option B
• C. Option C
• D. Option D

What is the Splunk PS recommendation when using the deployment server and building deployment
apps?

• A. Carefully design smaller apps with specific configuration that can be reused.
• B. Only deploy Splunk PS base configurations via the deployment server.
• C. Use $SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server.
• D. Carefully design bigger apps containing multiple configs.

Which of the following processor occur in the indexing pipeline?

• A. tcp out, syslog out
• B. Regex replacement, annotator
• C. Aggregator
• D. UTF-8, linebreaker, header

Which configuration item should be set to false to significantly improve data ingestion performance?

• A. AUTO_KV_JSON
• B. BREAK_ONLY_BEFORE_DATE
• C. SHOULD_LINEMERGE
• D. ANNOTATE_PUNCT

A customer has a new set of hardware to replace their aging indexers. What method would reduce
the amount of bucket replication operations during the migration process?

• A. Disable the indexing ports on the old indexers.
• B. Disable replication ports on the old indexers.
• C. Put the old indexers into manual detention.
• D. Put the old indexers into automatic detention.

When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios
occurs?

• A. All replicated copies will be rolled to frozen; original copies will remain.
• B. Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.
• C. The bucket rolls to frozen on all clustered indexers simultaneously.
• D. Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.

A site from a multi-site indexer cluster needs to be decommissioned. Which of the following actions
must be taken?

• A. Nothing. Decommissioning a site is not possible.
• B. Create an alias for where the new data should be sent.
• C. Remove the site from the list of available sites.
• D. Remove the site from the list of available sites and create an alias for where the new data should be sent.

A customer wants to implement LDAP because managing local Splunk users is becoming too much of
an overhead. What configuration details are needed from the customer to implement LDAP
authentication?

• A. API: Python script with PAM/RADIUS details.
• B. LDAP server: port, bind user credentials, path/to/groups, path/to/user.
• C. LDAP server: port, bind user credentials, base DN for groups, base DN for users.
• D. LDAP REST details, base DN for groups, base DN for users.

A customer has a search cluster (SHC) of six members split evenly between two data centers (DC).
The customer is concerned with network connectivity between the two DCs due to frequent outages.
Which of the following is true as it relates to SHC resiliency when a network outage occurs between
the two DCs?

• A. The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
• B. The SHC will stop all scheduled search activity within the SHC.
• C. The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
• D. The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.