Splunk Enterprise Data Administration Quiz Questions and Answers

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Answer :
  • CPUs

How do you remove missing forwarders from the Monitoring Console?

Answer :
  • By rebuilding the forwarder asset table

Which of the following are methods for adding inputs in Splunk? (Select all that apply)

Answer :
  • Editing inputs.conf
  • Splunk Web
  • CLI

Which setting in indexes.conf allows data retention to be controlled by time?

Answer :
  • frozenTimePeriodInSecs

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

Answer :
  • Blacklist

In which Splunk configuration is the SEDCMD used?

Answer :
  • props.conf

User role inheritance allows what to be inherited from the parent role? (Select all that apply.)

Answer :
  • Capabilities

For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?

Answer :
  • FALSE

Where are license files stored?

Answer :
  • $SPLUNK_HOME/etc/licenses

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

Answer :
  • To ensure that data has not been tampered with for auditing and/or legal purposes.