Splunk Enterprise System Administration Quiz Questions and Answers

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Answer :
  • CPUs

How do you remove missing forwarders from the Monitoring Console?

Answer :
  • By rebuilding the forwarder asset table

Which of the following are methods for adding inputs in Splunk? (Select all that apply)

Answer :
  • Editing inputs.conf
  • Splunk Web
  • CLI

Which setting in indexes.conf allows data retention to be controlled by time?

Answer :
  • frozenTimePeriodInSecs

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

Answer :
  • Blacklist

In which Splunk configuration is the SEDCMD used?

Answer :
  • props.conf

Which parent directory contains the configuration files in Splunk?

Answer :
  • $SPLUNK_HOME/etc

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

Answer :
  • Indexers

In which phase of the index time process does the license metering occur?

Answer :
  • Indexing phase

User role inheritance allows what to be inherited from the parent role? (Select all that apply.)

Answer :
  • Capabilities