Splunk Enterprise System Administration Quiz Questions and Answers

Which valid bucket types are searchable? (Select all that apply.)

Answer :
  • Warm buckets
  • Hot buckets
  • Cold buckets

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Answer :
  • CPUs

True/False: $SPLUNK_HOME/etc/users/authentication.conf

Answer :
  • FALSE

How do you remove missing forwarders from the Monitoring Console?

Answer :
  • By rebuilding the forwarder asset table

Which of the following are methods for adding inputs in Splunk? (Select all that apply)

Answer :
  • Editing inputs.conf
  • Splunk Web
  • CLI

Which setting in indexes.conf allows data retention to be controlled by time?

Answer :
  • frozenTimePeriodInSecs

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

Answer :
  • Blacklist

In which Splunk configuration file is SEDCMD used?

Answer :
  • props.conf

Which parent directory contains the configuration files in Splunk?

Answer :
  • $SPLUNK_HOME/etc

In which phase of the index time process does the license metering occur?

Answer :
  • Indexing phase