Splunk Infrastructure Overview 6.4 (eLearning) – Flashcards
question
What are the 3 main processing components of Splunk?
answer
Forwarders, Indexers, Search Heads
question
Raw data in an index is stored in a ________ form.
answer
compressed
question
Forwarders are typically installed on _____________.
answer
Machines where the data originates
question
The ___________ handle search management while ___________ perform the searches.
answer
1. search heads 2. indexers
question
A group of indexers configured to replicate each other's data is called a ________.
answer
Index Cluster
question
__________ is often the biggest bottleneck in the Splunk indexing pipeline.
answer
Disk I/O
question
Search heads do not require as much ______ as indexers but require more _________.
answer
1. disk space 2. CPU power
question
Adding more machines no matter the hardware will make your deployment perform better.
answer
False
question
Splunk indexers and Search Heads on virtual machines should have ____ of the vCPU reserved to them.
answer
100%
question
Keeping ____ synchronized across your deployment makes sure events are returned in the proper order.
answer
time
question
What command is used to start the Splunk Enterprise server?
answer
./splunk start
question
This command can be used to make Splunk start each time the server is booted.
answer
./splunk enable boot-start
question
When logging into Splunk Enterprise for the first time, a username of ______ and a password of ______ are used.
answer
1. admin 2. changeme
question
The _______ folder inside the Splunk Enterprise installation directory contains licenses and configuration files.
answer
etc
question
Splunk Enterprise commands are executed from the ________ directory.
answer
bin
question
The following are Splunk Enterprise processing tiers.
answer
Data input, Indexing, Search Management
question
Event separation happens during the ________ segment of the data pipeline.
answer
parsing
question
Events are written to disk during the _______ segment of the data pipeline.
answer
Indexing
question
The functions of the data pipeline vary drastically depending on the deployment.
answer
False
question
Splunk Enterprise licenses specify how much data you can index per __________.
answer
day
question
Any editing done to .conf files should be done in the ________ directory.
answer
local
question
The ________ index is used when an index is not specified at input time.
answer
main
question
Having multiple indexes allows:
answer
Faster searches, Access limiting, Multiple retention policies
question
As data is input into Splunk Enterprise, it is first placed into a ________ bucket.
answer
hot
question
Some differences between hot and warm buckets are:
answer
Hot buckets are writable, warm buckets are not. Hot buckets are searched first. The naming convention.
question
When a bucket is frozen, by default it is moved to a different location before deleting.
answer
False
question
The timezone setting in a user's account will affect the timestamp shown in events.
answer
True
question
_______________ define what users can do in Splunk.
answer
Roles
question
Only the ________ role can use the Delete Command by default.
answer
can_delete
question
The ______ role has the most capabilities of the predefined Splunk roles.
answer
admin
question
When mixing authentication sources, scripted authentication will always take precedence.
answer
False
question
In most production environments, _______ will be used as your main source of data input.
answer
forwarders
question
Splunk uses ____________ to categorize the type of data being indexed.
answer
sourcetypes
question
The server that data is forwarded to is called the ______________.
answer
receiver
question
Indexing on a Heavy Forwarder does not affect your license.
answer
False
question
The following can be used to build apps for Splunk:
answer
Simple XML Splunk JavaScript SDKs
question
When migrating from a single instance deployment to a distributed environment, you will want to use the existing instance as an _______.
answer
indexer
question
An indexer in a distributed search environment is called a __________.
answer
search peer
question
It is a best practice to ____________ forwarders across all indexers in a search peer group.
answer
load balance
question
The management port is required when adding a search peer to a search head.
answer
True
question
DMC stands for
answer
Distributed Management Console
question
In most Splunk deployments, _________ serve as the primary way data is supplied for indexing.
answer
forwarders
question
Search strings are sent from the
answer
Search head
question
Forwarders are typically installed on __________
answer
Machines where the data originates
question
A server acting as a ___________ requires the same hardware as a single deployment server.
answer
Indexer
question
Splunk Enterprise can be installed in virtual environments.
answer
True
question
In a Windows environment, a local system user will have access to:
answer
all data on the local system
question
Search requests are processed by the ____________.
answer
Indexer
question
____________ is the system process that handles indexing, searching, forwarding and the web interface for Splunk Enterprise.
answer
Splunkd
question
Splunk Enterprise should always be run as root in a *NIX environment.
answer
False
question
It is suggested that you have a single deployment instance available for _________.
answer
testing and development
question
A total of ____ cores are recommended per search head.
answer
16
question
Forwarders should never be installed on Windows servers.
answer
False
question
SplunkWeb is accessed on port _______ by default.
answer
8000
question
Properties in the _______ file allow you to configure how data is transformed as it is processed.
answer
not later
question
The segment of the data pipeline that stores user's knowledge objects is the __________ segment.
answer
not indexing not data input not parsing
question
This component is NOT installed from the Splunk Enterprise Package.
answer
Universal Forwarder
question
Splunk Enterprise deployment typically has ___ processing tiers.
answer
3
question
The segment of the data pipeline that stores user's knowledge objects is the _______ segment.
answer
not parsing not data input
question
The licensing meter takes place at data ______ time.
answer
indexing
question
Any editing done to .conf files should be done in the _____ directory.
answer
local
question
The default management port for Splunkd is:
answer
8089
question
Search Heads require more _____ than indexers.
answer
CPU Power
question
What are some of the components installed from the Splunk Enterprise Package?
answer
not indexer search head universal forwarder
question
The .conf files can only be edited using the Splunk web interface.
answer
False
question
Splunk uses the ________ index when indexing its own logs and metrics.
answer
_internal
question
Event separation happens during the __________ segment of the data pipeline.
answer
parsing
question
Events are written to disk during the ____ segment of the data pipeline.
answer
indexing
question
A license violation causes all data to stop being indexed.
answer
False
question
The functions of the data pipeline vary drastically depending on the deployment.
answer
False
question
Properties in the _______ file allow you to configure how data is transformed as it is processed.
answer
not alter.conf
question
Parsing and Indexing are both part of the ____ processing tier.
answer
Indexing