SPLK-3003 Splunk Core Certified Consultant Questions and Answers

The new search head connects to the captain and replays any recent configuration changes to bring it up to date.

The new search head connects to the deployer and replays any recent configuration changes to bring it up to date.

The new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date.

The new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date.

In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.

As a streaming command, streamstats performs better than stats since stats is just a reporting command.

When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.

Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.

tcp out, syslog out

Regex replacement, annotator

Aggregator

UTF-8, linebreaker, header

Option A

Option B

Option C

Option D

The internal Splunk authentication will take precedence.

Authentication will only succeed if the password is the same in both systems.

The LDAP user account will take precedence.

Splunk will error as it does not support overlapping usernames

The MC uses a REST endpoint to query the server.

Roles are manually assigned within the MC.

Roles are read from distsearch.conf.

The MC assigns all possible roles by default.

API: Python script with PAM/RADIUS details.

LDAP server: port, bind user credentials, path/to/groups, path/to/user.

LDAP server: port, bind user credentials, base DN for groups, base DN for users.

LDAP REST details, base DN for groups, base DN for users.

Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.

Ask the customer to engage with the sales team immediately as they probably need a larger license.

Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.

Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.

To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.

To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.

To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.

To search the firewall index for web logs that have been denied and are of high severity.