A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations, making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this.
Which resource would help the customer gather the requirements for their new architecture?
A. Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.
B. Ask the customer to engage with the sales team immediately as they probably need a larger license.
C. Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.
D. Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.
An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance.
Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
A. frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
B. maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
C. maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
D. frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs
Which of the following statements applies to indexer discovery?
A. The Cluster Master (CM) can automatically discover new indexers added to the cluster.
B. Forwarders can automatically discover new indexers added to the cluster.
C. Deployment servers can automatically configure new indexers added to the cluster.
D. Search heads can automatically discover new indexers added to the cluster.
What does Splunk do when it indexes events?
A. Extracts the top 10 fields.
B. Extracts metadata fields such as host, source, sourcetype.
C. Performs parsing, merging, and typing processes on universal forwarders.
D. Creates report acceleration summaries.
Report acceleration has been enabled for a specific use case. In which bucket location is the corresponding CSV file located?
A. thawedPath
B. summaryHomePath
C. tstatsHomePath
D. homePath, coldPath
A customer has a multisite cluster (two sites, each site in its own data center), and users are experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations.
Which of the following would be the least expensive and easiest way to improve search performance?
A. Configure site_search_factor to ensure a searchable copy exists in the local site for each search head.
B. Move all indexers and search heads in one of the data centers into the same site.
C. Install a network pipe with more bandwidth between the two data centers.
D. Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.
When utilizing a subsearch within a Splunk SPL search query, which of the following statements is accurate?
A. Subsearches have to be initiated with the | subsearch command.
B. Subsearches can only be utilized with | inputlookup command.
C. Subsearches have a default result output limit of 10000.
D. There are no specific limitations when using subsearches.
Which of the following server roles should be configured for a host which indexes its internal logs locally?
A. Cluster master
B. Indexer
C. Monitoring Console (MC)
D. Search head
What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk space?
A. A warm standby CM needs to be brought online as soon as possible before an indexer has an outage.
B. The indexer cluster will continue to operate as long as no indexers fail.
C. If the indexer cluster has site failover configured in the CM, the second cluster master will take over.
D. The indexer cluster will continue to operate as long as a replacement CM is deployed within 24 hours.
Which statement is correct?
A. In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.
B. As a streaming command, streamstats performs better than stats since stats is just a reporting command.
C. When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.
D. Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.