Notes: Hi all, the Splunk Core Certified Consultant SPLK-3003 Practice Exam Part 2 will familiarize you with the types of questions you may encounter on the certification exam and help you determine whether you are ready or need more preparation and/or experience. Successful completion of the practice exam does not guarantee that you will pass the certification exam, as the actual exam is longer and covers a wider range of topics. We highly recommend that you take the Splunk Core Certified Consultant SPLK-3003 Actual Exam Version because it includes real questions and highlighted answers collected in our exam. It will help you pass the exam more easily.
16. A customer has a new set of hardware to replace their aging indexers. What method would reduce the amount of bucket replication operations during the migration process?
A. Disable the indexing ports on the old indexers.
B. Disable replication ports on the old indexers.
C. Put the old indexers into manual detention.
D. Put the old indexers into automatic detention.
17. When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?
A. All replicated copies will be rolled to frozen; original copies will remain.
B. Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.
C. The bucket rolls to frozen on all clustered indexers simultaneously.
D. Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.
18. A site from a multi-site indexer cluster needs to be decommissioned. Which of the following actions must be taken?
A. Nothing. Decommissioning a site is not possible.
B. Create an alias for where the new data should be sent.
C. Remove the site from the list of available sites.
D. Remove the site from the list of available sites and create an alias for where the new data should be sent.
19. A customer wants to implement LDAP because managing local Splunk users is becoming too much of an overhead. What configuration details are needed from the customer to implement LDAP authentication?
A. API: Python script with PAM/RADIUS details.
B. LDAP server: port, bind user credentials, path/to/groups, path/to/user.
C. LDAP server: port, bind user credentials, base DN for groups, base DN for users.
D. LDAP REST details, base DN for groups, base DN for users.
20. A customer has a search head cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages. Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?
A. The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
B. The SHC will stop all scheduled search activity within the SHC.
C. The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
D. The SHC will function as expected as the SHC captain will fall back to the previous active captain in the remaining site.
21. A [script://] input sends data to a Splunk forwarder using which method?
A. UDP stream
B. TCP stream
C. Temporary file
D. STDOUT/STDERR
22. A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?
A. The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer’s environment.
B. While hot, warm, and cold buckets have the same search performance characteristics within the customer’s environment, due to their optimized structure, the thawed buckets are the most performant.
C. Searching hot and warm buckets results in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
D. Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).
23. An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week’s worth of data and are quite sensitive to search performance. Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
A. frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
B. maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
C. maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
D. frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs
24. A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the index-time parsing occur?
A. Indexer
B. Universal forwarder
C. Search head
D. Heavy forwarder
25. The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?
A. 1. Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server. 3. Decommission old peers one at a time. 4. Remove old peers from the CM’s list. 5. Update forwarders to forward to the new peers.
B. 1. Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers. 3. Decommission old peers one at a time. 4. Remove old peers from the CM’s list. 5. Update forwarders to forward to the new peers.
C. 1. Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server. 3. Update forwarders to forward to the new peers. 4. Decommission old peers one at a time. 5. Restart the cluster master (CM).
D. 1. Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers. 3. Update forwarders to forward to the new peers. 4. Decommission old peers one at a time. 5. Remove old peers from the CM’s list.
26. Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:
Which file(s) will actually be actively monitored?
A. /var/log/secure
B. /var/log/messages
C. /var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure
D. /var/log/secure, /var/log/messages
28. How could a role in which all users must specify an index= clause in all searches be configured?
A. Set the authorize.conf setting: srchIndexesDefault to no value.
B. Set the authorize.conf setting: srchFilter to no value.
C. Set the authorize.conf setting: srchIndexesAllowed to no value.
D. Set the authorize.conf setting: srchJobsQuota to no value.
29. In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?
A. For non-production environments to keep their configurations in sync.
B. To ensure every customer has exactly the same base settings.
C. To provide settings that do not need to be customized to meet customer requirements.
D. To provide settings that can be customized to meet customer requirements.
30. Data can be onboarded using apps, Splunk Web, or the CLI. Which is the PS preferred method?
A. Create UDP input port 9997 on a UF.
B. Use the add data wizard in Splunk Web.
C. Use the inputs.conf file.
D. Use a scripted input to monitor a log file.