Which of these is a benefit of data normalization?
A. Reports run faster because normalized data models can be optimized for better performance.
B. Dashboards take longer to build.
C. Searches can be built no matter the specific source technology for a normalized data type.
D. Forwarder-based inputs are more efficient.

Where is detailed information about identities stored?
A. The Identity Investigator index.
B. The Access Anomalies collection.
C. The User Activity index.
D. The Identity Lookup CSV file.

After installing Enterprise Security, the distributed configuration management tool can be used to create which app to configure indexers?
A. Splunk_DS_ForIndexers.spl
B. Splunk_ES_ForIndexers.spl
C. Splunk_SA_ForIndexers.spl
D. Splunk_TA_ForIndexers.spl

Where is the Add-On Builder available from?
A. GitHub
B. SplunkBase
C. www.splunk.com
D. The ES installation package

How does ES know local customer domain names so it can detect internal vs. external emails?
A. Web and email domain names are set in General -> General Configuration.
B. ES uses the User Activity index and applies machine learning to determine internal and external domains.
C. The Corporate Web and Email Domain Lookups are edited during initial configuration.
D. ES extracts local email and web domains automatically from SMTP and HTTP logs.

Which tool is used to update indexers in ES?
A. Index Updater
B. Distributed Configuration Management
C. indexes.conf
D. Splunk_TA_ForIndexers.spl

Accelerated data requires approximately how many times the daily data volume of additional storage space per year?
A. 3.4
B. 5.7
C. 1.0
D. 2.5

When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?
A. indexes.conf, props.conf, transforms.conf
B. web.conf, props.conf, transforms.conf
C. inputs.conf, props.conf, transforms.conf
D. eventtypes.conf, indexes.conf, tags.conf

Which of the following are examples of sources for events in the endpoint security domain dashboards?
A. REST API invocations.
B. Investigation final results status.
C. Workstations, notebooks, and point-of-sale systems.
D. Lifecycle auditing of incidents, from assignment to resolution.

What tools does the Risk Analysis dashboard provide?
A. High risk threats.
B. Notable event domains displayed by risk score.
C. A display of the highest risk assets and identities.
D. Key indicators showing the highest probability correlation searches in the environment.

A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?
A. Install ES on the existing search head.
B. Add a new search head and install ES on it.
C. Increase the number of CPUs and amount of memory on the search head, then install ES.
D. Delete the non-CIM-compliant apps from the search head, then install ES.

What can be exported from ES using the Content Management page?
A. Only correlation searches, managed lookups, and glass tables.
B. Only correlation searches.
C. Any content type listed in the Content Management page.
D. Only correlation searches, glass tables, and workbench panels.

A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. Six correlation searches in total are scheduled, and they have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?
A. Change the search heads to do local indexing of summary searches.
B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
C. Increase memory and CPUs on the search head(s) and add additional indexers.
D. If indexed realtime search is enabled, disable it for the notable index.

Which of the following are data models used by ES? (Choose all that apply)
A. Web
B. Anomalies
C. Authentication
D. Network Traffic

Which argument to the | tstats command restricts the search to summarized data only?
A. summaries=t
B. summaries=all
C. summariesonly=t
D. summariesonly=all