SPLUNK ADMIN EXAM QUESTIONS
WITH CORRECT ANSWERS
Which layer receives and stores data from forwarders, and searches data in response
to user requests?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- b) Indexing/Parsing
Which layer monitors data sources and forwards data, and is the best practice method
for data collection?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- c) Inputs
What type of architecture is best for testing, POCs, personal use or learning?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- a) Single-server, standalone
What type of architecture provides the best options for scaling in a variety of ways?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- c) Distributed
Which of the following is NOT true about the index data integrity check?
a) It provides a way to validate that data has not been tampered with after indexing.
b) It produces calculated hash files for auditing and legal purposes.
c) It protects data in-flight from forwarders.
d) It works on the index level (including clustering). - Answer- c) It protects data in-flight
from forwarders.
Which of the following are true?
,a) High-volume indexes should have up to 10 hot buckets
b) New indexes default to 3 hot buckets
c) If it is likely an index will receive events that are not in time-sequence order, you
should increase the number of hot buckets.
d) Incorrect retention settings can cause premature bucket rotation or even stop Splunk.
- Answer- All
Which installer will you use to install the Search Head?
a) Splunk Enterprise
b) Splunk Universal Forwarder - Answer- a) Splunk Enterprise
When you install Splunk on a Windows OS, you also have to configure the boot-start.
True or False - Answer- False. You only need to do that on a Linux installation. Splunk
must be manually started on *NIX until boot-start is enabled.
The default Splunk Web port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- c) 8000
The default splunkd port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- b) 8089
The default Web app-server proxy port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- d) 8065 is used by the python-based application server.
The default KV store port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- 8191
, What type of architecture includes all features on the main Splunk server, except for
forwarders which are installed at the data source?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- b) Basic
The universal forwarder requires significant resources on hosts systems in order to
ensure that no data is lost in transmission to the indexer.
True or False - Answer- False. The UF requires minimal resources and is typically
installed on the machines that produce the data.
Which layer allows users to submit queries using SPL, and consolidates and renders
visualizations of the data for users?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- a) Searching
Which of the following statements is false?
a) For input, Splunk must be able to access data sources.
b) It is best to run Splunk as a super-user, such as root on *NIX or administrator on
Windows.
c) The Splunk account needs to access scripts used for inputs and alerts.
d) On Windows, you should use a domain account if Splunk has to connect to other
servers, otherwise use a local account that can run services.
True or False. - Answer- b) It is best to run Splunk as a super-user, such as root on
*NIX or administrator on Windows.
Which of the following statements is true?
a) It is not best-practice to use a time synchronization service such as NTP
b) Splunk services do not depend on accurate time
c) Clock skew between hosts can affect search results
d) Indexers and production servers do not need standardized time config - Answer- c)
Clock skew between hosts can affect search results
Which of the following are true statements about splunkd?
a) It spawns and controls Splunk child processes
b) It runs on port 8089 by default
WITH CORRECT ANSWERS
Which layer receives and stores data from forwarders, and searches data in response
to user requests?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- b) Indexing/Parsing
Which layer monitors data sources and forwards data, and is the best practice method
for data collection?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- c) Inputs
What type of architecture is best for testing, POCs, personal use or learning?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- a) Single-server, standalone
What type of architecture provides the best options for scaling in a variety of ways?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- c) Distributed
Which of the following is NOT true about the index data integrity check?
a) It provides a way to validate that data has not been tampered with after indexing.
b) It produces calculated hash files for auditing and legal purposes.
c) It protects data in-flight from forwarders.
d) It works on the index level (including clustering). - Answer- c) It protects data in-flight
from forwarders.
Which of the following are true?
,a) High-volume indexes should have up to 10 hot buckets
b) New indexes default to 3 hot buckets
c) If it is likely an index will receive events that are not in time-sequence order, you
should increase the number of hot buckets.
d) Incorrect retention settings can cause premature bucket rotation or even stop Splunk.
- Answer- All
Which installer will you use to install the Search Head?
a) Splunk Enterprise
b) Splunk Universal Forwarder - Answer- a) Splunk Enterprise
When you install Splunk on a Windows OS, you also have to configure the boot-start.
True or False - Answer- False. You only need to do that on a Linux installation. Splunk
must be manually started on *NIX until boot-start is enabled.
The default Splunk Web port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- c) 8000
The default splunkd port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- b) 8089
The default Web app-server proxy port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- d) 8065 is used by the python-based application server.
The default KV store port is:
a) 8191
b) 8089
c) 8000
d) 8065 - Answer- 8191
, What type of architecture includes all features on the main Splunk server, except for
forwarders which are installed at the data source?
a) Single-server, standalone
b) Basic
c) Distributed - Answer- b) Basic
The universal forwarder requires significant resources on hosts systems in order to
ensure that no data is lost in transmission to the indexer.
True or False - Answer- False. The UF requires minimal resources and is typically
installed on the machines that produce the data.
Which layer allows users to submit queries using SPL, and consolidates and renders
visualizations of the data for users?
a) Searching
b) Indexing/Parsing
c) Inputs - Answer- a) Searching
Which of the following statements is false?
a) For input, Splunk must be able to access data sources.
b) It is best to run Splunk as a super-user, such as root on *NIX or administrator on
Windows.
c) The Splunk account needs to access scripts used for inputs and alerts.
d) On Windows, you should use a domain account if Splunk has to connect to other
servers, otherwise use a local account that can run services.
True or False. - Answer- b) It is best to run Splunk as a super-user, such as root on
*NIX or administrator on Windows.
Which of the following statements is true?
a) It is not best-practice to use a time synchronization service such as NTP
b) Splunk services do not depend on accurate time
c) Clock skew between hosts can affect search results
d) Indexers and production servers do not need standardized time config - Answer- c)
Clock skew between hosts can affect search results
Which of the following are true statements about splunkd?
a) It spawns and controls Splunk child processes
b) It runs on port 8089 by default
