Splunk SPLK-3001 Online Practice Questions and Exam Preparation

Splunk SPLK-3001 Online Questions & Answers

• Question 1:

  Which of the following is a key feature of a glass table?

  A. Rigidity.
  B. Customization.
  C. Interactive investigations.
  D. Strong data for later retrieval.
  B. Customization.

• Question 2:

  To which of the following should the ES application be uploaded?

  A. The indexer.
  B. The KV Store.
  C. The search head.
  D. The dedicated forwarder.
  C. The search head.

• Question 3:

  When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?

  A. Use new app names each time content is exported.
  B. Do not use the .spl extension when naming an export.
  C. Always include existing and new content for each export.
  D. Either use new app names or always include both existing and new content.
  D. Either use new app names or always include both existing and new content.

• Question 4:

  Which of the following threat intelligence types can ES download? (Choose all that apply)

  A. Text
  B. STIX/TAXII
  C. VulnScanSPL
  D. SplunkEnterpriseThreatGenerator
  A. Text
  B. STIX/TAXII

• Question 5:

  Following the installation of ES, an admin configured users with the ess_user role the ability to close notable events.

  How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?

  A. In Enterprise Security, give the ess_user role the Own Notable Events permission.
  B. From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
  C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
  D. From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
  C. From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.

• Question 6:

  The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

  A. Web
  B. Risk
  C. Performance
  D. Authentication
  D. Authentication

• Question 7:

  Which of the following is part of tuning correlation searches for a new ES installation?

  A. Configuring correlation notable event index.
  B. Configuring correlation permissions.
  C. Configuring correlation adaptive responses.
  D. Configuring correlation result storage.
  A. Configuring correlation notable event index.

• Question 8:

  The option to create a Short ID for a notable event is located where?

  A. The Additional Fields.
  B. The Event Details.
  C. The Contributing Events.
  D. The Description.
  B. The Event Details.

• Question 9:

  Which argument to the | tstats command restricts the search to summarized data only?

  A. summaries=t
  B. summaries=all
  C. summariesonly=t
  D. summariesonly=all
  C. summariesonly=t

• Question 10:

  At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

  A. When adding apps to the deployment server.
  B. Splunk_TA_ForIndexers.spl is installed first.
  C. After installing ES on the search head(s) and running the distributed configuration management tool.
  D. Splunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.
  C. After installing ES on the search head(s) and running the distributed configuration management tool.