SPLK-3001 Practice Test Questions

98 Questions


A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs, indicating too many concurrent searches are being started. 6 total correlation searches are scheduled and they have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?

A. Change the search heads to do local indexing of summary searches.
B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
C. Increase memory and CPUs on the search head(s) and add additional indexers.
D. If indexed realtime search is enabled, disable it for the notable index.

Answer: C. Increase memory and CPUs on the search head(s) and add additional indexers.



How is it possible to specify an alternate location for accelerated storage?

A. Configure storage optimization settings for the index.
B. Update the Home Path setting in indexes.conf.
C. Use the tstatsHomePath setting in props.conf.
D. Use the tstatsHomePath setting in indexes.conf.

Answer: C. Use the tstatsHomePath setting in props.conf.



Which setting indicates that the correlation search will be executed as new events are indexed?

A. Always-On
B. Real-Time
C. Scheduled
D. Continuous

Answer: C. Scheduled

Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Configurecorrelationsearches

When investigating, what is the best way to store a newly-found IOC?

A. Paste it into Notepad.
B. Click the “Add IOC” button.
C. Click the “Add Artifact” button.
D. Add it in a text note to the investigation.

Answer: C. Click the “Add Artifact” button.



Which of the following lookup types in Enterprise Security contains information about known hostile IP addresses?

A. Security domains.
B. Threat intel.
C. Assets.
D. Domains.

Answer: B. Threat intel.

Reference: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Manageinternallookups

What kind of value is in the red box in this picture?

A. A risk score.
B. A source ranking.
C. An event priority.
D. An IP address rating.

Answer: A. A risk score.

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/FormateventsforHTTPEventCollector

Which of the following features can the Add-on Builder configure in a new add-on?

A. Expire data.
B. Normalize data.
C. Summarize data.
D. Translate data.

Answer: B. Normalize data.

Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Overview

Where should an ES search head be installed?

A. On a Splunk server with top level visibility.
B. On any Splunk server.
C. On a server with a new install of Splunk.
D. On a Splunk server running Splunk DB Connect.

Answer: B. On any Splunk server.

Reference: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Export

What is the first step when preparing to install ES?

A. Install ES.
B. Determine the data sources used.
C. Determine the hardware required.
D. Determine the size and scope of installation.

Answer: D. Determine the size and scope of installation.



Which of the following is a risk of using the Auto Deployment feature of Distributed Configuration Management to distribute indexes.conf?

A. Indexes might crash.
B. Indexes might be processing.
C. Indexes might not be reachable.
D. Indexes have different settings.

Answer: A. Indexes might crash.



Which of the following actions can improve overall search performance?

A. Disable indexed real-time search.
B. Increase priority of all correlation searches.
C. Reduce the frequency (schedule) of lower-priority correlation searches.
D. Add notable event suppressions for correlation searches with high numbers of false positives.

Answer: A. Disable indexed real-time search.



Which argument to the | tstats command restricts the search to summarized data only?

A. summaries=t
B. summaries=all
C. summariesonly=t
D. summariesonly=all

Answer: C. summariesonly=t

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Acceleratedatamodels

