Splunk SPLK-1003 - Splunk Enterprise Certified Admin

Using the provided DUO/Splunk reference URLhttps://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

--reset Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use.https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport

"The search head replicates the knowledge bundle periodically in the background or when initiating a search. " "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."

The outputs.conf file defines how forwarders send data to receivers1. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit outputs.conf1.

The [tcpout:…] stanza specifies a group of forwarding targets that receive data over TCP2. You can define multiple groups with different names and settings2.

The server setting lists one or more receiving hosts for the group, separated by commas2. If you specify multiple hosts, the forwarder load balances the data across them2.

Therefore, option A is correct, because the forwarder will send data to both inputsl.mysplunkhfs.corp:9997 and inputs2.mysplunkhfs.corp:9997, even if 145.188.183.184:9097 is unreachable.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

"To determine the order of directories for evaluating configuration file precendence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user"

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

#

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Scroll down to section titled, How the cluster handles concurrent search quotas, "Overall search quota. This quota determines the maximum number of historical searches (combined scheduled and ad hoc) that the cluster can run concurrently. This quota is configured with max_Searches_per_cpu and related settings in limits.conf."

The correct answer is C and D. A heavy forwarder and an indexer are the Splunk components that can break a stream of syslog inputs into individual events.

A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, but it does not perform any parsing or indexing on the data. A search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data.

A heavy forwarder is a Splunk component that can perform parsing, filtering, routing, and aggregation on the data before forwarding it to indexers or other destinations. A heavy forwarder can break a stream of syslog inputs into individual events based on the line breaker and should linemerge settings in the inputs.conf file1.

An indexer is a Splunk component that stores and indexes data, making it searchable. An indexer can also break a stream of syslog inputs into individual events based on the props.conf file settings, such as TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and line_breaker2.

A Splunk component is a software process that performs a specific function in a Splunk deployment, such as data collection, data processing, data storage, data search, or data visualization.

Syslog is a standard protocol for logging messages from network devices, such as routers, switches, firewalls, or servers. Syslog messages are typically sent over UDP or TCP to a central syslog server or a Splunk instance.

Breaking a stream of syslog inputs into individual events means separating the data into discrete records that can be indexed and searched by Splunk. Each event should have a timestamp, a host, a source, and a sourcetype, which are the default fields that Splunk assigns to the data.