Splunk Core Certified Consultant Sample Questions


The highly recognised Splunk certification programmes are created to recognise exceptional, well-trained, and in-demand personnel who are seen as authorities in their disciplines by other professionals in the sector. The Splunk Core Certified Consultant certification exam is the last test in the Splunk Core Certified Consultant track. This highly technical certification exam evaluates a candidate’s knowledge and abilities in the Splunk Deployment Methodology and best practices for planning, data collection, sizing, managing, and debugging a standard deployment with indexer and search head clustering. The article provides a list of Splunk Core Certified Consultant Sample Questions that cover core exam topics including:

  • Deploying Splunk
  • Monitoring Console
  • Access and Roles
  • Data Collection
  • Indexing
  • Search
  • Configuration Management
  • Indexer Clustering
  • Search Head Clustering

Advanced Sample Questions

Which of the following is not a valid Splunk deployment method?

  • a. Splunk Light
  • b. Splunk Enterprise
  • c. Splunk Hunk
  • d. Splunk Cloud

Answer: c.

Explanation: Splunk Hunk is not a valid Splunk deployment method. Hunk was the name for the Splunk App for Hadoop and was used for analyzing data stored in Hadoop. However, it has been discontinued and is no longer available.

What is the purpose of the Splunk Deployment Server?

  • a. To manage Splunk licenses across multiple servers.
  • b. To configure and deploy apps across multiple Splunk instances.
  • c. To collect and index log data from various sources.

Answer: b.

Explanation: The purpose of the Splunk Deployment Server is to configure and deploy apps across multiple Splunk instances. It allows administrators to manage app configurations and updates from a central location, saving time and reducing errors.

Which of the following is not a valid type of Splunk license?

  • a. Free
  • b. Trial
  • c. Standard
  • d. Enterprise

Answer: c.

Explanation: There is no Standard license type for Splunk. Splunk offers a Free license that allows users to index up to 500 MB of data per day, a Trial license that provides a 60-day evaluation period, and various Enterprise licenses that offer higher levels of functionality and support.

What is the purpose of the Splunk Search Head?

  • a. To collect and index log data from various sources.
  • b. To distribute search requests across multiple Splunk indexers.
  • c. To visualize and analyze data stored in the Splunk index.

Answer: c.

Explanation: The purpose of the Splunk Search Head is to visualize and analyze data stored in the Splunk index. It allows users to create custom dashboards, reports, and alerts, and to search and analyze data using the Splunk Search Processing Language (SPL).

Which of the following is a valid Splunk search command for filtering events based on a specific field value?

  • a. sort
  • b. dedup
  • c. stats
  • d. where

Answer: d.

Explanation: The “where” command is a valid Splunk search command for filtering events based on a specific field value. For example, the search query “index=main where status=200” would return all events from the “main” index where the “status” field is equal to 200.

What is the purpose of the Splunk forwarder?

  • a. To collect and index log data from various sources.
  • b. To distribute search requests across multiple Splunk indexers.
  • c. To send log data to a central Splunk instance for indexing and analysis.

Answer: c.

Explanation: The purpose of the Splunk forwarder is to send log data to a central Splunk instance for indexing and analysis. It collects data from various sources and sends it to one or more indexers for storage and analysis.

Which of the following is not a valid Splunk search command?

  • a. search
  • b. eval
  • c. join
  • d. filter

Answer: d.

Explanation: “filter” is not a valid Splunk search command. The correct command is “where” for filtering events based on specific field values.

What is the purpose of the Splunk indexer?

  • a. To collect and index log data from various sources.
  • b. To distribute search requests across multiple Splunk indexers.
  • c. To store and index log data for search and analysis.

Answer: c.

Explanation: The purpose of the Splunk indexer is to store and index log data for search and analysis. It receives data from the forwarders and stores it in a searchable format that can be queried using the Splunk Search Processing Language (SPL).

Which of the following is a valid Splunk search command for calculating statistical values?

  • a. dedup
  • b. where
  • c. stats
  • d. chart

Answer: c.

Explanation: The “stats” command is a valid Splunk search command for calculating statistical values. It allows users to calculate count, sum, average, minimum, maximum, and other statistical values for events in the search results.

Which of the following is not a valid Splunk authentication method?

  • a. LDAP
  • b. Kerberos
  • c. OAuth
  • d. JWT

Answer: d.

Explanation: “JWT” is not a valid Splunk authentication method. Splunk supports authentication methods such as LDAP, Kerberos, and OAuth for user authentication and access control.

Basic Sample Questions

Q1) How does a new Splunk instance’s server role(s) get identified by the Monitoring Console (MC) at first?

  • A. The MC queries the server using a REST interface.
  • B. In the MC, roles are manually assigned.
  • C. distsearch.conf is read to retrieve roles.
  • D. The MC automatically allocates all positions.

Correct Answer: C

Q2) In which configuration file does the Monitoring Console (MC) health check configuration data reside?

  • A. healthcheck.conf
  • B. alert_actions.conf
  • C. distsearch.conf
  • D. checklist.conf

Correct Answer: D

Q3) Which of the following about subsearches is true?

  • A. Compared to other search methods, subsearches are quicker.
  • B. When combining two extensive result sets, subsearches perform best.
  • C. Subsearches are conducted concurrently with their outer search.
  • D. Small result sets are best suited for subsearches.

Correct Answer: A

Q4) What is the main motivation for a customer’s environment to use indexer clustering?

  • A. To boost resilience as the volume of searches grows.
  • B. To lessen the delay in indexing.
  • C. To expand a Splunk setup in order to provide higher performance capacity.
  • D. To increase the availability of data buckets.

Correct Answer: D

Q5) Where should the Monitoring Console (MC) be deployed in a single indexer cluster?

  • A. Deployer shared with the cluster master.
  • B. License master that has 50 clients or more.
  • C. Cluster master node
  • D. Production Search Head

Correct Answer: C

Q6) A customer downloaded the Splunk App for AWS from Splunkbase and used the deployer to install it in a search head cluster. A power user has since modified one of the app’s dashboards on one of the search head cluster members. The app must now be updated via the deployer, and the update contains a changed version of that dashboard. What happens?

  • A. The conflict with the dashboard customised by the power user will prevent the updated dashboard from being globally distributed to all users.
  • B. The conflict will prevent the search head cluster bundle from being applied.
  • C. Power users will have access to the new dashboard.
  • D. Power users will see their customised version of the dashboard rather than the updated one.

Correct Answer: A

Q7) After adding 1,000 more clients, a customer’s deployment server is overloaded with forwarder connections. The phone home interval is at its default setting of 60 seconds. What is advised to reduce the number of DS connection failures?

  • A. Construct a tiered deployment server structure.
  • B. Set the phone home interval to 6 seconds.
  • C. Set the phone home interval to 60 seconds.
  • D. Increase the phone home interval to 600 seconds.

Correct Answer: A

Q8) What is the Splunk PS advice for deploying apps and leveraging the deployment server?

  • A. Carefully create more compact apps with repeatable configurations.
  • B. Use the deployment server to just deploy Splunk PS base configurations.
  • C. On forwarders, apply configurations from $SPLUNK_HOME/etc/system/local and only deploy TAs via the deployment server.
  • D. Carefully create larger apps with several configurations.

Correct Answer: B

Q9) Which of the following processors is present in the indexing pipeline?

  • A. tcp out, syslog out
  • B. Regex replacement, annotator
  • C. Aggregator
  • D. UTF-8, linebreaker, header

Correct Answer: D

Q10) Which configuration setting has to be changed from true to false to dramatically boost data ingestion efficiency?

  • A. AUTO_KV_JSON
  • B. BREAK_ONLY_BEFORE_DATE
  • C. SHOULD_LINEMERGE
  • D. ANNOTATE_PUNCT

Correct Answer: C

Q11) A customer is replacing their outdated indexers with a fresh set of hardware. How can the number of bucket replication operations during the migration be reduced?

  • A. Disable the indexing ports on the old indexers.
  • B. Disable replication ports on the old indexers.
  • C. Put the old indexers into manual detention.
  • D. Put the old indexers into automatic detention.

Correct Answer: D

Q12) Which of the following takes place when a bucket on a clustered indexer rolls from cold to frozen?

  • A. Original copies will be kept; all cloned copies will be rolled to frozen.
  • B. All other indexers will still have replicas of the bucket, and the Cluster Master (CM) will assign a new primary bucket.
  • C. Nothing: all clustered indexers experience the bucket rolling to frozen at the same time.
  • D. Until a local retention rule forces it to roll, replicated copies of the bucket will continue to exist on all other indexers.

Correct Answer: B

Q13) A site must be decommissioned from a multi-site indexer cluster. Which of the following activities is required?

  • A. None. It is impossible to shut down a site.
  • B. Establish an alias to be used when sending fresh data.
  • C. Take the site off the list of available sites.
  • D. Delete the site from the list of available sites and designate a new address to which the update information should be sent.

Correct Answer: D

Q14) Since managing local Splunk users is becoming too time-consuming, a customer wishes to implement LDAP. Which configuration information from the customer is required to set up LDAP authentication?

  • A. API: Python script with PAM/RADIUS details.
  • B. LDAP server: port, bind user credentials, path/to/groups, path/to/user.
  • C. LDAP server: port, bind user credentials, base DN for groups, base DN for users.
  • D. LDAP REST details, base DN for groups, base DN for users.

Correct Answer: C

Q15) A client’s six-member search head cluster (SHC) is evenly distributed between two data centres (DC). Due to frequent disruptions, the customer is worried about network connectivity between the two DCs. Which statement regarding SHC resilience during a network outage between the two DCs is accurate?

  • A. Until network contact is restored, the SHC will operate as planned with the SHC deployer acting as the new captain.
  • B. All scheduled searches inside the SHC will come to an end.
  • C. The SHC will operate as expected because an SHC needs a minimum of three nodes to operate.
  • D. The SHC will operate as expected because the prior active captain in the remaining sites will take over as the SHC captain.

Correct Answer: D

Q16) Which method is used to transfer data from a [script:/] input to a Splunk forwarder?

  • A. UDP stream
  • B. TCP stream
  • C. Temporary file
  • D. STDOUT/STDERR

Correct Answer: C

Q17) A customer is interested in learning how Splunk’s hot, warm, and cold bucket types affect search performance in their environment. Their indexers store all data on a single device. What is the appropriate message to deliver to the client?

  • A. The search performance characteristics for the hot, warm, and cold bucket types are the same in the customer’s environment.
  • B. Thawed buckets are the most efficient due to their optimised structure, even if hot, warm, and cold buckets all exhibit the same search performance characteristics in the customer’s environment.
  • C. Because cold buckets are by default reduced in size by deleting TSIDX files to reduce storage costs, searching hot and warm buckets yields the best performance.
  • D. Cold bucket searches will take longer compared to hot and warm bucket searches because cold buckets are written to a less expensive/slower storage volume (SSD).

Correct Answer: B

Q18) An indexer receives roughly 50 GB of data each day at a steady and predictable rate. The client wants to keep this data searchable for at least 30 days. They also have hourly scheduled searches that run over a week’s worth of data and are very sensitive to search performance. Which of the following sets of indexes.conf settings may be used to fulfil the requirements under ideal circumstances (no restarts, no drops or bursts in data volume) while adhering to PS best practices?

  • A. frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
  • B. maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
  • C. maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
  • D. frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs

Correct Answer: B

Q19) A customer’s splunkd.log is being monitored by a Universal Forwarder (UF) via inputs.conf. To reach an indexer, the data must pass through a heavy forwarder. Where does index-time parsing take place?

  • A. Indexer
  • B. Universal forwarder
  • C. Search head
  • D. Heavy forwarder

Correct Answer: D

Q20) How could a role be configured so that every user must include the index= clause in every search?

  • A. Set the authorize.conf setting: srchIndexesDefault to no value.
  • B. Set the authorize.conf setting: srchFilter to no value.
  • C. Set the authorize.conf setting: srchIndexesAllowed to no value.
  • D. Set the authorize.conf setting: srchJobsQuota to no value.

Correct Answer: B
