Which indexes are searched by default for CIM data models?
A.
notable and default
B.
summary and notable
C.
_internal and summary
D.
All indexes
All indexes
Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-datamodels.html
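Because the CIM data models are unconstrained by default, every accelerated data model search scans every index the user can see, which is both slow and a source of noise. The practical fix is to constrain each data model to the indexes that actually hold that data type through its `cim_<DataModel>_indexes` macro, either in the CIM Setup page or directly in `Splunk_SA_CIM/local/macros.conf`. The following fragment is an added example, not text from the page; the index names `wineventlog`, `linux_secure` and `pan_logs` are assumptions for illustration.

```ini
# Splunk_SA_CIM/local/macros.conf (added example; index names are assumed)
# Default shipped definition is "()" which means "all indexes".
# Each data model's constraint search wraps this macro, e.g.
#   (`cim_Authentication_indexes`) tag=authentication
# so the definition must be a valid search fragment in parentheses.

[cim_Authentication_indexes]
definition = (index=wineventlog OR index=linux_secure)

[cim_Network_Traffic_indexes]
definition = (index=pan_logs)

# Leave a model unconstrained only on purpose; "()" keeps the default.
[cim_Web_indexes]
definition = ()
```

After saving, confirm the change took effect with `| datamodel Authentication search` over a short time range and check that the `index` field in the results only contains the indexes listed; a macro edited on a search head cluster must be deployed through the deployer, not edited on one member.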
What tools does the Risk Analysis dashboard provide?
A.
High risk threats.
B.
Notable event domains displayed by risk score.
C.
A display of the highest risk assets and identities.
D.
Key indicators showing the highest probability correlation searches in the environment
A display of the highest risk assets and identities.
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis
Which two fields combine to create the Urgency of a notable event?
A.
Priority and Severity.
B.
Priority and Criticality.
C.
Criticality and Severity.
D.
Precedence and Time.
Priority and Severity.
Reference: https://docs.splunk.com/Documentation/ES/6.4.1/User/Howurgencyisassigned
Where is the Add-On Builder available from?
A.
GitHub
B.
SplunkBase
C.
www.splunk.com
D.
The ES installation package
SplunkBase
Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Installation
Where are attachments to investigations stored?
A.
KV Store
B.
notable index
C.
attachments.csv lookup
D.
<splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments
KV Store
Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations
Which tool is used to update indexers in ES?
A.
Index Updater
B.
Distributed Configuration Management
C.
indexes.conf
D.
Splunk_TA_ForIndexers.spl
Distributed Configuration Management
When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?
A.
indexes.conf, props.conf, transforms.conf
B.
web.conf, props.conf, transforms.conf
C.
inputs.conf, props.conf, transforms.conf
D.
eventtypes.conf, indexes.conf, tags.conf
indexes.conf, props.conf, transforms.conf
A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?
A.
Install ES on the existing search head.
B.
Add a new search head and install ES on it.
C.
Increase the number of CPUs and amount of memory on the search head, then install ES.
D.
Delete the non-CIM-compliant apps from the search head, then install ES.
Add a new search head and install ES on it.
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf
Which of these is a benefit of data normalization?
A.
Reports run faster because normalized data models can be optimized for better performance.
B.
Dashboards take longer to build.
C.
Searches can be built no matter the specific source technology for a normalized data type.
D.
Forwarder-based inputs are more efficient.
Searches can be built no matter the specific source technology for a normalized data type.
Explanation:
Normalizing data to the Common Information Model gives equivalent events from different sources the same field names and tags, so a single search or correlation search works regardless of the source technology. Faster reports come from data model acceleration, which is a separate feature applied on top of a data model, not from normalization itself.
When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?
A.
Use new app names each time content is exported.
B.
Do not use the .spl extension when naming an export.
C.
Always include existing and new content for each export.
D.
Either use new app names or always include both existing and new content.
Either use new app names or always include both existing and new content.
Explanation:
Installing an exported app that has the same app name as a previously imported one replaces that app, so any content missing from the new export is removed from ES. Either use new app names each time (which could be difficult to manage) or make sure you always include all content (old and new) each time you export.
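A quick way to check the second option before importing is to compare the two exports. A `.spl` file is a gzip-compressed tar archive, so the savedsearches stanzas it carries can be listed without installing it. The script below is an added example, not part of the page or of ES itself; the app name `DA-ESS-Custom` and the stanza names used in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): list the savedsearches.conf stanzas
# that an earlier ES content export contains but a newer export lacks.
# Importing the newer .spl under the same app name would replace the
# earlier app, so every stanza printed here would disappear from ES.

# Print the sorted, de-duplicated stanza names from every
# savedsearches.conf inside a .spl (a gzip-compressed tar archive).
spl_stanzas() {
    spl=$1
    tar -tzf "$spl" | grep 'savedsearches\.conf$' | while read -r member; do
        tar -xzOf "$spl" "$member"
    done | sed -n 's/^\[\(.*\)\]$/\1/p' | sort -u
}

# Print stanzas present in the old export (arg 1) but not the new one (arg 2).
# comm needs sorted input, which spl_stanzas already provides.
missing_stanzas() {
    old_list=$(mktemp)
    new_list=$(mktemp)
    spl_stanzas "$1" > "$old_list"
    spl_stanzas "$2" > "$new_list"
    comm -23 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}
```

Usage: `missing_stanzas old_export.spl new_export.spl`. Empty output means the new export is a superset of the old one for correlation searches and other saved searches; a non-empty list means either the missing content was deliberately retired or the new export should be regenerated with the existing content selected.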