SPLK-3001 Exam Questions

Total 97 Questions

Last Updated: 16-Dec-2024

Which indexes are searched by default for CIM data models?


A.

notable and default


B.

summary and notable


C.

_internal and summary


D.

All indexes





D.
  

All indexes



Reference: https://answers.splunk.com/answers/600354/indexes-searched-by-cim-datamodels.html
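Because the CIM data models search every index by default, an ES admin narrows their scope through Configure > CIM Setup, which writes one search macro per data model named cim_<DataModel>_indexes (for example cim_Web_indexes) into macros.conf; a macro that has never been configured has the definition (). The script below is an added example, not from the exam page or from Splunk: it parses a constructed macros.conf and reports the data models whose macro still searches all indexes. The sample stanzas and the helper names (parse_conf, index_scope, unconstrained_models) are assumptions made for the example.

```python
"""Audit which indexes the CIM data models will search.

Added example, not from the exam page or from Splunk. It assumes the ES CIM
Setup convention that each data model's index scope is a search macro named
cim_<DataModel>_indexes in macros.conf, with the definition "()" until an
admin constrains it. The macros.conf text below is constructed for the example.
"""
import configparser
import re

# Constructed sample of Splunk_SA_CIM/local/macros.conf after a partial CIM setup.
SAMPLE_MACROS_CONF = """\
[cim_Authentication_indexes]
definition = (index=wineventlog OR index=linux_secure)

[cim_Web_indexes]
definition = ()

[cim_Network_Traffic_indexes]
definition = (index=firewall)

[cim_Malware_indexes]
definition =

[some_other_macro]
definition = index=_internal
"""

CIM_MACRO = re.compile(r"^cim_(?P<model>.+)_indexes$")


def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def index_scope(definition):
    """Return the index names a cim_*_indexes macro definition restricts to.
    An empty list means the data model searches every index the user can see."""
    return re.findall(r"index\s*=\s*\"?([A-Za-z0-9_*-]+)\"?", definition or "")


def unconstrained_models(conf_text):
    """Return data model names whose index macro still matches all indexes."""
    open_models = []
    for stanza, keys in parse_conf(conf_text).items():
        m = CIM_MACRO.match(stanza)
        if not m:
            continue
        if not index_scope(keys.get("definition", "")):
            open_models.append(m.group("model"))
    return sorted(open_models)


if __name__ == "__main__":
    for model in unconstrained_models(SAMPLE_MACROS_CONF):
        print(f"cim_{model}_indexes is unconstrained: the data model searches all indexes")
```

Run against the real file on the ES search head (Splunk_SA_CIM/local/macros.conf) to see which data models still scan every index; an unconstrained macro costs search performance and pulls in data you may not intend the data model to cover.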

What tools does the Risk Analysis dashboard provide?


A.

High risk threats.


B.

Notable event domains displayed by risk score.


C.

A display of the highest risk assets and identities.


D.

Key indicators showing the highest probability correlation searches in the environment





C.
  

A display of the highest risk assets and identities.



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/User/RiskAnalysis

Which two fields combine to create the Urgency of a notable event?


A.

Priority and Severity.


B.

Priority and Criticality.


C.

Criticality and Severity.


D.

Precedence and Time.





A.
  

Priority and Severity.



Reference: https://docs.splunk.com/Documentation/ES/6.4.1/User/Howurgencyisassigned

Where is the Add-On Builder available from?


A.

GitHub


B.

SplunkBase


C.

www.splunk.com


D.

The ES installation package





B.
  

SplunkBase



Reference: https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Installation

Where are attachments to investigations stored?


A.

KV Store


B.

notable index


C.

attachments.csv lookup


D.

<splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments





A.
  

KV Store



Reference: https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageinvestigations

Which tool is used to update indexers in ES?


A.

Index Updater


B.

Distributed Configuration Management


C.

indexes.conf


D.

Splunk_TA_ForIndexers.spl





B.
  

Distributed Configuration Management



When using distributed configuration management to create the Splunk_TA_ForIndexers package, which three files can be included?


A.

indexes.conf, props.conf, transforms.conf


B.

web.conf, props.conf, transforms.conf


C.

inputs.conf, props.conf, transforms.conf


D.

eventtypes.conf, indexes.conf, tags.conf





A.
  

indexes.conf, props.conf, transforms.conf



A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?


A.

Install ES on the existing search head.


B.

Add a new search head and install ES on it.


C.

Increase the number of CPUs and amount of memory on the search head, then install ES.


D.

Delete the non-CIM-compliant apps from the search head, then install ES.





B.
  

Add a new search head and install ES on it.



Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

Which of these is a benefit of data normalization?


A.

Reports run faster because normalized data models can be optimized for better
performance.


B.

Dashboards take longer to build.


C.

Searches can be built no matter the specific source technology for a normalized data type.


D.

Forwarder-based inputs are more efficient.





A.
  

Reports run faster because normalized data models can be optimized for better
performance.



When ES content is exported, an app with a .spl extension is automatically created. What is the best practice when exporting and importing updates to ES content?


A.

Use new app names each time content is exported.


B.

Do not use the .spl extension when naming an export.


C.

Always include existing and new content for each export.


D.

Either use new app names or always include both existing and new content.





D.
  

Either use new app names or always include both existing and new content.



Explanation:
Either use a new app name for each export (which can become difficult to manage), or make sure every export includes all content, old and new, so that re-importing under the same app name does not drop anything.
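Two checks a practitioner would run on the packages discussed above, the Splunk_TA_ForIndexers package produced by Distributed Configuration Management and the .spl content exports, written here as an added example that is not from the exam page or from Splunk. A .spl file is a gzipped tar of an app directory; the packages below are constructed in memory for the example. The allow-list for the indexer package follows the earlier answer (indexes.conf, props.conf, transforms.conf), and the export comparison implements the "always include existing and new content" practice by reporting stanzas that a previous export had and the new one lacks. The function names (build_spl, conf_files, disallowed_indexer_files, dropped_content) and the sample stanzas are assumptions made for the example.

```python
"""Inspect ES .spl packages before deploying or re-importing them.

Added example, not from the exam page or from Splunk. The packages are
constructed in memory; the helpers are names chosen for this example.
"""
import configparser
import io
import tarfile

# Only these .conf files belong in the Splunk_TA_ForIndexers package.
INDEXER_TA_ALLOWED = {"indexes.conf", "props.conf", "transforms.conf"}


def build_spl(app_name, files):
    """Build an in-memory .spl (tar.gz) from {relative_path: text}. Constructed input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=f"{app_name}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def conf_files(spl_bytes):
    """Return {relative path: text} for every .conf member of the package."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".conf"):
                rel = member.name.split("/", 1)[1]  # strip the app directory
                out[rel] = tar.extractfile(member).read().decode()
    return out


def disallowed_indexer_files(spl_bytes):
    """Conf files in an indexer package that should not be pushed to indexers."""
    return sorted(p for p in conf_files(spl_bytes)
                  if p.rsplit("/", 1)[-1] not in INDEXER_TA_ALLOWED)


def stanzas(text):
    """Set of stanza names in Splunk .conf text (INI-like)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return set(cp.sections())


def dropped_content(old_spl, new_spl):
    """Stanzas present in the previous export but missing from the new one, per file.
    A non-empty result means re-importing under the same app name would lose content."""
    old, new = conf_files(old_spl), conf_files(new_spl)
    missing = {}
    for path, old_text in old.items():
        gone = stanzas(old_text) - stanzas(new.get(path, ""))
        if gone:
            missing[path] = sorted(gone)
    return missing


# Constructed indexer package: inputs.conf is a forwarder-side file that does not belong here.
INDEXER_TA = build_spl("Splunk_TA_ForIndexers", {
    "default/indexes.conf": "[web]\nhomePath = $SPLUNK_DB/web/db\n",
    "default/props.conf": "[access_combined]\nTRANSFORMS-set_index = route_web\n",
    "default/transforms.conf": "[route_web]\nDEST_KEY = _MetaData:Index\nFORMAT = web\n",
    "default/inputs.conf": "[monitor:///var/log/nginx]\nindex = web\n",
})

# Constructed content exports: the second one omits the Brute Force rule.
EXPORT_V1 = build_spl("DA-ESS-CustomContent", {
    "default/savedsearches.conf":
        "[Custom - Brute Force - Rule]\nsearch = index=notable | head 1\n\n"
        "[Custom - Rare Process - Rule]\nsearch = index=notable | head 1\n",
})
EXPORT_V2 = build_spl("DA-ESS-CustomContent", {
    "default/savedsearches.conf":
        "[Custom - Rare Process - Rule]\nsearch = index=notable | head 1\n\n"
        "[Custom - New Admin - Rule]\nsearch = index=notable | head 1\n",
})

if __name__ == "__main__":
    print("not for indexers:", disallowed_indexer_files(INDEXER_TA))
    print("dropped since last export:", dropped_content(EXPORT_V1, EXPORT_V2))
```

Point conf_files at a real package (open the .spl file and pass its bytes) to apply the same checks to an actual Splunk_TA_ForIndexers.spl or content export before it is distributed or imported.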



Splunk SPLK-3001 Exam Details


Exam Code: SPLK-3001
Exam Name: Splunk Enterprise Security Certified Admin Exam
Certification Name: Splunk Enterprise Security Certified Admin Certification
Certification Provider: Splunk
Exam Questions: 48
Type of Questions: MCQs
Exam Time: 60 minutes
Passing Score: 70%
Exam Price: $130
Prerequisites: None