What conf file needs to be edited to set up distributed search groups?
Correct Answer: C
Explanation: "You can group your search peers to facilitate searching on a subset of them. Groups of search peers are known as 'distributed search groups.' You specify distributed search groups in the distsearch.conf file."
SPLK-1003 Exam Question 17
Which layers are involved in Splunk configuration file layering? (select all that apply)
Correct Answer: A,B,C
Explanation: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:
Global: Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user: Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.
SPLK-1003 Exam Question 18
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
Correct Answer: C
Explanation: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Howuserscancontroldistributedsearches
"From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers, and consolidates the results when presenting them to the user."
SPLK-1003 Exam Question 19
A configuration file in a deployed app needs to be directly edited. Which steps would ensure a successful deployment to clients?
Correct Answer: C
Explanation: According to the Splunk documentation [1], to customize a configuration file, you need to create a new file with the same name in a local or app directory. Then, add the specific settings that you want to customize to the local configuration file. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. The Splunk Enterprise upgrade process overwrites the default directory.
To deploy configuration files to deployment clients, you need to use the deployment server. The deployment server is a Splunk Enterprise instance that distributes content and updates to deployment clients [2]. The deployment server uses a directory called $SPLUNK_HOME/etc/deployment-apps to store the apps and configuration files that it deploys to clients [2]. To update the configuration files in this directory, you need to edit them manually and then run the command $SPLUNK_HOME/bin/splunk reload deploy-server to make the changes take effect [2].
Therefore, option A is incorrect because it does not include the reload command. Option B is incorrect because it makes the change on a deployment client instead of the deployment server. Option D is incorrect because it changes the default directory instead of the local directory.
References:
[1] How to edit a configuration file - Splunk Documentation
[2] Deployment of configuration files - Splunk Community
SPLK-1003 Exam Question 20
How do you remove missing forwarders from the Monitoring Console?