SPLK-3001 Practice Test

Which of the following are data models used by ES? (Choose all that apply)

A.

Web

B.

Anomalies

C.

Authentication

D.

Network Traffic

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

A.

$SPLUNK_HOME/etc/master-apps/

B.

$SPLUNK_HOME/etc/system/local/

C.

$SPLUNK_HOME/etc/shcluster/apps

D.

$SPLUNK_HOME/var/run/searchpeers

Which lookup table does the Default Account Activity Detected correlation search use to flag known default accounts?

A.

Administrative Identities

B.

Local User Intel

C.

Identities

D.

Privileged Accounts

How is notable event urgency calculated?

A.

Asset priority and threat weight.

B.

Alert severity found by the correlation search.

C.

Asset or identity risk and severity found by the correlation search.

D.

Severity set by the correlation search and priority assigned to the associated asset or identity.

A customer site is experiencing poor performance. The UI response time is high and
searches take a very long time to run. Some operations time out and there are errors in the
scheduler logs, indicating too many concurrent searches are being started. 6 total
correlation searches are scheduled and they have already been tuned to weed out false
positives.
Which of the following options is most likely to help performance?

A.

Change the search heads to do local indexing of summary searches.

B.

Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.

C.

Increase memory and CPUs on the search head(s) and add additional indexers.

D.

If indexed realtime search is enabled, disable it for the notable index.