When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?
Correct Answer: C
The correct answer is C: on the deployment server, $SPLUNK_HOME/etc/deployment-apps.

A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called "deployment clients". A deployment client can be a universal forwarder, a non-clustered indexer, or a search head. A deployment app is a directory that contains any content you want to download to a set of deployment clients. The content can include a Splunk Enterprise app, a set of Splunk Enterprise configurations, or other content such as scripts, images, and supporting files.

You create a deployment app by creating a directory for it on the deployment server. The default location is $SPLUNK_HOME/etc/deployment-apps, but this is configurable through the repositoryLocation attribute in serverclass.conf. Underneath this location, each app must have its own subdirectory. The name of the subdirectory serves as the app name in the forwarder management interface.

The other options are incorrect because:

A) On Universal Forwarder, $SPLUNK_HOME/etc/apps. This is the location where the deployment app resides after it is downloaded from the deployment server to the universal forwarder. It is not the location of the app before it is deployed.

B) On Deployment Server, $SPLUNK_HOME/etc/apps. This is the location where the apps that are specific to the deployment server itself reside. It is not the location where the deployment apps for the clients are stored.

D) On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps. This is not a valid location for any app on a universal forwarder. The universal forwarder does not act as a deployment server and does not store deployment apps.
Question 2
An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)
Correct Answer: C,D
Question 3
Which Splunk component performs indexing and responds to search requests from the search head?
Correct Answer: B
Explanation: https://docs.splunk.com/Splexicon:Searchpeer "A Splunk platform instance that responds to search requests from a search head. The term "Search peer" is usually synonymous with the indexer role in a distributed search topology..."
Question 4
All search-time field extractions should be specified on which Splunk component?
Correct Answer: D
Explanation: Search-time field extractions are the process of extracting fields from events after they are indexed. Search-time field extractions are specified on the search head, which is the Splunk component that handles searching and reporting. Search-time field extractions are configured in the props.conf and transforms.conf files, which are located in the etc/system/local directory on the search head. Therefore, option D is the correct answer. References: Splunk Enterprise Certified Admin | Splunk; About fields - Splunk Documentation.
Question 5
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?