SPLK-1003 Questions and Answers

Users log on to the search head and run reports: – The search head dispatches searches to the peers – Peers run searches in parallel and return their portion of results – The search head consolidates the individual results and prepares reports

"The search head replicates the knowledge bundle periodically in the background or when initiating a search. " "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://:]

*Configures the input to listen on a specific TCP network port.

*If a makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify , this stanza matches all connections on the specified port.

*Generates events with source set to "tcp:", for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw"

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Add your data to Splunk Enterprise. With Splunk Enterprise, you can add data using Splunk Web or Splunk Apps. In addition to these methods, you also can use the following methods. -The Splunk Command Line Interface (CLI) -The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the details are saved in a configuartion file on Splunk Enterprise indexer and heavy forwarder instances.

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Quoting the following Splunk URL reference https://docs.splunk.com/Documentation/Splunk/8.2.2/DMC/DMCprerequisites "Monitoring Console setup prerequisites. Forward internal logs (both $SPLUNK_HOME/car/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. Without this step, many dashboards will lack data."

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

The splunk server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment. Example: Restrict a search to the main index on a server named remote. splunk_server=remote index=main 404

https://docs.splunk.com/Splexicon:Searchpeer

"A Splunk platform instance that responses to search requests from a search head. The term "Search peer" is usually synonymous with the indexer role in a distributed search topology..."

https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/Dataintegritycontrol#:~:text=When%20you%20enable%20data%20integrity%20control%2C%20Splunk%20Enterprise%20computes%20hashes,it%20to%20a%20l1Hashes%20file .

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

"Configure character set encoding. Splunk software attempts to apply UTF-8 encoding to your scources by default. If a source foesn't use UTF-8 encoding or is a non-ASCII file, Splunk software tries to convert data from the source to UTF-8 encoding unless you specify a character set to use by setting the CHARSET key in the props.conf file."

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: "The deployment server distributes deployment apps to clients."