When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

1. A. Auto
2. B. None
3. C. True
4. D. False

Correct Answer: C

Which of the following is a best practice to maximize indexing performance?

1. A. Use automatic sourcetyping.
2. B. Use the Splunk default settings.
3. C. Not use pre-trained source types.
4. D. Minimize configuration generality.

Correct Answer: D

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

1. A. SPLUNK_HOME/var/lib/searchpeers
2. B. SPLUNK_HOME/var/log/searchpeers
3. C. SPLUNK_HOME/var/run/searchpeers
4. D. SPLUNK_HOME/var/spool/searchpeers

Correct Answer: C

A customer has installed a 500GB Enterprise license. They also purchased and installed a 300GB, no enforcement license on the same license master. How much data can the customer ingest before search
is locked out?

1. A. 300G
2. B. After this limit, search is locked ou
3. C. B.500G
4. D. After this limit, search is locked out.
5. E. 800G
6. F. After this limit, search is locked out.
7. G. Search is not locked ou
8. H. Violations are still recorded.

Correct Answer: D

Which of the following can a Splunk diag contain?

1. A. Search history, Splunk users and their roles, running processes, indexed data
2. B. Server specs, current open connections, internal Splunk log files, index listings
3. C. KV store listings, internal Splunk log files, search peer bundles listings, indexed data
4. D. Splunk platform configuration details, Splunk users and their roles, current open connections, index listings

Correct Answer: B