A financial services company is using Splunk Cloud Platform and has a requirement to segregate data from their trading, compliance, and retail banking applications into distinct indexes. The Splunk Cloud admin has created the indexes: `trading_prod`, `compliance_prod`, and `retail_prod`. To control access, three roles have been created: `trading_user`, `compliance_user`, and `retail_user`. Which configuration ensures that users in the `trading_user` role can only search the `trading_prod` index and no other indexes?
Q2
A Splunk Cloud administrator is configuring a monitor input on a Universal Forwarder to collect logs from `/var/log/app/`. This directory contains `access.log`, `error.log`, and `debug.log`. The administrator wants to assign different sourcetypes (`app_access`, `app_error`, `app_debug`) based on the filename. What is the most efficient method to achieve this on the data input side?
Q3
A Splunk Cloud administrator is troubleshooting an issue where events from a critical application are not being indexed. The data is sent from a Universal Forwarder to Splunk Cloud. The administrator runs the following command on the forwarder: `splunk list forward-server`. The output shows the Splunk Cloud indexer endpoint is active. What is the next logical step to diagnose the problem on the Universal Forwarder?
Q4
A Splunk Cloud admin needs to onboard a new data source that produces multi-line Java stack traces. Each event begins with a timestamp, but subsequent lines of the stack trace do not. How should the administrator configure line breaking to ensure each full stack trace is treated as a single event? Example event:

```
2023-10-27 10:30:15,123 ERROR [main] com.example.App - An exception occurred
java.lang.RuntimeException: Operation failed
    at com.example.Service.performAction(Service.java:42)
    at com.example.App.main(App.java:10)
```
Q5
True or False: In a Splunk Cloud Platform environment, a Cloud administrator can directly edit the `authorize.conf` file in the backend to create and modify user roles.
Q6 (Multiple answers)
An e-commerce company uses the Splunk HTTP Event Collector (HEC) to ingest transaction data from a microservice. To ensure data is routed to the correct index and assigned the correct sourcetype, the developers have been instructed to include specific HEC headers. However, the Splunk Cloud admin notices all data is landing in the default index for the HEC token. Which TWO of the following could be the cause of this issue? (Select TWO)
Q7
A Splunk Cloud admin needs to mask Personally Identifiable Information (PII) from incoming web server logs. Specifically, the credit card numbers in the format `CCN=1234-5678-9012-3456` must be replaced with `CCN=XXXX-XXXX-XXXX-XXXX` at index time. Which configuration combination in `props.conf` and `transforms.conf` on the search head (or relevant parsing tier) will accomplish this?
Q8
A Splunk Cloud administrator is using a Deployment Server to manage a fleet of Universal Forwarders. A new server class, `[serverClass:linux_web_servers]`, has been created to deploy a web log collection app. However, after creating the server class, none of the target Linux servers are downloading the new app. The `whitelist.0` is correctly configured to match the hostnames. What is a common reason for this failure?
Q9
When creating a new index in Splunk Cloud Platform via the UI, what is the purpose of the 'Max Size of Entire Index' setting?
Q10
A Splunk Cloud admin is setting up a scripted input on a Linux Universal Forwarder. The script, `/opt/splunkforwarder/bin/scripts/get_metrics.sh`, runs correctly when executed manually from the command line. The `inputs.conf` stanza is as follows:

```
[script:///opt/splunkforwarder/bin/scripts/get_metrics.sh]
interval = 300
sourcetype = custom_metrics
index = metrics
disabled = 0
```

After configuration, no data appears in the `metrics` index. What is the most likely cause for this issue?