Free Splunk SPLK-5002 Practice Exam with Questions & Answers | Set: 3

If there is a delay in data being indexed from a remote location, even though the Universal Forwarder (UF) is correctly configured, the issue is likely a queue blockage or network latency.

Steps to Diagnose and Fix Forwarder Delays:

Check Forwarder Logs (splunkd.log) for Queue Issues (A)

Look for messages likeTcpOutAutoLoadBalancedorQueue is full.

If queues are full, events are stuck at the forwarder and not reaching the indexer.

Monitor Forwarder Health Usingmetrics.log

Useindex=_internal source=*metrics.log* group=queueto check queue performance.

Why Usetstatsfor Faster Searches?

When a cybersecurity engineer experiences delays in retrieving indexed data, the best way to improve search performance is to usetstatsinstead of raw searches.

????What iststats?tstatsis a high-performance command that queries data from indexed fields only, rather than scanning raw events. This makes searches significantly faster and more efficient.

????Why is This the Best Approach?

tstatssearches are 10-100x faster than raw event searches.

It leverages metadata and indexed fields, reducing search load.

It minimizes memory and CPU usage on the search head and indexers.

????Example Use Case:????Scenario: The SOC team is investigating failed logins across multiple indexers.✅Using a raw search:

index=security sourcetype=auth_logs action=failed | stats count by user

????Problem: This query scans millions of raw events, causing slow performance.

✅Optimized usingtstats:

| tstats count where index=security sourcetype=auth_logs action=failed by user

✅Advantage: Faster results without scanning raw events.

Why Not the Other Options?

❌A. Increase search head memory allocation – May help, but inefficient queries will still slow down searches.❌C. Configure a search head cluster – A single search head isn't necessarily the problem; improvingsearch performance is more effective.❌D. Implement accelerated data models – Useful for prebuilt dashboards, but won't improve ad-hoc searches.

How Splunk SOAR Improves Phishing Response?

Phishing attacks require fast detection and response. Manual investigation delays can be eliminated using Splunk SOAR automation.

????Why Use Playbooks for Automated Email Triage? (Answer B)✅Extracts email headers and attachments for analysis✅Checks links & attachments against threat intelligence feeds✅Automatically quarantines or deletes malicious emails✅Escalates high-risk cases to SOC analysts

????Example Playbook Workflow in Splunk SOAR:????Scenario: A suspicious email is reported.✅Splunk SOAR playbook automatically:

Extracts sender details & checks against threat intelligence

Analyzes URLs & attachments using VirusTotal/Sandboxing

Tags the email as "Malicious" or "Safe"

Quarantines the email & alerts SOC analysts

Why Not the Other Options?

❌A. Prioritizing phishing cases manually – Still requires manual effort, leading to delays.❌C. Assigning cases to analysts in real-time – Doesn’t solve the issue of slow manual investigations.❌D. Increasing the indexing frequency of email logs – Helps with log retrieval but doesn’t automate phishing response.

References & Learning Resources

????Splunk SOAR Phishing Playbook Guide: https://docs.splunk.com/Documentation/SOAR ????Phishing Detection Automation in Splunk: https://splunkbase.splunk.com ????Email Threat Intelligence with SOAR: https://www.splunk.com/en_us/blog/security

Configurations Required for Data Normalization in Splunk

Data normalization ensures consistent field naming and event structuring, especially for Splunk Common Information Model (CIM) compliance.

✅1. props.conf (A)

Defines how data is parsed and indexed.

Controls field extractions, event breaking, and timestamp recognition.

Example:

Assigns custom sourcetypes and defines regex-based field extraction.

✅2. transforms.conf (B)

Used for data transformation, lookup table mapping, and field aliasing.

Example:

Normalizes firewall logs by renaming src_ip → src to align with CIM.

❌Incorrect Answers:

C. savedsearches.conf → Defines scheduled searches, not data normalization.

D. authorize.conf → Manages user permissions, not data normalization.

E. eventtypes.conf → Groups events into categories but doesn’t modify data structure.

????Additional Resources:

Splunk Data Normalization Guide

Understanding props.conf and transforms.conf