Splunk Updated SPLK-5002 Exam Questions and Answers by moses

Splunk SOAR (Security Orchestration, Automation, and Response) helps SOC teams automate threat detection, investigation, and response by integrating security tools and orchestrating workflows.

Primary Purpose of Splunk SOAR:

Automates Security Tasks (B)

Reduces manual efforts by using playbooks to handle routine incidents automatically.

Accelerates threat mitigation by automating response actions (e.g., blocking malicious IPs, isolating endpoints).

Orchestrates Security Workflows (B)

Connects SIEM, threat intelligence, firewalls, endpoint security, and ITSM tools into a unified security workflow.

Ensures faster and more effective threat response across multiple security tools.

If a user queries an index during a high-priority incident but sees incomplete results, it is likely that the indexers are overloaded, causing queue bottlenecks.

Why Indexer Queue Capacity Issues Cause Incomplete Results:

When indexing queues fill up, incoming data cannot be processed efficiently.

Search results may be incomplete or delayed if events are still in the indexing queue and not fully written to disk.

Heavy search loads during incidents can also increase pressure on indexers.

How to Fix It:

Monitor indexing queues via the Monitoring Console (indexing>indexing performance).

Checkmetrics.logon indexers formax_queue_size_exceededwarnings.

Increase indexer capacity or optimize search scheduling to reduce load.

Configurations Required for Data Normalization in Splunk

Data normalization ensures consistent field naming and event structuring, especially for Splunk Common Information Model (CIM) compliance.

✅1. props.conf (A)

Defines how data is parsed and indexed.

Controls field extractions, event breaking, and timestamp recognition.

Example:

Assigns custom sourcetypes and defines regex-based field extraction.

✅2. transforms.conf (B)

Used for data transformation, lookup table mapping, and field aliasing.

Example:

Normalizes firewall logs by renaming src_ip → src to align with CIM.

❌Incorrect Answers:

C. savedsearches.conf → Defines scheduled searches, not data normalization.

D. authorize.conf → Manages user permissions, not data normalization.

E. eventtypes.conf → Groups events into categories but doesn’t modify data structure.

????Additional Resources:

Splunk Data Normalization Guide

Understanding props.conf and transforms.conf