

SPLK-2002 Splunk Enterprise Certified Architect Question and Answers

Question # 4

Where can files be placed in a configuration bundle on a search peer that will persist after a new configuration bundle has been deployed?

A.

In the $SPLUNK_HOME/etc/slave-apps//local folder.

B.

In the $SPLUNK_HOME/etc/master-apps//local folder.

C.

Nowhere; the entire configuration bundle is overwritten with each push.

D.

In the $SPLUNK_HOME/etc/slave-apps/_cluster/local folder.

Question # 5

A customer creates a saved search that runs on a specific interval. Which internal Splunk log should be viewed to determine if the search ran recently?

A.

metrics.log

B.

kvstore.log

C.

scheduler.log

D.

btool.log

Question # 6

When preparing to ingest a new data source, which of the following is optional in the data source assessment?

A.

Data format

B.

Data location

C.

Data volume

D.

Data retention

Question # 7

In splunkd.log events written to the _internal index, which field identifies the specific log channel?

A.

component

B.

source

C.

sourcetype

D.

channel

Question # 8

Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

A.

Identify number of scheduled or real-time searches.

B.

Validate if this Technical Add-On enables event data for a data model.

C.

Identify the maximum number of forwarders Technical Add-On can support.

D.

Verify if Technical Add-On needs to be installed onto both a search head or indexer.

Question # 9

Which of the following commands is used to clear the KV store?

A.

splunk clean kvstore

B.

splunk clear kvstore

C.

splunk delete kvstore

D.

splunk reinitialize kvstore

Question # 10

A search head cluster member contains the following in its server.conf. What is the Splunk server name of this member?

A.

node1

B.

shc4

C.

idxc2

D.

node3

Question # 11

Which of the following is a minimum search head specification for a distributed Splunk environment?

A.

A 1Gb Ethernet NIC, optional 2nd NIC for a management network.

B.

An x86 32-bit chip architecture.

C.

128 GB RAM.

D.

Two physical CPU cores, or four vCPU at 2GHz or greater speed per core.

Question # 12

A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?

A.

Two indexers not in a cluster, assuming users run many long searches.

B.

Three indexers not in a cluster, assuming a long data retention period.

C.

Two indexers clustered, assuming high availability is the greatest priority.

D.

Two indexers clustered, assuming a high volume of saved/scheduled searches.

Question # 13

A new Splunk Enterprise deployment is being architected, and the customer wants to ensure that the data to be indexed is encrypted. Where should TLS be turned on in the Splunk deployment?

A.

Deployment server to deployment clients.

B.

Splunk forwarders to indexers.

C.

Indexer cluster peer nodes.

D.

Browser to Splunk Web.

Question # 14

Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?

A.

Setting the cluster search factor to N-1.

B.

Increasing the number of buckets per index.

C.

Decreasing the data model acceleration range.

D.

Setting the cluster replication factor to N-1.

Question # 15

Which of the following has no impact on search performance?

A.

Decreasing the phone home interval for deployment clients.

B.

Increasing the number of indexers in the indexer tier.

C.

Allocating compute and memory resources with Workload Management.

D.

Increasing the number of search heads in a Search Head Cluster.

Question # 16

A Splunk deployment is being architected and the customer will be using Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI). Through data onboarding and sizing, it is determined that over 200 discrete KPIs will be tracked by ITSI and 1TB of data per day by ES. What topology ensures a scalable and performant deployment?

A.

Two search heads, one for ITSI and one for ES.

B.

Two search head clusters, one for ITSI and one for ES.

C.

One search head cluster with both ITSI and ES installed.

D.

One search head with both ITSI and ES installed.

Question # 17

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

A.

Check serverclass.conf of the deployment server.

B.

Check deploymentclient.conf of the deployment client.

C.

Check the content of SPLUNK_HOME/etc/apps of the deployment server.

D.

Search for relevant events in splunkd.log of the deployment server.

Question # 18

Which of the following is a valid use case that a search head cluster addresses?

A.

Provide redundancy in the event a search peer fails.

B.

Search affinity.

C.

Knowledge Object replication.

D.

Increased Search Factor (SF).

Question # 19

What is the logical first step when starting a deployment plan?

A.

Inventory the currently deployed logging infrastructure.

B.

Determine what apps and use cases will be implemented.

C.

Gather statistics on the expected adoption of Splunk for sizing.

D.

Collect the initial requirements for the deployment from all stakeholders.

Question # 20

Users who receive a link to a search are receiving an "Unknown sid" error message when they open the link.

Why is this happening?

A.

The users have insufficient permissions.

B.

An add-on needs to be updated.

C.

The search job has expired.

D.

One or more indexers are down.

Question # 21

It is possible to lose UI edit functionality after manually editing which of the following files in the deployment server?

A.

serverclass.conf

B.

deploymentclient.conf

C.

inputs.conf

D.

deploymentserver.conf

Question # 22

What are the possible values for the mode attribute in server.conf for a Splunk server in the [clustering] stanza?

A.

[clustering] mode = peer

B.

[clustering] mode = searchhead

C.

[clustering] mode = deployer

D.

[clustering] mode = manager

Question # 23

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

A.

Auto

B.

None

C.

True

D.

False

Question # 24

Which of the following use cases would be made possible by multi-site clustering? (select all that apply)

A.

Use blockchain technology to audit search activity from geographically dispersed data centers.

B.

Enable a forwarder to send data to multiple indexers.

C.

Greatly reduce WAN traffic by preferentially searching assigned site (search affinity).

D.

Seamlessly route searches to a redundant site in case of a site failure.

Question # 25

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

A.

Input

B.

Search

C.

Parsing

D.

Indexing

Question # 26

The master node distributes configuration bundles to peer nodes. In which directory do peer nodes receive the bundles?

A.

apps

B.

deployment-apps

C.

slave-apps

D.

master-apps

Question # 27

To improve Splunk performance, the parallelIngestionPipelines setting can be adjusted on which of the following components in the Splunk architecture? (Select all that apply.)

A.

Indexers

B.

Forwarders

C.

Search head

D.

Cluster master

Question # 28

Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

A.

site_mappings

B.

available_sites

C.

site_search_factor

D.

site_replication_factor

Question # 29

When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?

A.

Index and .tsidx files.

B.

Rawdata and index files.

C.

Compressed and .tsidx files.

D.

Compressed and meta data files.

Question # 30

Which of the following is true regarding Splunk Enterprise's performance? (Select all that apply.)

A.

Adding search peers increases the maximum size of search results.

B.

Adding RAM to existing search heads provides additional search capacity.

C.

Adding search peers increases the search throughput as the search load increases.

D.

Adding search heads provides additional CPU cores to run more concurrent searches.

Question # 31

Which Splunk component allows viewing of the LISPY to assist in debugging Splunk searches?

A.

dbinspect

B.

Monitoring Console

C.

walklex

D.

Search Job Inspector

Question # 32

When troubleshooting a situation where some files within a directory are not being indexed, the ignored files are discovered to have long headers. What is the first thing that should be added to inputs.conf?

A.

Decrease the value of initCrcLength.

B.

Add a crcSalt= attribute.

C.

Increase the value of initCrcLength.

D.

Add a crcSalt= attribute.

Question # 33

When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

A.

1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.

B.

1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.

C.

1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.

D.

1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.

Question # 34

Which of the following options in limits.conf may provide performance benefits at the forwarding tier?

A.

Enable the indexed_realtime_use_by_default attribute.

B.

Increase the maxKBps attribute.

C.

Increase the parallelIngestionPipelines attribute.

D.

Increase the max_searches_per_cpu attribute.

Question # 35

A single-site indexer cluster has a replication factor of 3, and a search factor of 2. What is true about this cluster?

A.

The cluster will ensure there are at least two copies of each bucket, and at least three copies of searchable metadata.

B.

The cluster will ensure there are at most three copies of each bucket, and at most two copies of searchable metadata.

C.

The cluster will ensure only two search heads are allowed to access the bucket at the same time.

D.

The cluster will ensure there are at least three copies of each bucket, and at least two copies of searchable metadata.

Question # 36

To activate replication for an index in an indexer cluster, what attribute must be configured in indexes.conf on all peer nodes?

A.

repFactor = 0

B.

replicate = 0

C.

repFactor = auto

D.

replicate = auto

Question # 37

What is the minimum reference server specification for a Splunk indexer?

A.

12 CPU cores, 12GB RAM, 800 IOPS

B.

16 CPU cores, 16GB RAM, 800 IOPS

C.

24 CPU cores, 16GB RAM, 1200 IOPS

D.

28 CPU cores, 32GB RAM, 1200 IOPS

Question # 38

A customer is migrating 500 Universal Forwarders from an old deployment server to a new deployment server, with a different DNS name. The new deployment server is configured and running.

The old deployment server deployed an app containing an updated deploymentclient.conf file to all forwarders, pointing them to the new deployment server. The app was successfully deployed to all 500 forwarders.

Why would all of the forwarders still be phoning home to the old deployment server?

A.

There is a version mismatch between the forwarders and the new deployment server.

B.

The new deployment server is not accepting connections from the forwarders.

C.

The forwarders are configured to use the old deployment server in $SPLUNK_HOME/etc/system/local.

D.

The pass4SymmKey is the same on the new deployment server and the forwarders.

Question # 39

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

A.

audit.log

B.

metrics.log

C.

disk_objects.log

D.

resource_usage.log

Question # 40

Which of the following are possible causes of a crash in Splunk? (select all that apply)

A.

Incorrect ulimit settings.

B.

Insufficient disk IOPS.

C.

Insufficient memory.

D.

Running out of disk space.

Question # 41

On which Splunk components does the Splunk App for Enterprise Security place the most load?

A.

Indexers

B.

Cluster Managers

C.

Search Heads

D.

Heavy Forwarders

Question # 42

Several critical searches that were functioning correctly yesterday are not finding a lookup table today. Which log file would be the best place to start troubleshooting?

A.

btool.log

B.

web_access.log

C.

health.log

D.

configuration_change.log

Question # 43

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

A.

adhoc_searchhead = true (on all members)

B.

adhoc_searchhead = true (on the current captain)

C.

captain_is_adhoc_searchhead = true (on all members)

D.

captain_is_adhoc_searchhead = true (on the current captain)

Question # 44

Which of the following data sources are used for the Monitoring Console dashboards?

A.

REST API calls

B.

Splunk btool

C.

Splunk diag

D.

metrics.log

Question # 45

What log file would you search to verify if you suspect there is a problem interpreting a regular expression in a monitor stanza?

A.

btool.log

B.

metrics.log

C.

splunkd.log

D.

tailing_processor.log

Question # 46

Which command is used to initially add a search head to a single-site indexer cluster?

A.

splunk edit cluster-config -mode searchhead -manager_uri https://10.0.0.1:8089 -secret changeme

B.

splunk edit cluster-config -mode peer -manager_uri https://10.0.0.1:8089 -secret changeme

C.

splunk add cluster-manager -manager_uri https://10.0.0.1:8089 -secret changeme

D.

splunk add cluster-manager -mode searchhead -manager_uri https://10.0.0.1:8089 -secret changeme

Question # 47

Which of the following describe migration from single-site to multisite index replication?

A.

A master node is required at each site.

B.

Multisite policies apply to new data only.

C.

Single-site buckets instantly receive the multisite policies.

D.

Multisite total values should not exceed any single-site factors.

Question # 48

When should multiple search pipelines be enabled?

A.

Only if disk IOPS is at 800 or better.

B.

Only if there are fewer than twelve concurrent users.

C.

Only if running Splunk Enterprise version 6.6 or later.

D.

Only if CPU and memory resources are significantly under-utilized.

Question # 49

How is the search log accessed for a completed search job?

A.

Search for: index=_internal sourcetype=search.

B.

Select Settings > Searches, reports, and alerts, then from the Actions column, select View Search Log.

C.

From the Activity menu, select Show Search Log.

D.

From the Job menu, select Inspect Job, then click the search.log link.

Question # 50

If the maxDataSize attribute is set to auto_high_volume in indexes.conf on a 64-bit operating system, what is the maximum hot bucket size?

A.

4 GB

B.

750 MB

C.

10 GB

D.

1 GB

Question # 51

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

A.

Data encryption between Splunk Web and splunkd.

B.

Certificate authentication between forwarders and indexers.

C.

Certificate authentication between Splunk Web and search head.

D.

Data encryption for distributed search between search heads and indexers.

Question # 52

What information is written to the _introspection log file?

A.

File monitor input configurations.

B.

File monitor checkpoint offset.

C.

User activities and knowledge objects.

D.

KV store performance.

Question # 53

When should a Universal Forwarder be used instead of a Heavy Forwarder?

A.

When most of the data requires masking.

B.

When there is a high-velocity data source.

C.

When data comes directly from a database server.

D.

When a modular input is needed.

Question # 54

Which of the following is a way to exclude search artifacts when creating a diag?

A.

SPLUNK_HOME/bin/splunk diag --exclude

B.

SPLUNK_HOME/bin/splunk diag --debug --refresh

C.

SPLUNK_HOME/bin/splunk diag --disable=dispatch

D.

SPLUNK_HOME/bin/splunk diag --filter-searchstrings

Question # 55

Which deployer push mode should be used when pushing built-in apps?

A.

merge_to_default

B.

local_only

C.

full

D.

default_only

Question # 56

Which of the following is a best practice to maximize indexing performance?

A.

Use automatic source typing.

B.

Use the Splunk default settings.

C.

Not use pre-trained source types.

D.

Minimize configuration generality.

Question # 57

When converting from a single-site to a multi-site cluster, what happens to existing single-site clustered buckets?

A.

They will continue to replicate within the origin site and age out based on existing policies.

B.

They will maintain replication as required according to the single-site policies, but never age out.

C.

They will be replicated across all peers in the multi-site cluster and age out based on existing policies.

D.

They will stop replicating within the single-site and remain on the indexer they reside on and age out according to existing policies.

Question # 58

Stakeholders have identified high availability for searchable data as their top priority. Which of the following best addresses this requirement?

A.

Increasing the search factor in the cluster.

B.

Increasing the replication factor in the cluster.

C.

Increasing the number of search heads in the cluster.

D.

Increasing the number of CPUs on the indexers in the cluster.

Question # 59

When using ingest-based licensing, what Splunk role requires the license manager to scale?

A.

Search peers

B.

Search heads

C.

There are no roles that require the license manager to scale.

D.

Deployment clients

Question # 60

Which of the following are client filters available in serverclass.conf? (Select all that apply.)

A.

DNS name.

B.

IP address.

C.

Splunk server role.

D.

Platform (machine type).
