
Splunk SPLK-2002 Splunk Enterprise Certified Architect Exam Practice Test

Demo: 48 questions
Total 160 questions

Splunk Enterprise Certified Architect Questions and Answers

Question 1

In a search head cluster, from which member can a KV store collection be updated?

Options:

A.

The search head cluster captain.

B.

The KV store primary search head.

C.

Any search head except the captain.

D.

Any search head in the cluster.

Question 2

Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?

Options:

A.

btool

B.

DiagGen

C.

SPL Clinic

D.

Monitoring Console

Question 3

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

Options:

A.

Replace the indexer storage to solid state drives (SSD).

B.

Add more search heads and redistribute users based on the search type.

C.

Look for slow searches and reschedule them to run during an off-peak time.

D.

Add more search peers and make sure forwarders distribute data evenly across all indexers.

Question 4

The KV store forms its own cluster within a SHC. What is the maximum number of SHC members a KV store cluster can span?

Options:

A.

25

B.

50

C.

100

D.

Unlimited

Question 5

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

Options:

A.

Data encryption between Splunk Web and splunkd.

B.

Certificate authentication between forwarders and indexers.

C.

Certificate authentication between Splunk Web and search head.

D.

Data encryption for distributed search between search heads and indexers.

Question 6

A customer is migrating 500 Universal Forwarders from an old deployment server to a new deployment server, with a different DNS name. The new deployment server is configured and running.

The old deployment server deployed an app containing an updated deploymentclient.conf file to all forwarders, pointing them to the new deployment server. The app was successfully deployed to all 500 forwarders.

Why would all of the forwarders still be phoning home to the old deployment server?

Options:

A.

There is a version mismatch between the forwarders and the new deployment server.

B.

The new deployment server is not accepting connections from the forwarders.

C.

The forwarders are configured to use the old deployment server in $SPLUNK_HOME/etc/system/local.

D.

The pass4SymmKey is the same on the new deployment server and the forwarders.
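Why a stale setting in $SPLUNK_HOME/etc/system/local would cause exactly this symptom: Splunk layers its configuration files, and for a global-context file such as deploymentclient.conf a setting in system/local overrides the same setting in any app, including one the old deployment server has just pushed. The script below is an added example, not Splunk code and not part of the original question. It models that layering over a constructed set of deploymentclient.conf files (the app name migrate_ds and the host names are assumptions) and reports which file supplies the effective targetUri, which is what `splunk btool deploymentclient list --debug` would show on a real forwarder.

```python
"""Model of Splunk's global-context configuration precedence, applied to
deploymentclient.conf. Added example; the files, app name (migrate_ds) and
host names below are constructed, not taken from a real deployment."""
import configparser

# Layers from highest to lowest precedence for global-context files,
# per Splunk's configuration-file layering rules.
PRECEDENCE = ["system/local", "apps/*/local", "apps/*/default", "system/default"]

# Constructed sample files, keyed by path relative to $SPLUNK_HOME/etc.
SAMPLE_FILES = {
    # Hand-edited on the forwarder long ago; nobody remembered it was there.
    "system/local/deploymentclient.conf": """
[target-broker:deploymentServer]
targetUri = old-ds.example.com:8089
""",
    # App pushed by the old deployment server to redirect the forwarder.
    "apps/migrate_ds/local/deploymentclient.conf": """
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = new-ds.example.com:8089
""",
    # Shipped defaults.
    "system/default/deploymentclient.conf": """
[deployment-client]
disabled = false
phoneHomeIntervalInSecs = 60
""",
}


def layer_of(path):
    """Map a conf path to its precedence layer, e.g. apps/x/local -> apps/*/local."""
    parts = path.split("/")
    if parts[0] == "system":
        return f"system/{parts[1]}"
    if parts[0] == "apps":
        return f"apps/*/{parts[2]}"
    raise ValueError(f"unexpected conf path: {path}")


def effective_config(files):
    """Merge stanzas lowest-precedence first so higher layers overwrite.

    Returns {stanza: {key: (value, source_path)}}. Within one layer Splunk
    ranks apps by ASCII name (earlier names win); that is modelled here by
    applying the paths in reverse sorted order so the ASCII-first app lands last.
    """
    merged = {}
    for layer in reversed(PRECEDENCE):
        for path in sorted((p for p in files if layer_of(p) == layer), reverse=True):
            parser = configparser.ConfigParser(
                interpolation=None, allow_no_value=True, delimiters=("=",)
            )
            parser.optionxform = str  # keep Splunk's camelCase keys intact
            parser.read_string(files[path])
            for stanza in parser.sections():
                for key, value in parser.items(stanza):
                    merged.setdefault(stanza, {})[key] = (value, path)
    return merged


def effective_target_uri(files):
    """Return (targetUri, source file) that the deployment client will actually use."""
    stanza = effective_config(files).get("target-broker:deploymentServer", {})
    return stanza.get("targetUri")


if __name__ == "__main__":
    uri, source = effective_target_uri(SAMPLE_FILES)
    print(f"effective targetUri = {uri}  (from {source})")
    # The fix: remove the stale system/local override and re-evaluate.
    fixed = {p: c for p, c in SAMPLE_FILES.items() if not p.startswith("system/local/")}
    uri, source = effective_target_uri(fixed)
    print(f"after removing system/local: {uri}  (from {source})")
```

The practical check on a forwarder is `splunk btool deploymentclient list --debug`, which prints the winning file next to each setting; if targetUri resolves to system/local, no deployed app can change it, and the override has to be removed by hand (or by whatever tool manages the forwarder's base image).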

Question 7

Which of the following statements about integrating with third-party systems are true? (Select all that apply.)

Options:

A.

A Hadoop application can search data in Splunk.

B.

Splunk can search data in the Hadoop File System (HDFS).

C.

You can use Splunk alerts to provision actions on a third-party system.

D.

You can forward data from Splunk forwarder to a third-party system without indexing it first.

Question 8

Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

Options:

A.

site_mappings

B.

available_sites

C.

site_search_factor

D.

site_replication_factor

Question 9

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

Options:

A.

Create a job server on the cluster.

B.

Add another search head to the cluster.

C.

server.conf captain_is_adhoc_searchhead = true.

D.

Change limits.conf value for max_searches_per_cpu to a higher value.

Question 10

metrics.log is stored in which index?

Options:

A.

main

B.

_telemetry

C.

_internal

D.

_introspection

Question 11

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

Options:

A.

adhoc_searchhead = true (on all members)

B.

adhoc_searchhead = true (on the current captain)

C.

captain_is_adhoc_searchhead = true (on all members)

D.

captain_is_adhoc_searchhead = true (on the current captain)

Question 12

What types of files exist in a bucket within a clustered index? (select all that apply)

Options:

A.

Inside a replicated bucket, there is only rawdata.

B.

Inside a searchable bucket, there is only tsidx.

C.

Inside a searchable bucket, there is tsidx and rawdata.

D.

Inside a replicated bucket, there is both tsidx and rawdata.

Question 13

To optimize the distribution of primary buckets; when does primary rebalancing automatically occur? (Select all that apply.)

Options:

A.

Rolling restart completes.

B.

Master node rejoins the cluster.

C.

Captain joins or rejoins cluster.

D.

A peer node joins or rejoins the cluster.

Question 14

What is the minimum reference server specification for a Splunk indexer?

Options:

A.

12 CPU cores, 12GB RAM, 800 IOPS

B.

16 CPU cores, 16GB RAM, 800 IOPS

C.

24 CPU cores, 16GB RAM, 1200 IOPS

D.

28 CPU cores, 32GB RAM, 1200 IOPS

Question 15

Which of the following options in limits.conf may provide performance benefits at the forwarding tier?

Options:

A.

Enable the indexed_realtime_use_by_default attribute.

B.

Increase the maxKBps attribute.

C.

Increase the parallelIngestionPipelines attribute.

D.

Increase the max_searches_per_cpu attribute.

Question 16

Which of the following items are important sizing parameters when architecting a Splunk environment? (select all that apply)

Options:

A.

Number of concurrent users.

B.

Volume of incoming data.

C.

Existence of premium apps.

D.

Number of indexes.

Question 17

Following Splunk recommendations, where could the Monitoring Console (MC) be installed in a distributed deployment with an indexer cluster, a search head cluster, and 1000 forwarders?

Options:

A.

On a search peer in the cluster.

B.

On the deployment server.

C.

On the search head cluster deployer.

D.

On a search head in the cluster.

Question 18

If .delta replication fails during knowledge bundle replication, what is the fall-back method for Splunk?

Options:

A.

Restart splunkd.

B.

.delta replication.

C.

.bundle replication.

D.

Restart mongod.

Question 19

What information is needed about the current environment before deploying Splunk? (select all that apply)

Options:

A.

List of vendors for network devices.

B.

Overall goals for the deployment.

C.

Key users.

D.

Data sources.

Question 20

Users are asking the Splunk administrator to thaw recently-frozen buckets very frequently. What could the Splunk administrator do to reduce the need to thaw buckets?

Options:

A.

Change frozenTimePeriodInSecs to a larger value.

B.

Change maxTotalDataSizeMB to a smaller value.

C.

Change maxHotSpanSecs to a larger value.

D.

Change coldToFrozenDir to a different location.

Question 21

To activate replication for an index in an indexer cluster, what attribute must be configured in indexes.conf on all peer nodes?

Options:

A.

repFactor = 0

B.

replicate = 0

C.

repFactor = auto

D.

replicate = auto

Question 22

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

Options:

A.

Input

B.

Search

C.

Parsing

D.

Indexing

Question 23

Which of the following is a problem that could be investigated using the Search Job Inspector?

Options:

A.

Error messages are appearing underneath the search bar in Splunk Web.

B.

Dashboard panels are showing "Waiting for queued job to start" on page load.

C.

Different users are seeing different extracted fields from the same search.

D.

Events are not being sorted in reverse chronological order.

Question 24

Which of the following is a good practice for a search head cluster deployer?

Options:

A.

The deployer only distributes configurations to search head cluster members when they “phone home”.

B.

The deployer must be used to distribute non-replicable configurations to search head cluster members.

C.

The deployer must distribute configurations to search head cluster members to be valid configurations.

D.

The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle.

Question 25

An indexer cluster is being designed with the following characteristics:

• 10 search peers

• Replication Factor (RF): 4

• Search Factor (SF): 3

• No SmartStore usage

How many search peers can fail before data becomes unsearchable?

Options:

A.

Zero peers can fail.

B.

One peer can fail.

C.

Three peers can fail.

D.

Four peers can fail.
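The reasoning behind this question, as an added example that is not part of the original test: in a cluster without SmartStore, a bucket is gone only when all RF copies of it are lost, and when searchable copies are lost the master node has a surviving peer build index files on one of its non-searchable copies. Searchability is therefore lost for good only with the bucket's last copy (RF - 1 = 3 failures survivable in the worst case), while SF - 1 = 2 failures is the most the cluster can absorb without any interim rebuild. The script below models that with a constructed round-robin placement (an assumption; the real master node places copies differently) and checks every failure combination rather than trusting the arithmetic.

```python
"""Worked model of indexer-cluster fault tolerance (RF/SF, no SmartStore).
Added example: the round-robin placement is a constructed assumption used to
exercise the rules; a real master node places copies differently."""
from itertools import combinations


def place_buckets(peers, rf, sf, n_buckets):
    """Place n_buckets: bucket b's RF copies sit on peers b, b+1, ..., and the
    first SF of those copies are the searchable ones (they carry tsidx files)."""
    if not 1 <= sf <= rf <= peers:
        raise ValueError("need 1 <= SF <= RF <= number of peers")
    placement = []
    for b in range(n_buckets):
        holders = [(b + k) % peers for k in range(rf)]
        placement.append((frozenset(holders), frozenset(holders[:sf])))
    return placement


def assess(placement, failed):
    """Classify every bucket after the peers in `failed` go down."""
    lost = unsearchable_until_rebuild = 0
    for holders, searchable in placement:
        if not holders - failed:
            lost += 1  # every copy gone: unsearchable and unrecoverable
        elif not searchable - failed:
            # Only rawdata copies survive; the master node will have one
            # surviving peer build tsidx files, so this is a temporary state.
            unsearchable_until_rebuild += 1
    return {"lost": lost, "unsearchable_until_rebuild": unsearchable_until_rebuild}


def worst_case_tolerance(peers, rf, sf, n_buckets=None):
    """Largest k such that *every* k-peer failure set keeps all buckets
    (a) recoverable (some copy survives) and (b) searchable without a rebuild."""
    n_buckets = n_buckets or peers
    placement = place_buckets(peers, rf, sf, n_buckets)
    keep_data = keep_search_now = peers  # sentinel: not yet broken
    for k in range(1, peers + 1):
        for failed in map(frozenset, combinations(range(peers), k)):
            result = assess(placement, failed)
            if result["lost"] and keep_data == peers:
                keep_data = k - 1
            if result["unsearchable_until_rebuild"] and keep_search_now == peers:
                keep_search_now = k - 1
        if keep_data < peers and keep_search_now < peers:
            break
    return {"before_data_loss": keep_data, "before_rebuild_needed": keep_search_now}


if __name__ == "__main__":
    # The question's cluster: 10 peers, RF 4, SF 3.
    print(worst_case_tolerance(10, 4, 3))
    # Fail exactly the three searchable holders of bucket 0: it survives on rawdata.
    print(assess(place_buckets(10, 4, 3, 10), frozenset({0, 1, 2})))
```

Two caveats a practitioner should keep in mind: the RF - 1 figure is a worst case for a bucket whose copies all happen to sit on the failed peers, and the rebuild that restores searchability after more than SF - 1 failures only happens if the surviving peers have the disk and the time to do it.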

Question 26

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

Options:

A.

High performance SAN should never be used.

B.

Enable NFS for storing hot and warm buckets.

C.

The recommended RAID setup is RAID 10 (1 + 0).

D.

Virtualized environments are usually preferred over bare metal for Splunk indexers.

Question 27

Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

Options:

A.

Use case checklist.

B.

Install Splunk apps.

C.

Inventory data sources.

D.

Review network topology.

Question 28

What is needed to ensure that high-velocity sources will not have forwarding delays to the indexers?

Options:

A.

Increase the default value of sessionTimeout in server.conf.

B.

Increase the default limit for maxKBps in limits.conf.

C.

Decrease the value of forceTimebasedAutoLB in outputs.conf.

D.

Decrease the default value of phoneHomeIntervalInSecs in deploymentclient.conf.

Question 29

Which of the following would be the least helpful in troubleshooting contents of Splunk configuration files?

Options:

A.

crash logs

B.

search.log

C.

btool output

D.

diagnostic logs

Question 30

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

Options:

A.

SPLUNK_HOME/var/lib/searchpeers

B.

SPLUNK_HOME/var/log/searchpeers

C.

SPLUNK_HOME/var/run/searchpeers

D.

SPLUNK_HOME/var/spool/searchpeers

Question 31

A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?

Options:

A.

Two indexers not in a cluster, assuming users run many long searches.

B.

Three indexers not in a cluster, assuming a long data retention period.

C.

Two indexers clustered, assuming high availability is the greatest priority.

D.

Two indexers clustered, assuming a high volume of saved/scheduled searches.

Question 32

Which command will permanently decommission a peer node operating in an indexer cluster?

Options:

A.

splunk stop -f

B.

splunk offline -f

C.

splunk offline --enforce-counts

D.

splunk decommission --enforce counts

Question 33

Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

Options:

A.

Identify number of scheduled or real-time searches.

B.

Validate if this Technical Add-On enables event data for a data model.

C.

Identify the maximum number of forwarders the Technical Add-On can support.

D.

Verify whether the Technical Add-On needs to be installed on the search head, the indexer, or both.

Question 34

Users who receive a link to a search are receiving an "Unknown sid" error message when they open the link.

Why is this happening?

Options:

A.

The users have insufficient permissions.

B.

An add-on needs to be updated.

C.

The search job has expired.

D.

One or more indexers are down.

Question 35

Which CLI command converts a Splunk instance to a license slave?

Options:

A.

splunk add licenses

B.

splunk list licenser-slaves

C.

splunk edit licenser-localslave

D.

splunk list licenser-localslave

Question 36

Which command should be run to re-sync a stale KV Store member in a search head cluster?

Options:

A.

splunk clean kvstore -local

B.

splunk resync kvstore -remote

C.

splunk resync kvstore -local

D.

splunk clean eventdata -local

Question 37

In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

Options:

A.

Use the Monitoring Console.

B.

Use the Search Head Clustering settings menu from Splunk Web on any member.

C.

Run the splunk transfer shcluster-captain command from the current captain.

D.

Run the splunk transfer shcluster-captain command from the member you would like to become the captain.

Question 38

When using ingest-based licensing, what Splunk role requires the license manager to scale?

Options:

A.

Search peers

B.

Search heads

C.

There are no roles that require the license manager to scale

D.

Deployment clients

Question 39

Where in the Job Inspector can details be found to help determine where performance is affected?

Options:

A.

Search Job Properties > runDuration

B.

Search Job Properties > runtime

C.

Job Details Dashboard > Total Events Matched

D.

Execution Costs > Components

Question 40

Which instance cannot share functionality with the deployer?

Options:

A.

Search head cluster member

B.

License master

C.

Master node

D.

Monitoring Console (MC)

Question 41

Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

Options:

A.

Install Enterprise Security on the deployer.

B.

Install Enterprise Security on a staging instance.

C.

Copy the Enterprise Security configurations to the deployer.

D.

Use the deployer to deploy Enterprise Security to the cluster members.

Question 42

On search head cluster members, where in $SPLUNK_HOME does the Splunk Deployer deploy app content by default?

Options:

A.

etc/apps/

B.

etc/slave-apps/

C.

etc/shcluster/

D.

etc/deploy-apps/

Question 43

When designing the number and size of indexes, which of the following considerations should be applied?

Options:

A.

Expected daily ingest volume, access controls, number of concurrent users

B.

Number of installed apps, expected daily ingest volume, data retention time policies

C.

Data retention time policies, number of installed apps, access controls

D.

Expected daily ingest volumes, data retention time policies, access controls

Question 44

A Splunk deployment is being architected and the customer will be using Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI). Through data onboarding and sizing, it is determined that over 200 discrete KPIs will be tracked by ITSI and 1TB of data per day by ES. What topology ensures a scalable and performant deployment?

Options:

A.

Two search heads, one for ITSI and one for ES.

B.

Two search head clusters, one for ITSI and one for ES.

C.

One search head cluster with both ITSI and ES installed.

D.

One search head with both ITSI and ES installed.

Question 45

When planning a search head cluster, which of the following is true?

Options:

A.

All search heads must use the same operating system.

B.

All search heads must be members of the cluster (no standalone search heads).

C.

The search head captain must be assigned to the largest search head in the cluster.

D.

All indexers must belong to the underlying indexer cluster (no standalone indexers).

Question 46

The master node distributes configuration bundles to peer nodes. In which directory do the peer nodes receive the bundles?

Options:

A.

apps

B.

deployment-apps

C.

slave-apps

D.

master-apps

Question 47

What is the best method for sizing or scaling a search head cluster?

Options:

A.

Estimate the maximum daily ingest volume in gigabytes and divide by the number of CPU cores per search head.

B.

Estimate the total number of searches per day and divide by the number of CPU cores available on the search heads.

C.

Divide the number of indexers by three to achieve the correct number of search heads.

D.

Estimate the maximum concurrent number of searches and divide by the number of CPU cores per search head.

Question 48

New data has been added to a monitor input file. However, searches only show older data.

Which splunkd.log channel would help troubleshoot this issue?

Options:

A.

ModularInputs

B.

TailingProcessor

C.

ChunkedLBProcessor

D.

ArchiveProcessor
