Down To Date Splunk Enterprise Certified Architect SPLK-2002 Questions Pool

Ucertify offers a free demo for the SPLK-2002 exam. "Splunk Enterprise Certified Architect", also known as the SPLK-2002 exam, is a Splunk certification. This set of posts, Passing the Splunk SPLK-2002 exam, will help you answer those questions. The SPLK-2002 Questions & Answers cover all the knowledge points of the real exam. 100% real Splunk SPLK-2002 exams, revised by experts!

Free SPLK-2002 dump questions are also available for you:

NEW QUESTION 1
When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

  • A. Auto
  • B. None
  • C. True
  • D. False

Answer: C

NEW QUESTION 2
Which of the following is a best practice to maximize indexing performance?

  • A. Use automatic sourcetyping.
  • B. Use the Splunk default settings.
  • C. Not use pre-trained source types.
  • D. Minimize configuration generality.

Answer: D

NEW QUESTION 3
What is a Splunk Job? (Select all that apply.)

  • A. A user-defined Splunk capability.
  • B. Searches that are subjected to some usage quota.
  • C. A search process kicked off via a report or an alert.
  • D. A child OS process manifested from the splunkd process.

Answer: A

NEW QUESTION 4
Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

  • A. Identify number of scheduled or real-time searches.
  • B. Validate if this Technical Add-On enables event data for a data model.
  • C. Identify the maximum number of forwarders Technical Add-On can support.
  • D. Verify if Technical Add-On needs to be installed onto both a search head or indexer.

Answer: AC

NEW QUESTION 5
Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)

  • A. Free licenses do not support clustering.
  • B. Replicated data does not count against licensing.
  • C. Each cluster member requires its own clustering license.
  • D. Cluster members must share the same license pool and license master.

Answer: BD

NEW QUESTION 6
Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

  • A. Use TCP syslog.
  • B. Configure UDP inputs on each Splunk indexer to receive data directly.
  • C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.
  • D. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

Answer: CD

NEW QUESTION 7
Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

  • A. Replace the indexer storage to solid state drives (SSD).
  • B. Add more search heads and redistribute users based on the search type.
  • C. Look for slow searches and reschedule them to run during an off-peak time.
  • D. Add more search peers and make sure forwarders distribute data evenly across all indexers.

Answer: C

NEW QUESTION 8
What is the algorithm used to determine captaincy in a Splunk search head cluster?

  • A. Raft distributed consensus.
  • B. Rapt distributed consensus.
  • C. Rift distributed consensus.
  • D. Round-robin distribution consensus.

Answer: A

NEW QUESTION 9
How does IT Service Intelligence (ITSI) impact the planning of a Splunk deployment?

  • A. ITSI requires a dedicated deployment server.
  • B. The amount of users using ITSI will not impact performance.
  • C. ITSI in a Splunk deployment does not require additional hardware resources.
  • D. Depending on the Key Performance Indicators that are being tracked, additional infrastructure may be needed.

Answer: D

NEW QUESTION 10
Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

  • A. Install Enterprise Security on the deployer.
  • B. Install Enterprise Security on a staging instance.
  • C. Copy the Enterprise Security configurations to the deployer.
  • D. Use the deployer to deploy Enterprise Security to the cluster members.

Answer: AD

NEW QUESTION 11
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

  • A. Use case checklist.
  • B. Install Splunk apps.
  • C. Inventory data sources.
  • D. Review network topology.

Answer: D

NEW QUESTION 12
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

  • A. 25
  • B. 50
  • C. 100
  • D. Unlimited

Answer: D

NEW QUESTION 13
A new Splunk customer is using syslog to collect data from their network devices on port 514. What is the best practice for ingesting this data into Splunk?

  • A. Configure syslog to send the data to multiple Splunk indexers.
  • B. Use a Splunk indexer to collect a network input on port 514 directly.
  • C. Use a Splunk forwarder to collect the input on port 514 and forward the data.
  • D. Configure syslog to write logs and use a Splunk forwarder to collect the logs.

Answer: C

NEW QUESTION 14
Splunk configuration parameter settings can differ between multiple .conf files of the same name contained within different apps. Which of the following directories has the highest precedence?

  • A. System local directory.
  • B. System default directory.
  • C. App local directories, in ASCII order.
  • D. App default directories, in ASCII order.

Answer: A

NEW QUESTION 15
Which of the following are true statements about Splunk indexer clustering?

  • A. All peer nodes must run exactly the same Splunk version.
  • B. The master node must run the same or a later Splunk version than search heads.
  • C. The peer nodes must run the same or a later Splunk version than the master node.
  • D. The search head must run the same or a later Splunk version than the peer nodes.

Answer: B

NEW QUESTION 16
Which command will permanently decommission a peer node operating in an indexer cluster?

  • A. splunk stop -f
  • B. splunk offline -f
  • C. splunk offline --enforce-counts
  • D. splunk decommission --enforce counts

Answer: C

NEW QUESTION 17
To optimize the distribution of primary buckets, when does primary rebalancing automatically occur? (Select all that apply.)

  • A. Rolling restart completes.
  • B. Master node rejoins the cluster.
  • C. Captain joins or rejoins cluster.
  • D. A peer node joins or rejoins the cluster.

Answer: ABD

NEW QUESTION 18
Of the following types of files within an index bucket, which file type may consume the most disk?

  • A. Rawdata
  • B. Bloom filter
  • C. Metadata (.data)
  • D. Inverted index (.tsidx)

Answer: B

NEW QUESTION 19
Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

  • A. Data encryption between Splunk Web and splunkd.
  • B. Certificate authentication between forwarders and indexers.
  • C. Certificate authentication between Splunk Web and search head.
  • D. Data encryption for distributed search between search heads and indexers.

Answer: B

NEW QUESTION 20
In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.
What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

  • A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.
  • B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.
  • C. Total daily indexing volume, replication factor, search factor, and number of search heads.
  • D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.

Answer: D

NEW QUESTION 21
What does setting site=site0 on all Search Head Cluster members do in a multi-site indexer cluster?

  • A. Disables search site affinity.
  • B. Sets all members to dynamic captaincy.
  • C. Enables multisite search artifact replication.
  • D. Enables automatic search site affinity discovery.

Answer: A

NEW QUESTION 22
When configuring a Splunk indexer cluster, what are the default values for replication and search factor?

  • A. replication_factor = 2, search_factor = 2
  • B. replication_factor = 2, search_factor = 3
  • C. replication_factor = 3, search_factor = 2
  • D. replication_factor = 3, search_factor = 3

Answer: A

NEW QUESTION 23
......
