Splunk Enterprise Certified Architect (SPLK-2002) Free Practice Test

Question 1

(Where can files be placed in a configuration bundle on a search peer that will persist after a new configuration bundle has been deployed?)

A. In the $SPLUNK_HOME/etc/slave-apps//local folder.

B. In the $SPLUNK_HOME/etc/slave-apps/_cluster/local folder.

C. Nowhere; the entire configuration bundle is overwritten with each push.

D. In the $SPLUNK_HOME/etc/master-apps//local folder.

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

In a clustered environment, where should the Splunk Monitoring Console be deployed?

A. On a separate server with access to all non-forwarder Splunk servers.

B. On a separate server with access to the Search Heads and Indexers only.

C. On the Cluster Manager to ensure proper access to the indexer cluster.

D. On each instance running in standalone mode.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

A Splunk instance has crashed, but no crash log was generated. There is an attempt to determine what user activity caused the crash by running the following search:

What does searching for closed_txn=0 do in this search?

A. Filters results to situations where Splunk was started, but not stopped.

B. Filters results to situations where Splunk was started and stopped multiple times.

C. Filters results to situations where Splunk was started and stopped once.

D. Filters results to situations where Splunk was stopped and then immediately restarted.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

Users are asking the Splunk administrator to thaw recently-frozen buckets very frequently. What could the Splunk administrator do to reduce the need to thaw buckets?

A. Change coldToFrozenDir to a different location.

B. Change maxTotalDataSizeMB to a smaller value.

C. Change f rozenTimePeriodlnSecs to a larger value.

D. Change maxHotSpanSecs to a larger value.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

A. Use TCP syslog.

B. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.

D. Configure UDP inputs on each Splunk indexer to receive data directly.

Correct Answer: A,B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

What is the algorithm used to determine captaincy in a Splunk search head cluster?

A. Rift distributed consensus.

B. Rapt distributed consensus.

C. Raft distributed consensus.

D. Round-robin distribution consensus.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

When troubleshooting a situation where some files within a directory are not being indexed, the ignored files are discovered to have long headers. What is the first thing that should be added to inputs.conf?

A. Add a crcSalt=<SOURCE> attribute.

B. Increase the value of initCrcLength.

C. Decrease the value of initCrcLength.

D. Add a crcSalt=<string> attribute.

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

(It is possible to lose UI edit functionality after manually editing which of the following files in the deployment server?)

A. deploymentserver.conf

B. deploymentclient.conf

C. inputs.conf

D. serverclass.conf

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

Which command should be run to re-sync a stale KV Store member in a search head cluster?

A. splunk clean eventdata -local

B. splunk resync kvstore -local

C. splunk clean kvstore -local

D. splunk resync kvstore -remote

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

What is the expected minimum amount of storage required for data across an indexer cluster with the following input and parameters?
* Raw data = 15 GB per day
* Index files = 35 GB per day
* Replication Factor (RF) = 2
* Search Factor (SF) = 2

A. 85 GB per day

B. 65 GB per day

C. 100 GB per day

D. 50 GB per day

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 11

Which of the following strongly impacts storage sizing requirements for Enterprise Security?

A. The number of scheduled (correlation) searches.

B. The number of Data Models accelerated.

C. The number of Splunk users configured.

D. The number of source types used in the environment.

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

Which Splunk server role regulates the functioning of indexer cluster?

A. Master Node

B. Indexer

C. Deployer

D. Monitoring Console

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 13

(The performance of a specific search is performing poorly. The search must run over All Time and is expected to have very few results. Analysis shows that the search accesses a very large number of buckets in a large index. What step would most significantly improve the performance of this search?)

A. Set indexed_realtime_use_by_default = true in limits.conf.

B. Increase the number of indexing pipelines.

C. Change this to a real-time search using an All Time window.

D. Increase the disk I/O hardware performance.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 14

Which two sections can be expanded using the Search Job Inspector?

A. Execution costs.

B. Saved search history.

C. Search job properties.

D. Optimization suggestions.

Correct Answer: C,D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Splunk Enterprise Certified Architect (SPLK-2002) Free Practice Test