Download Splunk SPLK-2002 Sample Question Online

NEW QUESTION 1
What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

• A. Distributes apps to SHC members.
• B. Bootstraps a clean Splunk install for a SHC.
• C. Distributes non-search related and manual configuration file changes.
• D. Distributes runtime knowledge object changes made by users across the SHC.

Answer: A

NEW QUESTION 2
At which default interval does metrics.log generate a periodic report regarding license utilization?

• A. 10 seconds
• B. 30 seconds
• C. 60 seconds
• D. 300 seconds

Answer: B

NEW QUESTION 3
Configurations from the deployer are merged into which location on the search head cluster member?

• A. SPLUNK_HOME/etc/system/local
• B. SPLUNK_HOME/etc/apps/APP_HOME/local
• C. SPLUNK_HOME/etc/apps/search/default
• D. SPLUNK_HOME/etc/apps/APP_HOME/default

Answer: A

NEW QUESTION 4
To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

• A. adhoc_searchhead = true (on all members)
• B. adhoc_searchhead = true (on the current captain)
• C. captain_is_adhoc_searchhead = true (on all members)
• D. captain_is_adhoc_searchhead = true (on the current captain)

Answer: D

NEW QUESTION 5
A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?

• A. Two indexers not in a cluster, assuming users run many long searches.
• B. Three indexers not in a cluster, assuming a long data retention period.
• C. Two indexers clustered, assuming high availability is the greatest priority.
• D. Two indexers clustered, assuming a high volume of saved/scheduled searches.

Answer: D

NEW QUESTION 6
A new Splunk customer is using syslog to collect data from their network devices on port 514. What is the best practice for ingesting this data into Splunk?

• A. Configure syslog to send the data to multiple Splunk indexers.
• B. Use a Splunk indexer to collect a network input on port 514 directly.
• C. Use a Splunk forwarder to collect the input on port 514 and forward the data.
• D. Configure syslog to write logs and use a Splunk forwarder to collect the logs.

Answer: C

NEW QUESTION 7
A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department. Which of the following items might be the cause for this issue?

• A. The search head may have different configurations than the indexers.
• B. The data inputs are not properly configured across all the forwarders.
• C. The indexers may have different configurations than the heavy forwarders.
• D. The forwarders managed by the other department are an older version than the rest.

Answer: D

NEW QUESTION 8
A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf:
[clustering] mode = master
replication_factor = 2
pass4SymmKey = password123
Which of the following statements
describe this Splunk instance?
(Select all that apply.)

• A. This is a multi-site cluster.
• B. This cluster's search factor is 2.
• C. This Splunk instance needs to be restarted.
• D. This instance is missing the master_uri attribute.

Answer: AC

NEW QUESTION 9
Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

• A. High performance SAN should never be used.
• B. Enable NFS for storing hot and warm buckets.
• C. The recommended RAID setup is RAID 10 (1 + 0).
• D. Virtualized environments are usually preferred over bare metal for Splunk indexers.

Answer: C

NEW QUESTION 10
When configuring a Splunk indexer cluster, what are the default values for replication and search factor?

• A. replication_factor = 2search_factor = 2
• B. replication_factor = 2 searchfactor = 3
• C. replication_factor = 3search_factor = 2
• D. replication_factor = 3 searchfactor = 3

Answer: A

NEW QUESTION 11
Which of the following describe migration from single-site to multisite index replication?

• A. A master node is required at each site.
• B. Multisite policies apply to new data only.
• C. Single-site buckets instantly receive the multisite policies.
• D. Multisite total values should not exceed any single-site factors.

Answer: D

NEW QUESTION 12
What log file would you search to verify if you suspect there is a problem interpreting a regular expression in a monitor stanza?

• A. btool.log
• B. metrics.log
• C. splunkd.log
• D. tailing_processor.log

Answer: C

NEW QUESTION 13
A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

• A. Create a job server on the cluster.
• B. Add another search head to the cluster.
• C. server.conf captain_is_adhoc_searchhead = true.
• D. Change limits.conf value for max_searches_per_cpu to a higher value.

Answer: D

NEW QUESTION 14
Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)

• A. OS settings.
• B. Internal logs.
• C. Customer data.
• D. Configuration files.

Answer: BD

NEW QUESTION 15
When Splunk indexes data in a non clustered environment, what kind of files does it create by default?

• A. Index and .tsidx files.
• B. Rawdata and index files.
• C. Compressed and .tsidx files.
• D. Compressed and meta data files.

Answer: B

NEW QUESTION 16
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV
store will form?

• A. 25
• B. 50
• C. 100
• D. Unlimited

Answer: D

NEW QUESTION 17
Which of the following is a way to exclude search artifacts when creating a diag?

• A. SPLUNK_HOME/bin/splunk diag --exclude
• B. SPLUNK_HOME/bin/splunk diag --debug --refresh
• C. SPLUNK_HOME/bin/splunk diag --disable=dispatch
• D. SPLUNK_HOME/bin/splunk diag --filter-searchstrings

Answer: A

NEW QUESTION 18
Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?

• A. Master
• B. Captain
• C. Deployer
• D. Deployment server

Answer: B

NEW QUESTION 19
Indexing is slow and real-time search results are delayed in a Splunk environment with two indexers and one search head. There is ample CPU and memory available on the indexers. Which of the following is most likely to improve indexing performance?

• A. Increase the maximum number of hot buckets in indexes.conf
• B. Increase the number of parallel ingestion pipelines in server.conf
• C. Decrease the maximum size of the search pipelines in limits.conf
• D. Decrease the maximum concurrent scheduled searches in limits.conf

Answer: D

NEW QUESTION 20
In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

• A. site_search_factor = origin:2, site1:2, total:4
• B. site_search_factor = origin:2, site2:1, total:4
• C. site_replication_factor = origin:2, site1:2, total:4
• D. site_replication_factor = origin:2, site2:1, total:4

Answer: D

NEW QUESTION 21
Which tool(s) can be leveraged to diagnose connection problems between an indexer and forwarder? (Select all that apply.)

• A. telnet
• B. tcpdump
• C. splunk btool
• D. splunk btprobe

Answer: BC

NEW QUESTION 22
Which Splunk tool offers a health check for administrators to evaluate the health of their
Splunk deployment?

• A. btool
• B. DiagGen
• C. SPL Clinic
• D. Monitoring Console

Answer: D

NEW QUESTION 23
......