Splunk SPLK-2002 Splunk Enterprise Certified Architect Exam Practice Test

Page: 1 / 14
Total 160 questions
Question 1

Which of the following is true for indexer cluster knowledge bundles?



Answer : B

According to the Splunk documentation1, indexer cluster knowledge bundles are the configuration files that the cluster master distributes to the peer nodes as part of the cluster configuration bundle. The knowledge bundles contain the knowledge objects, such as event types, tags, lookups, and so on, that are relevant for indexing and searching the data. The cluster master creates the knowledge bundles by merging the app-name/default and app-name/local directories from the apps that reside on the master node.The cluster master then pushes the knowledge bundles to the peer nodes, where they reside under the $SPLUNK_HOME/var/run directory2. The other options are false because:

Only app-name/local is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes.The app-name/local directory contains the local customizations of the app configuration, while the app-name/default directory contains the default app configuration3.

Only app-name/default is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes.The app-name/default directory contains the default app configuration, while the app-name/local directory contains the local customizations of the app configuration3.

app-name/default and app-name/local are pushed without change. This is false because the cluster master merges the app-name/default and app-name/local directories before pushing them to the peer nodes.This ensures that the peer nodes have the latest and consistent configuration of the apps3.


Question 2

Which Splunk component is mandatory when implementing a search head cluster?



Answer : B

This is a mandatory Splunk component when implementing a search head cluster, as it is responsible for distributing the configuration updates and app bundles to the cluster members1.The deployer is a separate instance that communicates with the cluster manager and pushes the changes to the search heads1. The other options are not mandatory components for a search head cluster.Option A, Captain Server, is not a component, but a role that is dynamically assigned to one of the search heads in the cluster2.The captain coordinates the replication and search activities among the cluster members2.Option C, Cluster Manager, is a component for an indexer cluster, not a search head cluster3.The cluster manager manages the replication and search factors, and provides a web interface for monitoring and managing the indexer cluster3.Option D, RAFT Server, is not a component, but a protocol that is used by the search head cluster to elect the captain and maintain the cluster state4. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: Use the deployer to distribute apps and configuration updates2: About the captain3: About the cluster manager4: How a search head cluster works


Question 3

When designing the number and size of indexes, which of the following considerations should be applied?



Answer : D

When designing the number and size of indexes, the following considerations should be applied:

Expected daily ingest volumes: This is the amount of data that will be ingested and indexed by the Splunk platform per day. This affects the storage capacity, the indexing performance, and the license usage of the Splunk deployment.The number and size of indexes should be planned according to the expected daily ingest volumes, as well as the peak ingest volumes, to ensure that the Splunk deployment can handle the data load and meet the business requirements12.

Data retention time policies: This is the duration for which the data will be stored and searchable by the Splunk platform. This affects the storage capacity, the data availability, and the data compliance of the Splunk deployment.The number and size of indexes should be planned according to the data retention time policies, as well as the data lifecycle, to ensure that the Splunk deployment can retain the data for the desired period and meet the legal or regulatory obligations13.

Access controls: This is the mechanism for granting or restricting access to the data by the Splunk users or roles. This affects the data security, the data privacy, and the data governance of the Splunk deployment.The number and size of indexes should be planned according to the access controls, as well as the data sensitivity, to ensure that the Splunk deployment can protect the data from unauthorized or inappropriate access and meet the ethical or organizational standards14.

Option D is the correct answer because it reflects the most relevant and important considerations for designing the number and size of indexes.Option A is incorrect because the number of concurrent users is not a direct factor for designing the number and size of indexes, but rather a factor for designing the search head capacity and the search head clustering configuration5. Option B is incorrect because the number of installed apps is not a direct factor for designing the number and size of indexes, but rather a factor for designing the app compatibility and the app performance. Option C is incorrect because it omits the expected daily ingest volumes, which is a crucial factor for designing the number and size of indexes.


1:Splunk Validated Architectures2: [Indexer capacity planning]3: [Set a retirement and archiving policy for your indexes]4: [About securing Splunk Enterprise]5: [Search head capacity planning] : [App installation and management overview]

Question 4

What types of files exist in a bucket within a clustered index? (select all that apply)



Answer : C, D

According to the Splunk documentation1, a bucket within a clustered index contains two key types of files: the raw data in compressed form (rawdata) and the indexes that point to the raw data (tsidx files). A bucket can be either replicated or searchable, depending on whether it has both types of files or only the rawdata file. A replicated bucket is a bucket that has been copied from one peer node to another for the purpose of data replication. A searchable bucket is a bucket that has both the rawdata and the tsidx files, and can be searched by the search heads. The types of files that exist in a bucket within a clustered index are:

Inside a searchable bucket, there is tsidx and rawdata.This is true because a searchable bucket contains both the data and the index files, and can be searched by the search heads1.

Inside a replicated bucket, there is both tsidx and rawdata. This is true because a replicated bucket can also be a searchable bucket, if it has both the data and the index files.However, not all replicated buckets are searchable, as some of them might only have the rawdata file, depending on the replication factor and the search factor settings1.

The other options are false because:

Inside a replicated bucket, there is only rawdata. This is false because a replicated bucket can also have the tsidx file, if it is a searchable bucket.A replicated bucket only has the rawdata file if it is a non-searchable bucket, which means that it cannot be searched by the search heads until it gets the tsidx file from another peer node1.

Inside a searchable bucket, there is only tsidx. This is false because a searchable bucket always has both the tsidx and the rawdata files, as they are both required for searching the data.A searchable bucket cannot exist without the rawdata file, as it contains the actual data that the tsidx file points to1.


Question 5

A customer is migrating 500 Universal Forwarders from an old deployment server to a new deployment server, with a different DNS name. The new deployment server is configured and running.

The old deployment server deployed an app containing an updated deploymentclient.conf file to all forwarders, pointing them to the new deployment server. The app was successfully deployed to all 500 forwarders.

Why would all of the forwarders still be phoning home to the old deployment server?



Answer : C

All of the forwarders would still be phoning home to the old deployment server, because the forwarders are configured to use the old deployment server in $SPLUNK_HOME/etc/system/local. This is the local configuration directory that contains the settings that override the default settings in $SPLUNK_HOME/etc/system/default. The deploymentclient.conf file in the local directory specifies the targetUri of the deployment server that the forwarder contacts for configuration updates and apps. If the forwarders have the old deployment server's targetUri in the local directory, they will ignore the updated deploymentclient.conf file that was deployed by the old deployment server, because the local settings have higher precedence than the deployed settings. To fix this issue, the forwarders should either remove the deploymentclient.conf file from the local directory, or update it with the new deployment server's targetUri. Option C is the correct answer. Option A is incorrect because a version mismatch between the forwarders and the new deployment server would not prevent the forwarders from phoning home to the new deployment server, as long as they are compatible versions. Option B is incorrect because the new deployment server is configured and running, and there is no indication that it is not accepting connections from the forwarders. Option D is incorrect because the pass4SymmKey is the shared secret key that the deployment server and the forwarders use to authenticate each other.It does not affect the forwarders' ability to phone home to the new deployment server, as long as it is the same on both sides12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Updating/Configuredeploymentclients2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Wheretofindtheconfigurationfiles


Question 6

On search head cluster members, where in $splunk_home does the Splunk Deployer deploy app content by default?



Answer : B

According to the Splunk documentation1, the Splunk Deployer deploys app content to the etc/slave-apps/ directory on the search head cluster members by default. This directory contains the apps that the deployer distributes to the members as part of the configuration bundle. The other options are false because:

The etc/apps/ directory contains the apps that are installed locally on each member, not the apps that are distributed by the deployer2.

The etc/shcluster/ directory contains the configuration files for the search head cluster, not the apps that are distributed by the deployer3.

The etc/deploy-apps/ directory is not a valid Splunk directory, as it does not exist in the Splunk file system structure4.


Question 7

How many cluster managers are required for a multisite indexer cluster?



Answer : C

A multisite indexer cluster is a type of indexer cluster that spans multiple geographic locations or sites. A multisite indexer cluster requires only one cluster manager, also known as the master node, for the entire cluster. The cluster manager is responsible for coordinating the replication and search activities among the peer nodes across all sites. The cluster manager can reside in any site, but it must be accessible by all peer nodes and search heads in the cluster. Option C is the correct answer. Option A is incorrect because having two cluster managers for the entire cluster would introduce redundancy and complexity. Option B is incorrect because having one cluster manager for each site would create separate clusters, not a multisite cluster.Option D is incorrect because having two cluster managers for each site would be unnecessary and inefficient12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Multisiteoverview2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Clustermanageroverview


Page:    1 / 14   
Total 160 questions