What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)
A. Distributes apps to SHC members.
B. Bootstraps a clean Splunk install for a SHC.
C. Distributes non-search related and manual configuration file changes.
D. Distributes runtime knowledge object changes made by users across the SHC.
In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.
What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?
A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.
B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.
C. Total daily indexing volume, replication factor, search factor, and number of search heads.
D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.
Which of the following can a Splunk diag contain?
A. Search history, Splunk users and their roles, running processes, indexed data
B. Server specs, current open connections, internal Splunk log files, index listings
C. KV store listings, internal Splunk log files, search peer bundles listings, indexed data
D. Splunk platform configuration details, Splunk users and their roles, current open connections, index listings
A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk.
How many indexers are recommended for this deployment?
A. Two indexers not in a cluster, assuming users run many long searches.
B. Three indexers not in a cluster, assuming a long data retention period.
C. Two indexers clustered, assuming high availability is the greatest priority.
D. Two indexers clustered, assuming a high volume of saved/scheduled searches.
Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)
A. Is the job scheduler for the entire SHC.
B. Manages alert action suppressions (throttling).
C. Synchronizes the member list with the KV store primary.
D. Replicates the SHC's knowledge bundle to the search peers.
Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?
A. Master
B. Captain
C. Deployer
D. Deployment server
In the deployment planning process, when should a person identify who gets to see network data?
A. Deployment schedule
B. Topology diagramming
C. Data source inventory
D. Data policy definition
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?
A. 25
B. 50
C. 100
D. Unlimited
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?
A. 1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
B. 1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
C. 1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.
D. 1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.
When troubleshooting monitor inputs, which command checks the status of the tailed files?
A. splunk cmd btool inputs list | tail
B. splunk cmd btool check inputs layer
C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus
As a best practice, where should the internal licensing logs be stored?
A. Indexing layer.
B. License server.
C. Deployment layer.
D. Search head layer.
How does the average run time of all searches relate to the available CPU cores on the indexers?
A. Average run time is independent of the number of CPU cores on the indexers.
B. Average run time decreases as the number of CPU cores on the indexers decreases.
C. Average run time increases as the number of CPU cores on the indexers decreases.
D. Average run time increases as the number of CPU cores on the indexers increases.
In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?
A. SPLUNK_HOME/var/lib/searchpeers
B. SPLUNK_HOME/var/log/searchpeers
C. SPLUNK_HOME/var/run/searchpeers
D. SPLUNK_HOME/var/spool/searchpeers
When configuring a Splunk indexer cluster, what are the default values for replication and search factor?
A. replication_factor = 2 search_factor = 2
B. replication_factor = 2 search_factor = 3
C. replication_factor = 3 search_factor = 2
D. replication_factor = 3 search_factor = 3
What is the logical first step when starting a deployment plan?
A. Inventory the currently deployed logging infrastructure.
B. Determine what apps and use cases will be implemented.
C. Gather statistics on the expected adoption of Splunk for sizing.
D. Collect the initial requirements for the deployment from all stakeholders.