Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

Identify number of scheduled or real-time searches.

Validate if this Technical Add-On enables event data for a data model.

Identify number of scheduled or real-time searches.

Validate if this Technical Add-On enables event data for a data model.

Identify the maximum number of forwarders Technical Add-On can support.

Verify if Technical Add-On needs to be installed onto both a search head or indexer.

When configuring a Splunk indexer cluster, what are the default values for replication and search factor?

replication_factor = 3search_factor = 2

replication_factor = 2search_factor = 2

replication_factor = 2search factor = 3

replication_factor = 3search_factor = 2

replication_factor = 3search factor = 3

A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

The field was extracted as a private knowledge object.

The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

The field was extracted as a private knowledge object.

The events are tagged as communicate, but are missing the network tag.

The Typing Queue, which does regular expression replacements, is blocked.

The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

What is a Splunk Job? (Select all that apply.)

Searches that are subjected to some usage quota.

A search process kicked off via a report or an alert.

A child OS process manifested from the splunkd process.

A user-defined Splunk capability.

Searches that are subjected to some usage quota.

A search process kicked off via a report or an alert.

A child OS process manifested from the splunkd process.

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

Configure UDP inputs on each Splunk indexer to receive data directly.

Use a network load balancer to direct syslog traffic to active backend syslog listeners.

Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

What is the logical first step when starting a deployment plan?

Collect the initial requirements for the deployment from all stakeholders.

Inventory the currently deployed logging infrastructure.

Determine what apps and use cases will be implemented.

Gather statistics on the expected adoption of Splunk for sizing.

Collect the initial requirements for the deployment from all stakeholders.

Which of the following statements describe search head clustering? (Select all that apply.)

At least three search heads are needed.

The deployer must have sufficient CPU and network resources to process service requests and push configurations.

At least three search heads are needed.

Search heads must meet the high-performance reference server requirements.

The deployer must have sufficient CPU and network resources to process service requests and push configurations.

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

The recommended RAID setup is RAID 10 (1 + 0).

High performance SAN should never be used.

Enable NFS for storing hot and warm buckets.

The recommended RAID setup is RAID 10 (1 + 0).

Virtualized environments are usually preferred over bare metal for Splunk indexers.

Which of the following strongly impacts storage sizing requirements for Enterprise Security?

The number of Data Models accelerated.

The number of scheduled (correlation) searches.

The number of Splunk users configured.

The number of source types used in the environment.

The number of Data Models accelerated.

Which of the following is true regarding the migration of an index cluster from single-site to multi-site?

Existing single-site attributes must be removed.

Multi-site policies will apply to all data in the indexer cluster.

All peer nodes must be running the same version of Splunk.

Existing single-site attributes must be removed.

Single-site buckets cannot be converted to multi-site buckets.

What information is written to the __introspection log file?

File monitor input configurations.

File monitor checkpoint offset.

User activities and knowledge objects.

A customer has a four site indexer cluster. The customer has requirements to store five copies of searchable data, with one searchable copy of data at the origin site, and one searchable copy at the disaster recovery site (site4).Which configuration meets these requirements?

site_replication_factor = origin:l, site4:l, total:5

site_replication_factor = origin:2, site4:l, total:3

site_replication_factor = origin:l, site4:l, total:5

site_search_factor = origin:2, site4:l, total:3

site search factor = origin:1, site4:l, total:5

A customer currently has many deployment clients being managed by a single, dedicated deployment server. The customer plans to double the number of clients.What could be done to minimize performance issues?

Increase the current deployment client phone home interval.

Modify deploymentclient. conf to change from a Pull to Push mechanism.

Reduce the number of apps in the Manager Node repository.

Increase the current deployment client phone home interval.

Decrease the current deployment client phone home interval.

Following Splunk recommendations, where could the Monitoring Console (MC) be installed in a distributed deployment with an indexer cluster, a search head cluster, and 1000 forwarders?

On the search head cluster deployer.

On a search peer in the cluster.

On the search head cluster deployer.

On a search head in the cluster.

A Splunk instance has crashed, but no crash log was generated. There is an attempt to determine what user activity caused the crash by running the following search: What does searching for closed_txn=0 do in this search?

Filters results to situations where Splunk was started, but not stopped.

Filters results to situations where Splunk was started and stopped multiple times.

Filters results to situations where Splunk was started and stopped once.

Filters results to situations where Splunk was stopped and then immediately restarted.

Filters results to situations where Splunk was started, but not stopped.

A single-site indexer cluster has a replication factor of 3, and a search factor of 2. What is true about this cluster?

The cluster will ensure there are at least three copies of each bucket, and at least two copies of searchable metadata.

The cluster will ensure there are at least two copies of each bucket, and at least three copies of searchable metadata.

The cluster will ensure there are at most three copies of each bucket, and at most two copies of searchable metadata.

The cluster will ensure only two search heads are allowed to access the bucket at the same time.

The cluster will ensure there are at least three copies of each bucket, and at least two copies of searchable metadata.

Which of the following most improves KV Store resiliency?

Decrease latency between search heads.

Add faster storage to the search heads to improve artifact replication.

Add indexer CPU and memory to decrease search latency.

Increase the size of the Operations Log.

Which of the following Splunk deployments has the recommended minimum components for a high-availability search head cluster?

3 search heads, 1 deployer, 3 indexers

2 search heads, 1 deployer, 2 indexers

3 search heads, 1 deployer, 3 indexers

1 search head, 1 deployer, 3 indexers

2 search heads, 1 deployer, 3 indexers

What is needed to ensure that high-velocity sources will not have forwarding delays to the indexers?

Increase the default limit for maxKBps in limits.conf.

Increase the default value of sessionTimeout in server, conf.

Increase the default limit for maxKBps in limits.conf.

Decrease the value of forceTimebasedAutoLB in outputs. conf.

Decrease the default value of phoneHomelntervallnSecs in deploymentclient .conf.

Users who receive a link to a search are receiving an 'Unknown sid' error message when they open the link.Why is this happening?

The users have insufficient permissions.

Why should intermediate forwarders be avoided when possible?

To eliminate potential performance bottlenecks.

To minimize license usage and cost.

To decrease mean time between failures.

Because intermediate forwarders cannot be managed by a deployment server.

To eliminate potential performance bottlenecks.

A Splunk deployment is being architected and the customer will be using Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI). Through data onboarding and sizing, it is determined that over 200 discrete KPIs will be tracked by ITSI and 1TB of data per day by ES. What topology ensures a scalable and performant deployment?

Two search head clusters, one for ITSI and one for ES.

Two search heads, one for ITSI and one for ES.

Two search head clusters, one for ITSI and one for ES.

One search head cluster with both ITSI and ES installed.

One search head with both ITSI and ES installed.

How can internal logging levels in a Splunk environment be changed to troubleshoot an issue? (select all that apply)

Use the Monitoring Console (MC).

Other than high availability, which of the following is a benefit of search head clustering?

Automatic replication of user knowledge objects.

Allows indexers to maintain multiple searchable copies of all data.

Input settings are synchronized between search heads.

Fewer network ports are required to be opened between search heads.

Automatic replication of user knowledge objects.

By default, what happens to configurations in the local folder of each Splunk app when it is deployed to a search head cluster?

The local folder is merged into the default folder and deployed to the search heads.

The local folder is copied to the local folder on the search heads.

The local folder is merged into the default folder and deployed to the search heads.

Only certain . conf files in the local folder are deployed to the search heads.

The local folder is ignored and only the default folder is copied to the search heads.

A Splunk environment collecting 10 TB of data per day has 50 indexers and 5 search heads. A single-site indexer cluster will be implemented. Which of the following is a best practice for added data resiliency?

Set the Replication Factor based on allowed indexer failure.

Set the Replication Factor to 49.

Set the Replication Factor based on allowed indexer failure.

Always use the default Replication Factor of 3.

Set the Replication Factor based on allowed search head failure.

Which of the following use cases would be made possible by multi-site clustering? (select all that apply)

Greatly reduce WAN traffic by preferentially searching assigned site (search affinity).

Seamlessly route searches to a redundant site in case of a site failure.

Use blockchain technology to audit search activity from geographically dispersed data centers.

Enable a forwarder to send data to multiple indexers.

Greatly reduce WAN traffic by preferentially searching assigned site (search affinity).

Seamlessly route searches to a redundant site in case of a site failure.

Splunk SPLK-2002 Practice Test 3 - Free Online Exam Prep & Questions

Question 1 / 40

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

SPLUNK_HOME/var/lib/searchpeers

SPLUNK_HOME/var/log/searchpeers

SPLUNK_HOME/var/run/searchpeers

SPLUNK_HOME/var/spool/searchpeers

Comment (0)

Splunk SPLK-2002 Practice Test 3

Question

Splunk SPLK-2002 Practice Tests

Practice Tests