Free SPLK-2002 Sample Questions — Splunk Enterprise Certified Architect

Data for which of the following indexes will count against an ingest-based license?

• A. _introspection
• B. summary
• C. _metrics
• D. main

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

• A. kvstore.conf
• B. collection.conf
• C. collections.conf
• D. kvcollections.conf

What problem does a static captain address for a search head cluster?

• A. Prevents network interruption from stopping communication between two sites
• B. Increased search head cluster resiliency in case the dynamic captain fails
• C. Recovery of a search head cluster that could not reach consensus
• D. Faster raft elections and captain replacement when the captain fails

A high volume source and a low volume source feed into the same index. Which of the following items best describe the impact of this design choice? (Choose all that apply.)

• A. High volume data is optimized by the presence of low volume data
• B. Low volume data will improve the compression factor of the high volume data
• C. Search speed on low volume data will be slower than necessary
• D. Low volume data may move out of the index based on volume rather than age

What is a recommended way to improve search performance?

• A. Leverage the NOT expression to limit returned results
• B. Filter as much as possible in the initial search
• C. Use the shortest query possible
• D. Use non-streaming commands as early as possible

When troubleshooting monitor inputs, which command checks the status of the tailed files?

• A. splunk cmd btool inputs list | tail
• B. splunk cmd btool check inputs layer
• C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
• D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus

Which of the following is not facilitated by the deployer?

• A. Migration of app and user configurations into the search head cluster
• B. Distribute non-replicated, non-runtime configuration updates
• C. Replication of knowledge objects
• D. Deployment of baseline app configurations

A customer has a Splunk Enterprise deployment and wants to collect data from universal forwarders. What is the best step to secure log traffic?

• A. Create signed SSL certificates and use them to encrypt data between the search heads and indexers
• B. Use the Splunk provided SSL certificates to encrypt data between the forwarders and indexers
• C. Ensure all forwarded traffic is routed through a web application firewall (WAF)
• D. Create signed SSL certificates and use them to encrypt data between the forwarders and indexers

Configurations from the deployer are merged into which location on the search head cluster member?

• A. SPLUNK_HOME/etc/system/local
• B. SPLUNK_HOME/etc/apps/APP_HOME/local
• C. SPLUNK_HOME/etc/apps/search/default
• D. SPLUNK_HOME/etc/apps/APP_HOME/default

When planning a search head cluster, which of the following is true?

• A. All search heads must use the same operating system
• B. All search heads must be members of the cluster (no standalone search heads)
• C. The search head captain must be assigned to the largest search head in the cluster
• D. All indexers must belong to the underlying indexer cluster (no standalone indexers)

The current IT environment is required when planning a Splunk deployment. What information should the topology include? (Choose all that apply.)

• A. Authentication system(s) in place
• B. Location of data centers
• C. The type of hardware being used for network servers
• D. Security restrictions between sites

Which of the following statements describe search head clustering? (Select all that apply.)

• A. deployer is required
• B. At least three search heads are needed
• C. Search heads must meet the high-performance reference server requirements
• D. The deployer must have sufficient CPU and network resources to process service requests and push configurations

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

• A. site_search_factor = origin:2, site1:2, total:4
• B. site_search_factor = origin:2, site2:1, total:4
• C. site_replication_factor = origin:2, site1:2, total:4
• D. site_replication_factor = origin:2, site2:1, total:4

A customer creates a saved search that runs on a specific interval. Which internal Splunk log should be viewed to determine if the search ran recently?

• A. kvstore.log
• B. scheduler.log
• C. metrics.log
• D. btool.log

Which of the following statements about integrating with third-party systems is true? (Select all that apply.)

• A. Hadoop application can search data in Splunk
• B. Splunk can search data in the Hadoop File System (HDFS)
• C. You can use Splunk alerts to provision actions on a third-party system
• D. You can forward data from Splunk forwarder to a third-party system without indexing it first

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

• A. audit.log
• B. metrics.log
• C. disk_objects.log
• D. resource_usage.log

A customer has converted a CSV lookup to a KV Store lookup. What must be done to make it available for an automatic lookup?

• A. Add the replicate=true attribute in lookups.conf.
• B. Add the repFactor=true attribute in collections.conf.
• C. Add the replicate=true attribute in collections.conf.
• D. Add the repFactor=true attribute in lookups.conf.

When implementing KV Store Collections in a search head cluster, which of the following considerations is true?

• A. The KV Store Collection will not allow for changes to content if there are more than 50 search heads in the cluster
• B. The search head cluster captain is also the KV Store Primary when collection content changes
• C. The KV Store Primary coordinates with the search head cluster captain when collection content changes
• D. Each search head in the cluster independently updates its KV store collection when collection content changes

When determining where a Splunk forwarder is trying to send data, which of the following searches can provide assistance?

• A. index=_internal sourcetype=internal metrics destHost | dedup destHost
• B. index=_metrics sourcetype=splunkd metrics destHost | dedup destHost
• C. index=_internal sourcetype=splunkd metrics destHost | dedup destHost
• D. index=_internal sourcetype=splunkd metrics inputHost | dedup inputHost

What is the logical first step when starting a deployment plan?

• A. Inventory the currently deployed logging infrastructure
• B. Determine what apps and use cases will be implemented
• C. Gather statistics on the expected adoption of Splunk for sizing
• D. Collect the initial requirements for the deployment from all stakeholders