Free sample questions for the Splunk SPLK-2002 (Splunk Enterprise Certified Architect) exam:

NEW QUESTION 1
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

  • A. 1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
  • B. 1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
  • C. 1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.
  • D. 1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.

Answer: B

NEW QUESTION 2
In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

  • A. site_search_factor = origin:2, site1:2, total:4
  • B. site_search_factor = origin:2, site2:1, total:4
  • C. site_replication_factor = origin:2, site1:2, total:4
  • D. site_replication_factor = origin:2, site2:1, total:4

Answer: D

NEW QUESTION 3
Which command will permanently decommission a peer node operating in an indexer cluster?

  • A. splunk stop -f
  • B. splunk offline -f
  • C. splunk offline --enforce-counts
  • D. splunk decommission --enforce counts

Answer: C

NEW QUESTION 4
When should multiple search pipelines be enabled?

  • A. Only if disk IOPS is at 800 or better.
  • B. Only if there are fewer than twelve concurrent users.
  • C. Only if running Splunk Enterprise version 6.6 or later.
  • D. Only if CPU and memory resources are significantly under-utilized.

Answer: D

NEW QUESTION 5
A new Splunk customer is using syslog to collect data from their network devices on port 514. What is the best practice for ingesting this data into Splunk?

  • A. Configure syslog to send the data to multiple Splunk indexers.
  • B. Use a Splunk indexer to collect a network input on port 514 directly.
  • C. Use a Splunk forwarder to collect the input on port 514 and forward the data.
  • D. Configure syslog to write logs and use a Splunk forwarder to collect the logs.

Answer: C

NEW QUESTION 6
Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)

  • A. OS settings.
  • B. Internal logs.
  • C. Customer data.
  • D. Configuration files.

Answer: BD

NEW QUESTION 7
Which of the following is a way to exclude search artifacts when creating a diag?

  • A. SPLUNK_HOME/bin/splunk diag --exclude
  • B. SPLUNK_HOME/bin/splunk diag --debug --refresh
  • C. SPLUNK_HOME/bin/splunk diag --disable=dispatch
  • D. SPLUNK_HOME/bin/splunk diag --filter-searchstrings

Answer: A

NEW QUESTION 8
A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

  • A. Create a job server on the cluster.
  • B. Add another search head to the cluster.
  • C. server.conf captain_is_adhoc_searchhead = true.
  • D. Change limits.conf value for max_searches_per_cpu to a higher value.

Answer: D

NEW QUESTION 9
A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  • A. Via Splunk Web.
  • B. Directly edit SPLUNK_HOME/etc/system/local/server.conf
  • C. Run a splunk edit cluster-config command from the CLI.
  • D. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Answer: AB

NEW QUESTION 10
Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

  • A. Data encryption between Splunk Web and splunkd.
  • B. Certificate authentication between forwarders and indexers.
  • C. Certificate authentication between Splunk Web and search head.
  • D. Data encryption for distributed search between search heads and indexers.

Answer: B

NEW QUESTION 11
What is a Splunk Job? (Select all that apply.)

  • A. A user-defined Splunk capability.
  • B. Searches that are subjected to some usage quota.
  • C. A search process kicked off via a report or an alert.
  • D. A child OS process manifested from the splunkd process.

Answer: A

NEW QUESTION 12
In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.
What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

  • A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.
  • B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.
  • C. Total daily indexing volume, replication factor, search factor, and number of search heads.
  • D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.

Answer: D

NEW QUESTION 13
When Splunk is installed, where are the internal indexes stored by default?

  • A. SPLUNK_HOME/bin
  • B. SPLUNK_HOME/var/lib
  • C. SPLUNK_HOME/var/run
  • D. SPLUNK_HOME/etc/system/default

Answer: B

NEW QUESTION 14
When troubleshooting monitor inputs, which command checks the status of the tailed files?

  • A. splunk cmd btool inputs list | tail
  • B. splunk cmd btool check inputs layer
  • C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
  • D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus

Answer: C

NEW QUESTION 15
A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department. Which of the following items might be the cause for this issue?

  • A. The search head may have different configurations than the indexers.
  • B. The data inputs are not properly configured across all the forwarders.
  • C. The indexers may have different configurations than the heavy forwarders.
  • D. The forwarders managed by the other department are an older version than the rest.

Answer: D

NEW QUESTION 16
Configurations from the deployer are merged into which location on the search head cluster member?

  • A. SPLUNK_HOME/etc/system/local
  • B. SPLUNK_HOME/etc/apps/APP_HOME/local
  • C. SPLUNK_HOME/etc/apps/search/default
  • D. SPLUNK_HOME/etc/apps/APP_HOME/default

Answer: A

NEW QUESTION 17
Which Splunk server role regulates the functioning of an indexer cluster?

  • A. Indexer
  • B. Deployer
  • C. Master Node
  • D. Monitoring Console

Answer: C

NEW QUESTION 18
In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

  • A. Input
  • B. Search
  • C. Parsing
  • D. Indexing

Answer: C

NEW QUESTION 19
To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

  • A. adhoc_searchhead = true (on all members)
  • B. adhoc_searchhead = true (on the current captain)
  • C. captain_is_adhoc_searchhead = true (on all members)
  • D. captain_is_adhoc_searchhead = true (on the current captain)

Answer: D

NEW QUESTION 20
When adding or rejoining a member to a search head cluster, the following error is displayed:
Error pulling configurations from the search head cluster captain; consider performing a destructive configuration resync on this search head cluster member.
What corrective action should be taken?

  • A. Restart the search head.
  • B. Run the splunk apply shcluster-bundle command from the deployer.
  • C. Run the clean raft command on all members of the search head cluster.
  • D. Run the splunk resync shcluster-replicated-config command on this member.

Answer: B

NEW QUESTION 21
What is the algorithm used to determine captaincy in a Splunk search head cluster?

  • A. Raft distributed consensus.
  • B. Rapt distributed consensus.
  • C. Rift distributed consensus.
  • D. Round-robin distribution consensus.

Answer: A
