2026 New SPLK-2002 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/SPLK-2002/

Online SPLK-2002 free questions and answers of New Version:

NEW QUESTION 1
Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?

  • A. Master
  • B. Captain
  • C. Deployer
  • D. Deployment server

Answer: B

NEW QUESTION 2
Before users can use a KV store, an admin must create a collection. Where is a collection defined?

  • A. kvstore.conf
  • B. collection.conf
  • C. collections.conf
  • D. kvcollections.conf

Answer: C

NEW QUESTION 3
In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.
What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

  • A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.
  • B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.
  • C. Total daily indexing volume, replication factor, search factor, and number of search heads.
  • D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.

Answer: D

NEW QUESTION 4
Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

  • A. Identify number of scheduled or real-time searches.
  • B. Validate if this Technical Add-On enables event data for a data model.
  • C. Identify the maximum number of forwarders Technical Add-On can support.
  • D. Verify if Technical Add-On needs to be installed onto both a search head or indexer.

Answer: AC

NEW QUESTION 5
A Splunk user successfully extracted an IP address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

  • A. The field was extracted as a private knowledge object.
  • B. The events are tagged as communicate, but are missing the network tag.
  • C. The Typing Queue, which does regular expression replacements, is blocked.
  • D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

Answer: D

NEW QUESTION 6
Which command is used for thawing the archive bucket?

  • A. Splunk collect
  • B. Splunk convert
  • C. Splunk rebuild
  • D. Splunk dbinspect

Answer: C

NEW QUESTION 7
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

  • A. 25
  • B. 50
  • C. 100
  • D. Unlimited

Answer: D

NEW QUESTION 8
When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?

  • A. Index and .tsidx files.
  • B. Rawdata and index files.
  • C. Compressed and .tsidx files.
  • D. Compressed and meta data files.

Answer: B

NEW QUESTION 9
What is the algorithm used to determine captaincy in a Splunk search head cluster?

  • A. Raft distributed consensus.
  • B. Rapt distributed consensus.
  • C. Rift distributed consensus.
  • D. Round-robin distribution consensus.

Answer: A

NEW QUESTION 10
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

  • A. 1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
  • B. 1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
  • C. 1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.
  • D. 1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.

Answer: B

NEW QUESTION 11
Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

  • A. Use TCP syslog.
  • B. Configure UDP inputs on each Splunk indexer to receive data directly.
  • C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.
  • D. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

Answer: CD

NEW QUESTION 12
Which component in the splunkd.log will log information related to bad event breaking?

  • A. Audittrail
  • B. EventBreaking
  • C. IndexingPipeline
  • D. AggregatorMiningProcessor

Answer: D

NEW QUESTION 13
Which Splunk Enterprise offering has its own license?

  • A. Splunk Cloud Forwarder
  • B. Splunk Heavy Forwarder
  • C. Splunk Universal Forwarder
  • D. Splunk Forwarder Management

Answer: C

NEW QUESTION 14
Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

  • A. site_mappings
  • B. available_sites
  • C. site_search_factor
  • D. site_replication_factor

Answer: A

NEW QUESTION 15
Splunk configuration parameter settings can differ between multiple .conf files of the same name contained within different apps. Which of the following directories has the highest precedence?

  • A. System local directory.
  • B. System default directory.
  • C. App local directories, in ASCII order.
  • D. App default directories, in ASCII order.

Answer: A

NEW QUESTION 16
In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

  • A. Input
  • B. Search
  • C. Parsing
  • D. Indexing

Answer: C

NEW QUESTION 17
What is the minimum reference server specification for a Splunk indexer?

  • A. 12 CPU cores, 12GB RAM, 800 IOPS
  • B. 16 CPU cores, 16GB RAM, 800 IOPS
  • C. 24 CPU cores, 16GB RAM, 1200 IOPS
  • D. 28 CPU cores, 32GB RAM, 1200 IOPS

Answer: A

NEW QUESTION 18
Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

  • A. Check serverclass.conf of the deployment server.
  • B. Check deploymentclient.conf of the deployment client.
  • C. Check the content of SPLUNK_HOME/etc/apps of the deployment server.
  • D. Search for relevant events in splunkd.log of the deployment server.

Answer: ABC

NEW QUESTION 19
A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  • A. Via Splunk Web.
  • B. Directly edit SPLUNK_HOME/etc/system/local/server.conf
  • C. Run a splunk edit cluster-config command from the CLI.
  • D. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Answer: AB

NEW QUESTION 20
Which of the following are true statements about Splunk indexer clustering?

  • A. All peer nodes must run exactly the same Splunk version.
  • B. The master node must run the same or a later Splunk version than search heads.
  • C. The peer nodes must run the same or a later Splunk version than the master node.
  • D. The search head must run the same or a later Splunk version than the peer nodes.

Answer: B

NEW QUESTION 21
Of the following types of files within an index bucket, which file type may consume the most disk?

  • A. Rawdata
  • B. Bloom filter
  • C. Metadata (.data)
  • D. Inverted index (.tsidx)

Answer: B

NEW QUESTION 22
Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

  • A. audit.log
  • B. metrics.log
  • C. disk_objects.log
  • D. resource_usage.log

Answer: CD

NEW QUESTION 23
Which of the following are client filters available in serverclass.conf? (Select all that apply.)

  • A. DNS name.
  • B. IP address.
  • C. Splunk server role.
  • D. Platform (machine type).

Answer: AB
