Practice Free SPLK-2002 Exam Online Questions
Which server.conf attribute should be added to the master node’s server.conf file when decommissioning a site in an indexer cluster?
- A . site_mappings
- B . available_sites
- C . site_search_factor
- D . site_replication_factor
A
Explanation:
The site_mappings attribute should be added to the master node’s server.conf file when decommissioning a site in an indexer cluster. The site_mappings attribute is used to specify how the master node should reassign the buckets from the decommissioned site to the remaining sites. The site_mappings attribute is a comma-separated list of site pairs, where the first site is the decommissioned site and the second site is the destination site. For example, site_mappings = site1:site2,site3:site4 means that the buckets from site1 will be moved to site2, and the buckets from site3 will be moved to site4. The available_sites attribute is used to specify which sites are currently available in the cluster, and it is automatically updated by the master node. The site_search_factor and site_replication_factor attributes are used to specify the number of searchable and replicated copies of each bucket for each site, and they are not affected by the decommissioning process.
Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index.
Which of the following logs are included in this index? (Select all that apply.)
- A . audit.log
- B . metrics.log
- C . disk_objects.log
- D . resource_usage.log
C, D
Explanation:
The following logs are included in the _introspection index, which contains data that the Splunk Enterprise deployment logs for platform instrumentation:
- disk_objects.log. This log contains information about the disk objects that Splunk creates and manages, such as buckets, indexes, and files. This log can help monitor the disk space usage and the bucket lifecycle.
- resource_usage.log. This log contains information about the resource usage of Splunk processes, such as CPU, memory, disk, and network. This log can help monitor the Splunk performance and identify any resource bottlenecks.
The following logs are not included in the _introspection index, but rather in the _internal index, which contains data that Splunk generates for internal logging:
- audit.log. This log contains information about the audit events that Splunk records, such as user actions, configuration changes, and search activity. This log can help audit the Splunk operations and security.
- metrics.log. This log contains information about the performance metrics that Splunk collects, such as data throughput, data latency, search concurrency, and search duration. This log can help measure the Splunk performance and efficiency.
For more information, see "About Splunk Enterprise logging" and "About the _introspection index" in the Splunk documentation.
What information is written to the __introspection log file?
- A . File monitor input configurations.
- B . File monitor checkpoint offset.
- C . User activities and knowledge objects.
- D . KV store performance.
D
Explanation:
The __introspection log file contains data about the impact of the Splunk software on the host system, such as CPU, memory, disk, and network usage, as well as KV store performance [1]. This log file is monitored by default and the contents are sent to the _introspection index [1]. The other options are not related to the __introspection log file. File monitor input configurations are stored in inputs.conf [2]. File monitor checkpoint offset is stored in fishbucket [3]. User activities and knowledge objects are stored in the _audit and _internal indexes respectively [4].
The frequency in which a deployment client contacts the deployment server is controlled by what?
- A . polling_interval attribute in outputs.conf
- B . phoneHomeIntervalInSecs attribute in outputs.conf
- C . polling_interval attribute in deploymentclient.conf
- D . phoneHomeIntervalInSecs attribute in deploymentclient.conf
D
Explanation:
The frequency in which a deployment client contacts the deployment server is controlled by the phoneHomeIntervalInSecs attribute in deploymentclient.conf. This attribute specifies how often the deployment client checks in with the deployment server to get updates on the apps and configurations that it should receive. The polling_interval attribute in outputs.conf controls how often the forwarder sends data to the indexer or another forwarder. The polling_interval attribute in deploymentclient.conf and the phoneHomeIntervalInSecs attribute in outputs.conf are not valid Splunk attributes. For more information, see Configure deployment clients and Configure forwarders with outputs.conf in the Splunk documentation.
Which part of the deployment plan is vital prior to installing Splunk indexer clusters and search head clusters?
- A . Data source inventory.
- B . Data policy definitions.
- C . Splunk deployment topology.
- D . Education and training plans.
C
Explanation:
According to the Splunk documentation [1], the Splunk deployment topology is the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters. The deployment topology defines the number and type of Splunk components, such as forwarders, indexers, search heads, and deployers, that you need to install and configure for your distributed deployment. The deployment topology also determines the network and hardware requirements, the data flow and replication, the high availability and disaster recovery options, and the security and performance considerations for your deployment [2]. The other options are false because:
- Data source inventory is not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as it is a preliminary step that helps you identify the types, formats, locations, and volumes of data that you want to collect and analyze with Splunk. Data source inventory is important for planning your data ingestion and retention strategies, but it does not directly affect the installation and configuration of Splunk components [3].
- Data policy definitions are not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as they are the rules and guidelines that govern how you handle, store, and protect your data. Data policy definitions are important for ensuring data quality, security, and compliance, but they do not directly affect the installation and configuration of Splunk components [4].
- Education and training plans are not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as they are the learning resources and programs that help you and your team acquire the skills and knowledge to use Splunk effectively. Education and training plans are important for enhancing your Splunk proficiency and productivity, but they do not directly affect the installation and configuration of Splunk components [5].
To improve Splunk performance, the parallelIngestionPipelines setting can be adjusted on which of the following components in the Splunk architecture? (Select all that apply.)
- A . Indexers
- B . Forwarders
- C . Search head
- D . Cluster master
A, B
Explanation:
The parallelIngestionPipelines setting can be adjusted on the indexers and forwarders to improve Splunk performance. The parallelIngestionPipelines setting determines how many concurrent data pipelines are used to process the incoming data. Increasing the parallelIngestionPipelines setting can improve the data ingestion and indexing throughput, especially for high-volume data sources. The parallelIngestionPipelines setting can be adjusted on the indexers and forwarders by editing the limits.conf file. The parallelIngestionPipelines setting cannot be adjusted on the search head or the cluster master, because they are not involved in the data ingestion and indexing process.
A customer has a four-site indexer cluster. The customer has requirements to store five copies of searchable data, with one searchable copy of data at the origin site, and one searchable copy at the disaster recovery site (site4).
Which configuration meets these requirements?
- A . site_replication_factor = origin:2, site4:1, total:3
- B . site_replication_factor = origin:1, site4:1, total:5
- C . site_search_factor = origin:2, site4:1, total:3
- D . site_search_factor = origin:1, site4:1, total:5
B
Explanation:
The correct configuration to meet the customer’s requirements is site_replication_factor = origin:1, site4:1, total:5. This means that each bucket will have one copy at the origin site, one copy at the disaster recovery site (site4), and three copies at any other sites. The total number of copies will be five, as required by the customer. The site_replication_factor determines how many copies of each bucket are stored across the sites in a multisite indexer cluster [1]. The site_search_factor determines how many copies of each bucket are searchable across the sites in a multisite indexer cluster [2]. Therefore, option B is the correct answer, and options A, C, and D are incorrect.
[1] Configure the site replication factor
[2] Configure the site search factor
Other than high availability, which of the following is a benefit of search head clustering?
- A . Allows indexers to maintain multiple searchable copies of all data.
- B . Input settings are synchronized between search heads.
- C . Fewer network ports are required to be opened between search heads.
- D . Automatic replication of user knowledge objects.
D
Explanation:
According to the Splunk documentation [1], one of the benefits of search head clustering is the automatic replication of user knowledge objects, such as dashboards, reports, alerts, and tags. This ensures that all cluster members have the same set of knowledge objects and can serve the same search results to the users. The other options are false because:
- Allowing indexers to maintain multiple searchable copies of all data is a benefit of indexer clustering, not search head clustering [2].
- Input settings are not synchronized between search heads, as search head clusters do not collect data from inputs. Data collection is done by forwarders or independent search heads [3].
- Fewer network ports are not required to be opened between search heads, as search head clusters use several ports for communication and replication among the members [4].
Users are asking the Splunk administrator to thaw recently-frozen buckets very frequently.
What could the Splunk administrator do to reduce the need to thaw buckets?
- A . Change frozenTimePeriodInSecs to a larger value.
- B . Change maxTotalDataSizeMB to a smaller value.
- C . Change maxHotSpanSecs to a larger value.
- D . Change coldToFrozenDir to a different location.
A
Explanation:
The correct answer is