Splunk splk-2002 practice test

When configuring a Splunk indexer cluster, what are the default values for replication and search
factor?

• A. replication_factor = 2search_factor = 2
• B. replication_factor = 2search factor = 3
• C. replication_factor = 3search_factor = 2
• D. replication_factor = 3search factor = 3

Consider a use case involving firewall dat
a. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items
that must be evaluated before installing the add-on? (Select all that apply.)

• A. Identify number of scheduled or real-time searches.
• B. Validate if this Technical Add-On enables event data for a data model.
• C. Identify the maximum number of forwarders Technical Add-On can support.
• D. Verify if Technical Add-On needs to be installed onto both a search head or indexer.

In a distributed environment, knowledge object bundles are replicated from the search head to
which location on the search peer(s)?

• A. SPLUNK_HOME/var/lib/searchpeers
• B. SPLUNK_HOME/var/log/searchpeers
• C. SPLUNK_HOME/var/run/searchpeers
• D. SPLUNK_HOME/var/spool/searchpeers

How does the average run time of all searches relate to the available CPU cores on the indexers?

• A. Average run time is independent of the number of CPU cores on the indexers.
• B. Average run time decreases as the number of CPU cores on the indexers decreases.
• C. Average run time increases as the number of CPU cores on the indexers decreases.
• D. Average run time increases as the number of CPU cores on the indexers increases.

As a best practice, where should the internal licensing logs be stored?

• A. Indexing layer.
• B. License server.
• C. Deployment layer.
• D. Search head layer.

Which of the following statements about integrating with third-party systems is true? (Select all that
apply.)

• A. A Hadoop application can search data in Splunk.
• B. Splunk can search data in the Hadoop File System (HDFS).
• C. You can use Splunk alerts to provision actions on a third-party system.
• D. You can forward data from Splunk forwarder to a third-party system without indexing it first.

What is the algorithm used to determine captaincy in a Splunk search head cluster?

• A. Raft distributed consensus.
• B. Rapt distributed consensus.
• C. Rift distributed consensus.
• D. Round-robin distribution consensus.

Which of the following is an indexer clustering requirement?

• A. Must use shared storage.
• B. Must reside on a dedicated rack.
• C. Must have at least three members.
• D. Must share the same license pool.

Splunk configuration parameter settings can differ between multiple .conf files of the same name
contained within different apps. Which of the following directories has the highest precedence?

• A. System local directory.
• B. System default directory.
• C. App local directories, in ASCII order.
• D. App default directories, in ASCII order.

Which of the following should be done when installing Enterprise Security on a Search Head Cluster?
(Select all that apply.)

• A. Install Enterprise Security on the deployer.
• B. Install Enterprise Security on a staging instance.
• C. Copy the Enterprise Security configurations to the deployer.
• D. Use the deployer to deploy Enterprise Security to the cluster members.

When converting from a single-site to a multi-site cluster, what happens to existing single-site
clustered buckets?

• A. They will continue to replicate within the origin site and age out based on existing policies.
• B. They will maintain replication as required according to the single-site policies, but never age out.
• C. They will be replicated across all peers in the multi-site cluster and age out based on existing policies.
• D. They will stop replicating within the single-site and remain on the indexer they reside on and age out according to existing policies.

Of the following types of files within an index bucket, which file type may consume the most disk?

• A. Rawdata
• B. Bloom filter
• C. Metadata (.data)
• D. Inverted index (.tsidx)

When should multiple search pipelines be enabled?

• A. Only if disk IOPS is at 800 or better.
• B. Only if there are fewer than twelve concurrent users.
• C. Only if running Splunk Enterprise version 6.6 or later.
• D. Only if CPU and memory resources are significantly under-utilized.

Which of the following is a best practice to maximize indexing performance?

• A. Use automatic sourcetyping.
• B. Use the Splunk default settings.
• C. Not use pre-trained source types.
• D. Minimize configuration generality.

When troubleshooting monitor inputs, which command checks the status of the tailed files?

• A. splunk cmd btool inputs list | tail
• B. splunk cmd btool check inputs layer
• C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
• D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus