Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
ServiceNow®
All Vendors
  2. Home
  3. Exams
  4. Splunk®
  5. SPLK-2002

Free Splunk® SPLK-2002 Exam Questions (page: 3)

Page 3 of 21
PDF with 197 Questions

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  1. Via Splunk Web.
  2. Directly edit SPLUNK_HOME/etc./system/local/server.conf
  3. Run a Splunk edit cluster-config command from the CLI.
  4. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Answer(s): B,C

Explanation:

A multi-site indexer cluster can be configured by directly editing SPLUNK_HOME/etc/system/local/server.conf or running a splunk edit cluster-config command from the CLI. These methods allow the administrator to specify the site attribute for each indexer node and the site_replication_factor and site_search_factor for the cluster. Configuring a multi-site indexer cluster via Splunk Web or directly editing SPLUNK_HOME/etc/system/default/server.conf are not supported methods. For more information, see Configure the indexer cluster with server.conf in the Splunk documentation.



Which index-time props.conf attributes impact indexing performance? (Select all that apply.)

  1. REPORT
  2. LINE_BREAKER
  3. ANNOTATE_PUNCT
  4. SHOULD_LINEMERGE

Answer(s): B,D

Explanation:

The index-time props.conf attributes that impact indexing performance are LINE_BREAKER and SHOULD_LINEMERGE. These attributes determine how Splunk breaks the incoming data into events and whether it merges multiple events into one. These operations can affect the indexing speed and the disk space consumption. The REPORT attribute does not impact indexing performance, as it is used to apply transforms at search time. The ANNOTATE_PUNCT attribute does not impact indexing performance, as it is used to add punctuation metadata to events at search time. For more information, see [About props.conf and transforms.conf] in the Splunk documentation.



Which of the following are client filters available in serverclass.conf? (Select all that apply.)

  1. DNS name.
  2. IP address.
  3. Splunk server role.
  4. Platform (machine type).

Answer(s): A,B,D

Explanation:

The client filters available in serverclass.conf are DNS name, IP address, and platform (machine type). These filters allow the administrator to specify which forwarders belong to a server class and receive the apps and configurations from the deployment server. The Splunk server role is not a valid client filter in serverclass.conf, as it is not a property of the forwarder. For more information, see [Use forwarder management filters] in the Splunk documentation.



What log file would you search to verify if you suspect there is a problem interpreting a regular expression in a monitor stanza?

  1. btool.log
  2. metrics.log
  3. splunkd.log
  4. tailing_processor.log

Answer(s): D

Explanation:

The tailing_processor.log file would be the best place to search if you suspect there is a problem interpreting a regular expression in a monitor stanza. This log file contains information about how Splunk monitors files and directories, including any errors or warnings related to parsing the monitor stanza. The splunkd.log file contains general information about the Splunk daemon, but it may not have the specific details about the monitor stanza. The btool.log file contains information about the configuration files, but it does not log the runtime behavior of the monitor stanza. The metrics.log file contains information about the performance metrics of Splunk, but it does not log the event breaking issues. For more information, see About Splunk Enterprise logging in the Splunk documentation.



Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?

  1. btool
  2. DiagGen
  3. SPL Clinic
  4. Monitoring Console

Answer(s): D

Explanation:

The Monitoring Console is the Splunk tool that offers a health check for administrators to evaluate the health of their Splunk deployment. The Monitoring Console provides dashboards and alerts that show the status and performance of various Splunk components, such as indexers, search heads, forwarders, license usage, and search activity. The Monitoring Console can also run health checks on the deployment and identify any issues or recommendations. The btool is a command-line tool that shows the effective settings of the configuration files, but it does not offer a health check. The DiagGen is a tool that generates diagnostic snapshots of the Splunk environment, but it does not offer a health check. The SPL Clinic is a tool that analyzes and optimizes SPL queries, but it does not offer a health check. For more information, see About the Monitoring Console in the Splunk documentation.



In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

  1. site_search_factor = origin:2, site1:2, total:4
  2. site_search_factor = origin:2, site2:1, total:4
  3. site_replication_factor = origin:2, site1:2, total:4
  4. site_replication_factor = origin:2, site2:1, total:4

Answer(s): B

Explanation:

In a four site indexer cluster, the configuration that stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies is site_search_factor = origin:2, site2:1, total:4. This configuration tells the cluster to maintain two copies of searchable data at the site where the data originates, one copy of searchable data at site2, and a total of four copies of searchable data across all sites. The site_search_factor determines how many copies of searchable data are maintained by the cluster for each site. The site_replication_factor determines how many copies of raw data are maintained by the cluster for each site. For more information, see Configure multisite indexer clusters with server.conf in the Splunk documentation.



Which of the following is true regarding Splunk Enterprise's performance? (Select all that apply.)

  1. Adding search peers increases the maximum size of search results.
  2. Adding RAM to existing search heads provides additional search capacity.
  3. Adding search peers increases the search throughput as the search load increases.
  4. Adding search heads provides additional CPU cores to run more concurrent searches.

Answer(s): C,D

Explanation:

The following statements are true regarding Splunk Enterprise performance:
Adding search peers increases the search throughput as search load increases. This is because adding more search peers distributes the search workload across more indexers, which reduces the load on each indexer and improves the search speed and concurrency. Adding search heads provides additional CPU cores to run more concurrent searches. This is because adding more search heads increases the number of search processes that can run in parallel, which improves the search performance and scalability. The following statements are false regarding Splunk Enterprise performance:
Adding search peers does not increase the maximum size of search results. The maximum size of search results is determined by the maxresultrows setting in the limits.conf file, which is independent of the number of search peers.
Adding RAM to an existing search head does not provide additional search capacity. The search capacity of a search head is determined by the number of CPU cores, not the amount of RAM. Adding RAM to a search head may improve the search performance, but not the search capacity. For more information, see Splunk Enterprise performance in the Splunk documentation.



Which Splunk Enterprise offering has its own license?

  1. Splunk Cloud Forwarder
  2. Splunk Heavy Forwarder
  3. Splunk Universal Forwarder
  4. Splunk Forwarder Management

Answer(s): C

Explanation:

The Splunk Universal Forwarder is the only Splunk Enterprise offering that has its own license. The Splunk Universal Forwarder license allows the forwarder to send data to any Splunk Enterprise or

Splunk Cloud instance without consuming any license quota. The Splunk Heavy Forwarder does not have its own license, but rather consumes the license quota of the Splunk Enterprise or Splunk Cloud instance that it sends data to. The Splunk Cloud Forwarder and the Splunk Forwarder Management are not separate Splunk Enterprise offerings, but rather features of the Splunk Cloud service. For more information, see [About forwarder licensing] in the Splunk documentation.



Viewing page 3 of 21
Viewing questions 17 - 24 out of 197 questions



Post your Comments and Discuss Splunk® SPLK-2002 exam prep with other Community members:

SPLK-2002 Exam Discussions & Posts