Splunk SPLK-2002 Exam Questions
Splunk Enterprise Certified Architect (Page 3)

Updated On: 21-Feb-2026

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

  A. Distributes apps to SHC members.
  B. Bootstraps a clean Splunk install for a SHC.
  C. Distributes non-search-related and manual configuration file changes.
  D. Distributes runtime knowledge object changes made by users across the SHC.

Answer(s): A,C

Explanation:

The deployer distributes apps, as well as non-search-related and manual configuration file changes, to the search head cluster members. The deployer does not bootstrap a clean Splunk install for a search head cluster, as this is done by the captain. The deployer also does not distribute runtime knowledge object changes made by users across the search head cluster, as this is done by the replication factor. For more information, see Use the deployer to distribute apps and configuration updates in the Splunk documentation.



When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

  A. Auto
  B. None
  C. True
  D. False

Answer(s): D

Explanation:

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to false. This tells Splunk not to merge events that have been broken by the LINE_BREAKER. Setting the SHOULD_LINEMERGE attribute to true, auto, or none will cause Splunk to ignore the LINE_BREAKER and merge events based on other criteria. For more information, see Configure event line breaking in the Splunk documentation.



Which of the following should be included in a deployment plan?

  A. Business continuity and disaster recovery plans.
  B. Current logging details and data source inventory.
  C. Current and future topology diagrams of the IT environment.
  D. A comprehensive list of stakeholders, either direct or indirect.

Answer(s): A,B,C

Explanation:

A deployment plan should include business continuity and disaster recovery plans, current logging details and data source inventory, and current and future topology diagrams of the IT environment. These elements are essential for planning, designing, and implementing a Splunk deployment that meets the business and technical requirements. A comprehensive list of stakeholders, either direct or indirect, is not part of the deployment plan, but rather part of the project charter. For more information, see Deployment planning in the Splunk documentation.



A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  A. Via Splunk Web.
  B. Directly edit SPLUNK_HOME/etc/system/local/server.conf
  C. Run a splunk edit cluster-config command from the CLI.
  D. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Answer(s): B,C

Explanation:

A multi-site indexer cluster can be configured by directly editing SPLUNK_HOME/etc/system/local/server.conf or running a splunk edit cluster-config command from the CLI. These methods allow the administrator to specify the site attribute for each indexer node and the site_replication_factor and site_search_factor for the cluster. Configuring a multi-site indexer cluster via Splunk Web or directly editing SPLUNK_HOME/etc/system/default/server.conf are not supported methods. For more information, see Configure the indexer cluster with server.conf in the Splunk documentation.



Which index-time props.conf attributes impact indexing performance? (Select all that apply.)

  A. REPORT
  B. LINE_BREAKER
  C. ANNOTATE_PUNCT
  D. SHOULD_LINEMERGE

Answer(s): B,D

Explanation:

The index-time props.conf attributes that impact indexing performance are LINE_BREAKER and SHOULD_LINEMERGE. These attributes determine how Splunk breaks the incoming data into events and whether it merges multiple events into one. These operations can affect the indexing speed and the disk space consumption. The REPORT attribute does not impact indexing performance, as it is used to apply transforms at search time. The ANNOTATE_PUNCT attribute does not impact indexing performance, as it is used to add punctuation metadata to events at search time. For more information, see About props.conf and transforms.conf in the Splunk documentation.





