Splunk SPLK-2002 Splunk Enterprise Certified Architect Exam Practice Test

Answer : B, C

A multi-site indexer cluster can be configured by directly editing SPLUNK_HOME/etc/system/local/server.conf or running a splunk edit cluster-config command from the CLI. These methods allow the administrator to specify the site attribute for each indexer node and the site_replication_factor and site_search_factor for the cluster. Configuring a multi-site indexer cluster via Splunk Web or directly editing SPLUNK_HOME/etc/system/default/server.conf are not supported methods. For more information, seeConfigure the indexer cluster with server.confin the Splunk documentation.

Answer : A, B

The following statements describe licensing in a clustered Splunk deployment: Free licenses do not support clustering, and replicated data does not count against licensing. Free licenses are limited to 500 MB of daily indexing volume and do not allow distributed searching or clustering. To enable clustering, a license with a higher volume limit and distributed features is required. Replicated data is data that is copied from one peer node to another for the purpose of high availability and load balancing. Replicated data does not count against licensing, because it is not new data that is ingested by Splunk. Only the original data that is indexed by the peer nodes counts against licensing. Each cluster member does not require its own clustering license, because clustering licenses are shared among the cluster members.Cluster members must share the same license pool and license master, because the license master is responsible for distributing licenses to the cluster members and enforcing the license limits

Answer : D

The AggregatorMiningProcessor component in the splunkd.log file will log information related to bad event breaking. The AggregatorMiningProcessor is responsible for breaking the incoming data into events and applying the props.conf settings. If there is a problem with the event breaking, such as incorrect timestamps, missing events, or merged events, the AggregatorMiningProcessor will log the error or warning messages in the splunkd.log file. The Audittrail component logs information about the audit events, such as user actions, configuration changes, and search activity. The EventBreaking component logs information about the event breaking rules, such as the LINE_BREAKER and SHOULD_LINEMERGE settings. The IndexingPipeline component logs information about the indexing pipeline, such as the parsing, routing, and indexing phases. For more information, seeAbout Splunk Enterprise loggingand [Configure event line breaking] in the Splunk documentation.

Answer : C

According to the Splunk documentation1, the CHARSET setting in props.conf specifies the character set encoding of the source data. This setting has the least impact on indexing performance, as it only affects how Splunk interprets the bytes of the data, not how it processes or transforms the data. The other options are false because:

The SHOULD_LINEMERGE setting in props.conf determines whether Splunk breaks events based on timestamps or newlines.This setting has a significant impact on indexing performance, as it affects how Splunk parses the data and identifies the boundaries of the events2.

The TRUNCATE setting in props.conf specifies the maximum number of characters that Splunk indexes from a single line of a file.This setting has a moderate impact on indexing performance, as it affects how much data Splunk reads and writes to the index3.

The TIME_PREFIX setting in props.conf specifies the prefix that directly precedes the timestamp in the event data.This setting has a moderate impact on indexing performance, as it affects how Splunk extracts the timestamp and assigns it to the event

Answer : C

Decreasing the data model acceleration range will reduce the disk size requirements for a cluster of indexers running Splunk Enterprise Security. Data model acceleration creates tsidx files that consume disk space on the indexers. Reducing the acceleration range will limit the amount of data that is accelerated and thus save disk space. Setting the cluster search factor or replication factor to N-1 will not reduce the disk size requirements, but rather increase the risk of data loss. Increasing the number of buckets per index will also increase the disk size requirements, as each bucket has a minimum size. For more information, seeData model accelerationandBucket sizein the Splunk documentation.

Answer : B

Thedeployeris a Splunk Enterprise instance that distributes apps and other configurations to the members of asearch head cluster1.

The deployercannotshare functionality with any other Splunk Enterprise instance, including thelicense master, themaster node, or themonitoring console2.

However, thesearch head cluster memberscan share functionality with themaster nodeand themonitoring console, as long as they are not designated as thecaptainof the cluster3.

Therefore, the correct answer is B. License master, as it is the only instance that cannot share functionality with the deployer under any circumstances.

Answer : C

According to the Splunk documentation1, when migrating an indexer cluster from single-site to multi-site, you must remove the existing single-site attributes from the server.conf file of each peer node. These attributes include replication_factor, search_factor, and cluster_label. You must also restart each peer node after removing the attributes. The other options are false because:

Multi-site policies will apply only to the data created after migration, unless you configure the manager node to convert legacy buckets to multi-site1.

All peer nodes do not need to run the same version of Splunk, as long as they are compatible with the manager node2.

Single-site buckets can be converted to multi-site buckets by changing the constrain_singlesite_buckets setting in the manager node's server.conf file to 'false'1.