A customer has a four site indexer cluster. The customer has requirements to store five copies of searchable data, with one searchable copy of data at the origin site, and one searchable copy at the disaster recovery site (site4).
Which configuration meets these requirements?
Answer : B
The correct configuration to meet the customer's requirements is site_replication_factor = origin:1, site4:1, total:5. This means that each bucket will have one copy at the origin site, one copy at the disaster recovery site (site4), and three copies at any other sites. The total number of copies will be five, as required by the customer. The site_replication_factor determines how many copies of each bucket are stored across the sites in a multisite indexer cluster [1]. The site_search_factor determines how many copies of each bucket are searchable across the sites in a multisite indexer cluster [2]. Therefore, option B is the correct answer, and options A, C, and D are incorrect.
1: Configure the site replication factor
2: Configure the site search factor
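The stanza the answer describes, written out as a server.conf fragment for the cluster manager. This is an added example, not part of the original question or of Splunk's own documentation: the site names, the manager's own site assignment, and the site_search_factor line (set to the same values, since a site's searchable copies cannot exceed its replicated copies) are assumptions.

```ini
# server.conf on the cluster manager (added example; site names and the
# identical site_search_factor are assumptions, not values from the question)
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2,site3,site4
# one copy at the originating site, one at the DR site (site4), five in total;
# the remaining three copies land on any other available sites
site_replication_factor = origin:1, site4:1, total:5
# searchable copies follow the same policy (assumption)
site_search_factor = origin:1, site4:1, total:5
```

After editing the file the manager must be restarted, and the peers and search heads must carry a matching `site` value in their own `[general]` stanza.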
When planning a search head cluster, which of the following is true?
Answer : D
When planning a search head cluster, the following statement is true: All indexers must belong to the underlying indexer cluster (no standalone indexers). A search head cluster is a group of search heads that share configurations, apps, and search jobs. A search head cluster requires an indexer cluster as its data source, meaning that all indexers that provide data to the search head cluster must be members of the same indexer cluster. Standalone indexers, that is, indexers that are not part of an indexer cluster, cannot be used as data sources for a search head cluster. Search heads do not all have to use the same operating system, as long as they are compatible with the Splunk version and the indexer cluster. Search heads do not all have to be members of the cluster, as standalone search heads can also search the indexer cluster, but they will not have the benefits of configuration replication and load balancing. The search head captain does not have to be assigned to the largest search head in the cluster, as the captain is dynamically elected from among the cluster members based on various criteria, such as CPU load, network latency, and search load.
A Splunk deployment is being architected and the customer will be using Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI). Through data onboarding and sizing, it is determined that over 200 discrete KPIs will be tracked by ITSI and 1TB of data per day by ES. What topology ensures a scalable and performant deployment?
Answer : B
The correct topology to ensure a scalable and performant deployment for the customer's use case is two search head clusters, one for ITSI and one for ES. This configuration provides high availability, load balancing, and isolation for each Splunk app. According to the Splunk documentation [1], ITSI and ES should not be installed on the same search head or search head cluster, as they have different requirements and may interfere with each other. Having two separate search head clusters allows each app to have its own dedicated resources and configuration, and avoids potential conflicts and performance issues [1]. The other options are not recommended, as they either have only one search head or search head cluster, which reduces the availability and scalability of the deployment, or they have both ITSI and ES installed on the same search head or search head cluster, which violates the best practices and may cause problems. Therefore, option B is the correct answer, and options A, C, and D are incorrect.
1: Splunk IT Service Intelligence and Splunk Enterprise Security compatibility
Based on the data sizing and retention parameters listed below, which of the following will correctly calculate the index storage required?
* Daily rate = 20 GB / day
* Compress factor = 0.5
* Retention period = 30 days
* Padding = 100 GB
Answer : C
The Splunk Capacity Planning Manual defines the total required storage for indexes as a function of daily ingest rate, compression factor, retention period, and an additional padding buffer for index management and growth.
The formula is:
Storage = (Daily Data * Compression Factor * Retention Days) + Padding
Given the values:
Daily rate = 20 GB
Compression factor = 0.5 (50% reduction)
Retention period = 30 days
Padding = 100 GB
Plugging these into the formula gives:
20 * 0.5 * 30 + 100 = 400 GB
This result represents the estimated storage needed to retain 30 days of compressed indexed data with an additional buffer to accommodate growth and Splunk's bucket management overhead.
Compression factor values typically range between 0.5 and 0.7 for most environments, depending on data type. Using compression in calculations is critical, as indexed data consumes less space than raw input after Splunk's tokenization and compression processes.
Other options either misapply the compression ratio or the order of operations, producing incorrect totals.
Reference (Splunk Enterprise Documentation):
* Capacity Planning for Indexes -- Storage Sizing and Compression Guidelines
* Managing Index Storage and Retention Policies
* Splunk Enterprise Admin Manual -- Understanding Index Bucket Sizes
* Indexing Performance and Storage Optimization Guide
A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?
Answer : B
The splunk add cluster-master command is used to configure the same search head to join another indexer cluster. A search head can search multiple indexer clusters by adding multiple cluster-master entries in its server.conf file. The splunk add cluster-master command adds a new cluster-master entry to server.conf when given the host name and port number of the master node of the other indexer cluster. The splunk add cluster-config command is used to configure the search head to join the first indexer cluster, not the second one. The splunk edit cluster-config command is used to edit the existing cluster configuration of the search head, not to add a new one. The splunk edit cluster-master command does not exist and is not a valid command.
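What the resulting server.conf on the search head looks like once it is a member of two indexer clusters, as an added example rather than text from the original page: each cluster gets its own `[clustermaster:<name>]` stanza and the `[clustering]` stanza lists them all. The stanza names, hostnames, ports and secret placeholders are assumptions.

```ini
# server.conf on the search head (added example; stanza names, hostnames,
# ports and secrets are placeholders, not values from the page)
[clustermaster:east]
master_uri = https://manager-east.example:8089
pass4SymmKey = <cluster-secret-east>
multisite = false

[clustermaster:west]
master_uri = https://manager-west.example:8089
pass4SymmKey = <cluster-secret-west>
multisite = false

[clustering]
mode = searchhead
# comma-separated list of the clustermaster stanzas this search head searches
master_uri = clustermaster:east, clustermaster:west
```

Each `pass4SymmKey` must match the secret configured on that cluster's master node, and a search head that was added to its first cluster with a plain `master_uri = https://...` in `[clustering]` ends up with that entry moved into its own `[clustermaster:...]` stanza when a second cluster is added.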
A customer plans to have 20,000 Splunk-managed forwarders. What is a common step to ensure Splunk forwarder management performance is not impacted?
Answer : D
Splunk Deployment Server documentation clearly states that server class scalability is a primary factor in managing large numbers of forwarders. Each server class contains one or more apps and targets a set of deployment clients. Splunk recommends limiting the number of deployment clients per server class to maintain responsiveness and avoid configuration bottlenecks.
For large environments with tens of thousands of forwarders, Splunk explicitly advises splitting deployment clients across multiple server classes, typically in blocks of several thousand clients per class. This ensures that the Deployment Server can efficiently process configuration bundles, client check-ins, and app updates without delays or timeouts.
Increasing the phone-home interval (option A) may reduce check-in frequency but does not address server class scalability. Workload management (option B) is unrelated to Deployment Server operations. Reducing polling intervals (option C) actually increases load and is discouraged at scale.
Therefore, ensuring that server classes do not exceed approximately 5,000 deployment clients is the correct and recommended approach.
Splunk Deployment Server Manual; Forwarder Management at Scale; Deployment Server Performance Best Practices.
Which Splunk internal index contains license-related events?
Answer : C
The _internal index contains license-related events, such as the license usage, the license quota, the license pool, the license stack, and the license violations. These events are logged by the license manager in the license_usage.log file, which is part of the _internal index. The _audit index contains audit events, such as user actions, configuration changes, and search activity. These events are logged by the audit trail in the audit.log file, which is part of the _audit index. The _license index does not exist in Splunk, as the license-related events are stored in the _internal index. The _introspection index contains platform instrumentation data, such as the resource usage, the disk objects, the search activity, and the data ingestion. This data is logged by the introspection generator in various log files, such as resource_usage.log, disk_objects.log, search_activity.log, and data_ingestion.log, which are part of the _introspection index. For more information, see "About Splunk Enterprise logging" and "About the _internal index" in the Splunk documentation.