Which of the following statements are true regarding multisite indexer clusters?
A. Each site has its own set of peer nodes, but they all use the same search heads
B. Each site also obeys site-specific replication and search factor rules
C. The cluster administrator defines the "sites"
D. B&C
E. All of the above
F. None of the above
D
_________ controls and manages index replication, and distributes apps and configurations to the peer nodes.
A. Deployment Server
B. Deployer Server
C. Master Node
D. Peer Nodes
C
Peer nodes index data from inputs/forwarders and replicate data to other peer nodes as instructed by the deployment server.
True or False?
False: replication is directed by the master node, not the deployment server.
Multisite clusters offer two key benefits: Disaster Recovery and Search Affinity.
True or False?
True
There can be only one Master Node, even in a multisite cluster.
True or False?
True
Which of the following are true statements about how a master node manages an index cluster?
A. Coordinates the replicating activities of the peer nodes
B. Tells search heads where to find the data
C. Orchestrates remedial activities if a peer becomes unavailable
D. B&C
E. All of the above
E
The cluster will continue to operate while the Master Node is offline.
True or False?
True: peers keep indexing and searches keep running, but there is no bucket fixup or new replication-target assignment until the master comes back.
Which of the following are true statements regarding Replication Factor (RF)? (Select all that apply)
A. Specifies how many copies will be searchable
B. Specifies how many total copies of rawdata the cluster can maintain
C. Sets the total failure tolerance level
D. Determines how quickly you can recover the search capability
B C
Which of the following are true statements regarding Search Factor (SF)? (Select all that apply)
A. Specifies how many copies will be searchable
B. Specifies how many total copies of rawdata the cluster can maintain
C. Sets the total failure tolerance level
D. Determines how quickly you can recover the search capability
A D
For indexer clustering, multisite mode requires at least __ peer nodes per site.
A. 3
B. 2
C. 4
D. 1
B
For indexer clustering, best practice for a single-site mode is to have at least _______ nodes as a minimum.
A. RF+1
B. RF+2
C. SF+1
D. SF+2
A
Regarding Remote Storage/SmartStore, hot buckets and warm buckets are stored remotely and retrieved using the cache manager.
True or False?
False: hot buckets stay on local storage; warm (and cold) buckets live in the remote object store, and the cache manager fetches them back to the local cache when a search needs them.
Regarding SmartStore and index clustering, the indexer cluster can recover all of its warm bucket data even when the number of failed nodes equals or exceeds the replication factor.
True or False?
True
All search heads in a cluster must have matching hardware specs.
True or False?
True
You can run the same searches, view the same dashboards and access the same search results from any search head in a cluster.
True or False?
True
For Search Head clustering, the requirements include at least ___ search heads and a _________.
A. 2, deployment server
B. 3, deployment server
C. 2, deployer
D. 3, deployer
D - 3, deployer
Regarding Search Head clustering, the sizing guidelines for a ________ state that it must have sufficient CPU and network resources to service requests and to push configurations.
A. Search head
B. Deployment server
C. Deployer server
D. None of the above
C
For Search Head clustering, the summary indexes must be forwarded to the indexer tier.
True or False?
True
What are two ways to send/move data to other systems via Splunk?
(Select all that apply)
A. TCP
B. Email
C. Copy/Paste
D. Scheduled Searches
E. All of the above
A D
When forwarding data to other systems via TCP, Splunk is unable to send raw text or syslog.
True or False?
False - TCP sends raw text and syslog data
Hadoop searches only work in _________ installs.
A. Windows
B. DOS
C. Town OS by Fujitsu
D. Linux
D
Splunk Analytics for Hadoop requires at least 2 Search Heads to access both Splunk index and HDFS.
True or False?
False: it accesses both Splunk indexes and HDFS from a single SH.
Search Extensibility includes:
(Select all that apply)
A. Indexers
B. Custom Search commands
C. Workflow Actions
D. Custom Navigation
E. Universal Forwarders
F. Scripted lookups
B C D F
The benefits of deferred processing on raw events until search time include:
A. increase in indexing speed
B. original data is persisted
C. parsing problems require reloading
D. system is resilient to change
A B D
What types of indexes can be created in Splunk?
A. Internal Indexes
B. Metrics Indexes
C. Events Indexes
D. Cluster Indexes
B C
An efficient data structure that provides 100% certainty that a search term is not in a bucket.
A. Meta filters
B. Bloom filters
C. Bloom index
D. Inverted index
B
What data structure maps keywords to their locations in the rawdata.
A. Index filter
B. Bloom index
C. Meta index
D. Inverted index
D
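The two per-bucket structures the last two cards describe, as an added example that is not Splunk's implementation (Splunk's bloomfilter and tsidx file formats differ): a Bloom filter that can only answer "definitely not here" or "maybe here", and an inverted index mapping each keyword to the offsets of the events that contain it. The hash construction, the filter size, the bucket names and the sample events are constructed for illustration.

```python
"""Per-bucket Bloom filter plus keyword -> location inverted index.

Added example, not Splunk code. Hash scheme, sizes and events are constructed.
"""
import hashlib
import re
from collections import defaultdict


class BloomFilter:
    """Set-membership sketch: "no" is always correct, "yes" may be a false positive."""

    def __init__(self, size_bits=4096, hashes=3):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, term):
        # k bit positions derived from SHA-256 of a salted term (constructed scheme)
        for salt in range(self.k):
            digest = hashlib.sha256(f"{salt}:{term}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, term):
        for p in self._positions(term):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, term):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(term))


def tokenize(event):
    """Lower-cased keyword tokens; index terms are case-insensitive by default."""
    return set(re.findall(r"[a-z0-9_.@-]+", event.lower()))


class Bucket:
    """rawdata (the events), a tsidx-like inverted index and a bloom filter."""

    def __init__(self, name, events):
        self.name = name
        self.rawdata = list(events)
        self.bloom = BloomFilter()
        self.tsidx = defaultdict(list)  # term -> offsets into rawdata
        for offset, event in enumerate(self.rawdata):
            for term in tokenize(event):
                self.bloom.add(term)
                self.tsidx[term].append(offset)

    def search(self, term):
        """Return (events, touched_tsidx). touched_tsidx is False when the bloom
        filter let the bucket be skipped without reading its index at all."""
        term = term.lower()
        if not self.bloom.might_contain(term):
            return [], False
        # A bloom false positive lands here and simply finds no offsets.
        return [self.rawdata[i] for i in self.tsidx.get(term, [])], True


def search_buckets(buckets, term):
    """Search every bucket and count how many the bloom filter let us skip."""
    hits, skipped = [], 0
    for bucket in buckets:
        events, touched = bucket.search(term)
        hits.extend(events)
        skipped += not touched
    return hits, skipped


# Constructed sample events (not real log data).
BUCKETS = [
    Bucket("db_1", [
        "Jan 10 10:00:00 fw1 kernel: DROP SRC=10.0.0.5 DST=10.0.0.9 DPT=22",
        "Jan 10 10:00:01 fw1 kernel: ACCEPT SRC=10.0.0.6 DST=10.0.0.9 DPT=443",
    ]),
    Bucket("db_2", [
        "Jan 10 11:00:00 web1 sshd[2211]: Failed password for root from 10.0.0.5",
        "Jan 10 11:00:02 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.7",
    ]),
]

if __name__ == "__main__":
    for term in ("10.0.0.5", "DROP", "sshd", "nosuchterm"):
        hits, skipped = search_buckets(BUCKETS, term)
        print(f"{term}: {len(hits)} hit(s), {skipped} bucket(s) skipped by bloom filter")
```

Every term present in an event is guaranteed to pass `might_contain`, which is the "100% certainty it is not there" property: a search only pays for reading a bucket's index when the filter cannot rule it out.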
To save disk space and reduce bucket size you can enable tsidx reduction by setting attribute timePeriodInSecBeforeTsidxReduction in:
A. indexes.conf
B. props.conf
C. limits.conf
D. metrics.conf
A
To estimate Indexing input volume and data capacity utilize the following metrics:
(Select all that apply)
A. Verify raw log sizes
B. Daily, peak, retained and future volume
C. Total number of data sources
D. Total number of hosts
A B C D
Syslog data is estimated to be 50% of its original size after compression, divided between the index files in the following ratio:
A. rawdata 35%, tsidx 15%
B. rawdata 15%, tsidx 35%
C. rawdata 40%, tsidx 10%
D. rawdata 10%, tsidx 40%
B
Splunk apps are often chosen based on:
A. Devices or technologies in the production environment
B. Use cases
C. Inputs
D. Cost
A B C
All retention settings apply on a per-index basis and all data sources within an index should have the same retention.
True or False?
True
In order to improve performance, high-volume data sources should be paired with a low-volume data source index.
True or False?
False: create a separate index for high-volume data source
Use a Heavy Forwarder when:
A. Advanced event level routing is needed
B. Filtering more than 80% of incoming events
C. Anonymizing or masking data before forwarding to indexer
D. UI is needed
E. Predictable version of Python needed
F. Required by an app/modular input (HEC, DBX, Checkpoint OPSEC LEA)
G. B & C
H. All of the above
H. All of the above
Forwarders automatically load balance over available indexers.
True or False?
True: AutoLB is enabled by default in Splunk 6.6 and newer. For Splunk 6.5 and older, set forceTimebasedAutoLB = true in outputs.conf, or set EVENT_BREAKER_ENABLE = true and EVENT_BREAKER = <regex> in the sourcetype stanza of props.conf on the forwarder.
What is the default throughput setting for a UF? How do you evaluate the value? Name the .conf file that should be used in order to increase the value for high velocity sources.
A. 256KBps, value=ratio of forwarders to indexers, server.conf
B. 512KBps, value = ratio of indexers to forwarders, limits.conf
C. 256KBps, value=ratio of forwarders to indexers, limits.conf
D. 512KBps, value=ratio of forwarders to indexers, server.conf
C
You should store configurations in $SPLUNK_HOME /etc/system/local on deployment clients.
True or False?
False: you should NOT store .conf files in etc/system/local, because system-level configurations on clients take precedence and cannot be overridden by apps pushed from the Deployment Server.
You should build an install script/package for clients with only the files needed to contact the DS (basic installation + deploymentclient.conf), as clients will get the rest of the configuration information from the DS.
True or False?
True
Deployer supports both push and pull: it pushes apps to SH cluster members, and new or restarted members poll it for updates.
True or False?
True
You can use the deployment server to directly distribute apps to peer nodes or SHC members.
True or False?
False , Deployment Server is used to push apps to forwarders. Deployer is used to push apps to SHC cluster members.
Use Health Check for a high-level summary of your system's performance.
True or False?
True
For performance monitoring and tuning your splunk environment, you can improve performance by using limits.conf
True or False?
True, for example: if you have unused CPU and memory, allow more concurrent search pipelines with batch_search_max_pipeline = 2 in the [search] stanza of limits.conf.
Some best practices for Bucket Limit Size are:
A. Having small buckets & Having many buckets within the index cluster
B. Increase bucket size from 750MB to 10GB
C. Keep the # of buckets (source and replicas) under tested limits when using IDX clustering
D. B&C
E. None of the above
D. B&C: small buckets can be better for search, but a large number of them is a challenge for IDX clustering.
Increase the bucket size limit (maxDataSize = auto_high_volume, i.e. 10GB) on high-volume indexes to prevent bucket explosion.
If the punct field is being used, set annotate_punct = false in props.conf.
True or False?
False , DO NOT set the annotate_punct = false.
If this is disabled, the punct field will no longer be available.
Understand the use cases before turning off the punct field.
LINE_BREAKER in props.conf goes hand-in-hand with SHOULD_LINEMERGE.
True or False?
True: when you define LINE_BREAKER you normally also set SHOULD_LINEMERGE = false, otherwise line merging re-joins the events the breaker produced.
TZ in props.conf will automatically include the timezone of the UF.
True or False?
True: a UF sends its own timezone along with the data. If you are not using a UF, set TZ in props.conf for that source so timestamps are interpreted and displayed correctly.
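The props.conf and indexes.conf settings from the last few cards (bucket size, tsidx reduction, annotate_punct, LINE_BREAKER with SHOULD_LINEMERGE, an explicit TZ), checked by a small linter and followed by a demonstration of what a LINE_BREAKER regex actually does to a raw stream. This is an added example, not Splunk code and not part of the original card set. The two conf snippets and the syslog stream are constructed; the index names (firewall, firewall_fixed), the sourcetypes (fw:syslog, fw:syslog_fixed) and the set of "high volume" indexes are assumptions.

```python
"""Lint constructed props.conf / indexes.conf text and show LINE_BREAKER semantics.

Added example, not Splunk code. Stanza names and sample data are assumptions.
"""
import configparser
import re

# indexes.conf default for timePeriodInSecBeforeTsidxReduction (7 days)
DEFAULT_TSIDX_REDUCTION_DELAY = 604800

# Constructed indexes.conf: a weak stanza and one that follows the page's advice.
INDEXES_CONF = r"""
[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxDataSize = auto
enableTsidxReduction = true

[firewall_fixed]
homePath = $SPLUNK_DB/firewall_fixed/db
coldPath = $SPLUNK_DB/firewall_fixed/colddb
thawedPath = $SPLUNK_DB/firewall_fixed/thaweddb
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 7776000
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 604800
"""

# Constructed props.conf: the first stanza relies on line merging and drops punct.
PROPS_CONF = r"""
[fw:syslog]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true
annotate_punct = false

[fw:syslog_fixed]
LINE_BREAKER = ([\r\n]+)(?=<\d+>)
SHOULD_LINEMERGE = false
# set explicitly because this source does not arrive through a UF (assumption)
TZ = UTC
"""


def parse_conf(text):
    """Splunk .conf files are ini-like; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_indexes(indexes, high_volume):
    """Return (stanza, message) findings for indexes.conf stanzas."""
    findings = []
    for name, st in indexes.items():
        if name in high_volume and st.get("maxDataSize", "auto") == "auto":
            findings.append((name, "maxDataSize=auto gives 750MB buckets; use "
                                   "auto_high_volume (10GB) to avoid bucket explosion"))
        if (st.get("enableTsidxReduction", "false").lower() == "true"
                and "timePeriodInSecBeforeTsidxReduction" not in st):
            findings.append((name, "tsidx reduction enabled but the delay is left at the "
                                   f"default {DEFAULT_TSIDX_REDUCTION_DELAY}s; set it deliberately"))
    return findings


def lint_props(props):
    """Return (stanza, message) findings for props.conf stanzas."""
    findings = []
    for name, st in props.items():
        if st.get("annotate_punct", "true").lower() == "false":
            findings.append((name, "annotate_punct=false removes the punct field; "
                                   "confirm no search or app depends on it"))
        breaker = st.get("LINE_BREAKER")
        if breaker is not None:
            if re.compile(breaker).groups < 1:
                findings.append((name, "LINE_BREAKER must contain a capturing group"))
            if st.get("SHOULD_LINEMERGE", "true").lower() != "false":
                findings.append((name, "LINE_BREAKER set but SHOULD_LINEMERGE is not false; "
                                       "line merging will re-join the events it produces"))
    return findings


def break_events(raw, line_breaker):
    """LINE_BREAKER semantics: the previous event ends where capture group 1
    starts, the next event starts where group 1 ends, and the text of group 1
    is discarded. Regex text outside group 1 stays in the event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]


# Constructed raw stream: the second message carries a continuation line.
SAMPLE_STREAM = (
    "<134>Jan 10 12:00:01 fw1 kernel: DROP SRC=10.0.0.5 DST=10.0.0.9\n"
    "<134>Jan 10 12:00:02 fw1 kernel: ACCEPT SRC=10.0.0.6 DST=10.0.0.9\n"
    "    continuation line that belongs to the second event\n"
    "<134>Jan 10 12:00:03 fw1 kernel: DROP SRC=10.0.0.7 DST=10.0.0.9"
)

if __name__ == "__main__":
    indexes, props = parse_conf(INDEXES_CONF), parse_conf(PROPS_CONF)
    for stanza, msg in lint_indexes(indexes, {"firewall", "firewall_fixed"}) + lint_props(props):
        print(f"[{stanza}] {msg}")
    for stanza in ("fw:syslog", "fw:syslog_fixed"):
        events = break_events(SAMPLE_STREAM, props[stanza]["LINE_BREAKER"])
        print(f"{stanza}: {len(events)} events before line merging")
```

With the default breaker the continuation line becomes its own event and the weak stanza depends on SHOULD_LINEMERGE to glue it back; the lookahead breaker `([\r\n]+)(?=<\d+>)` only breaks where a new syslog priority tag follows, so line merging can be switched off.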
For improved search performance:
(Select all that apply)
A. Make sure the disk I/O is good. Increase CPU h/w only if needed
B. Add additional search peers (indexers)
C. Analyze the resource consumption on both the indexer and search tier to diagnose slow searches
D. Rebalance buckets (only available in indexer clustering)
E. B & D
F. All of the above
F
If an app contains large files that do not need to be shared with the indexers, then you can blacklist large lookup files.
True or False?
True: list them under [replicationBlacklist] in distsearch.conf so they are left out of the knowledge bundle sent to the search peers.
Basic sizing considerations of your Splunk deployment should include:
(Select all that apply)
A. Amount of incoming and stored data.
B. Number of concurrent users.
C. Types of searches.
D. Number of scheduled searches
E. Acceleration
F. Specific Splunk apps
G. The disk write speed of hard drives.
A B C D E F
To get the most IOPS choose hard drives with:
A. Data acceleration capability.
B. High rotational speeds.
C. Preinstalled indexes.
D. Low average latency and seek times.
B D
The most suitable choice for hot and warm bucket storage is SAN and NAS disks.
True or False?
False: Suitable for cold buckets (colddb)
The foundation for a solid Splunk deployment include:
A. A high latency network.
B. NTP for time synchronization.
C. Turning on Transparent Huge Pages (THP)
D. Decreasing Linux ulimit settings.
B. NTP for time synchronization.
Also: solid DNS, a low-latency network, THP turned off, and increased ulimit settings.
The minimum hardware requirements for an Indexer are 12 CPU cores at 2+ GHz and 12GB RAM.
True or False?
True
Additional Components - Sizing
License Master - CPU ____, Memory ____, Disk ____, Network ____
Deployment Server - CPU ____, Memory ____, Disk ____, Network ____
Master Node - CPU ____, Memory ____, Disk ____, Network ____
Deployer - CPU ____, Memory ____, Disk ____, Network ____
(CPU/Memory/Disk: low, med or high; Network: 256kbps, 512kbps or 1Gb)
License Master - CPU low, Memory low, Disk low, Network 1Gb
Deployment Server - CPU med, Memory med, Disk low, Network 1Gb
Master Node - CPU med, Memory med, Disk low, Network 1Gb
Deployer - CPU low, Memory low, Disk low, Network 1Gb
ES considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH
C. SH Cluster
D. 12 CPU / 16GB RAM
E. 16 CPU / 32GB RAM
F. One indexer per 500GB
G. One indexer per 100GB
B, C, E, G
ITSI considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH / SH Cluster - optional
C. Dedicated SH / SH Cluster - Required
D. SH's 8 CPU / 8GB RAM
E. SH's 12 CPU / 12GB RAM
F. Indexers 12 CPU / 12GB RAM
G. Indexers 16/32 CPU physical/logical / 32GB RAM
B, E, G
HTTPS transport is not available end-to-end
True or False?
False - It IS available end-to-end
It is available, with your own certificates, for distributed search, forwarder-to-indexer TCP traffic, and browser access to Splunk Web.
HTTPS transport is enabled by default between SH & Indexer in Distributed Search.
True or False?
True: the management port uses SSL by default, but with Splunk's default certificates and no certificate validation; replace the certificates and turn on validation for production.
You shouldn't use Indexer Acknowledgement as a best practice.
True or False?
False: use it (useACK = true in the forwarder's outputs.conf) so a forwarder resends data the indexer never confirmed.
Index Splunk's own configs and logs to track changes.
True or False?
True
The types of searches that can be invoked against data stored in Splunk include:
(Select all that apply)
A. Sparse
B. Super-sparse
C. Dense
D. Rare
A B C D
To scale capacity, increase daily indexing volume and speed up searches add additional auto load balanced forwarders.
True or False?
False: add indexers to scale. With multiple indexers, use the built-in forwarder load balancing and distributed search; when in doubt, add another commodity indexer.
If indexer hardware is being underutilized you can configure multiple pipeline sets in server.conf by increasing the parallelIngestionPipelines attribute.
True or False?
True
Disk storage is primarily determined by the following factors:
(Select all that apply)
A. Size of all indexes.
B. OS and configuration files.
C. Indexer clustering replication.
D. Summarization & Acceleration.
A B C D
The minimum hardware requirements for a Search Head are 16 CPU cores at 2+ GHz, 12GB RAM and 2 x 300GB, 8,000 RPM SAS hard disks in RAID 1 configuration.
True or False?
False: 10,000 RPM SAS HDs
The recommendation for a Splunk environment with 22 concurrent users, ingesting 1.5 TB of data a day would be:
A. 1 SH, 8 indexers
B. 2 SH, 12 Indexers
C. 3 SH, 21 Indexers
D. 4 SH, 4 Indexers
B
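The storage, failure-tolerance and forwarder-throughput arithmetic behind the sizing cards above (RF/SF semantics, the syslog 15% rawdata / 35% tsidx split, RF+1 peers for single-site, 2 peers per site for multisite, the 256 KBps UF default), as an added example that is not a Splunk tool and not from the original card set. The 15%/35% ratios are the page's syslog estimates and vary by data type; the daily volume and indexer count come from the card just above, and the retention, RF and SF values are assumptions.

```python
"""Cluster storage, failure tolerance and UF throughput sizing.

Added example, not Splunk code. Ratios are the page's syslog estimates;
retention, RF and SF defaults below are assumptions.
"""

RAWDATA_RATIO = 0.15       # compressed rawdata as a fraction of original syslog volume
TSIDX_RATIO = 0.35         # index (tsidx) files as a fraction of original syslog volume
UF_DEFAULT_MAX_KBPS = 256  # limits.conf [thruput] maxKBps default on a universal forwarder


def check_factors(rf, sf):
    """Splunk requires 1 <= SF <= RF; refuse to size a cluster that cannot exist."""
    if rf < 1 or sf < 1 or sf > rf:
        raise ValueError(f"need 1 <= SF <= RF, got RF={rf} SF={sf}")


def standalone_storage_gb(daily_gb, retention_days):
    """Single indexer: one rawdata copy plus one tsidx copy (about 50% of original)."""
    return daily_gb * retention_days * (RAWDATA_RATIO + TSIDX_RATIO)


def clustered_storage_gb(daily_gb, retention_days, rf, sf):
    """Cluster total: every replica carries rawdata (RF copies) but only
    searchable replicas carry tsidx (SF copies)."""
    check_factors(rf, sf)
    return daily_gb * retention_days * (RAWDATA_RATIO * rf + TSIDX_RATIO * sf)


def per_indexer_storage_gb(total_gb, indexers):
    """Even spread across peers (rebalancing keeps it roughly so)."""
    return total_gb / indexers


def failure_tolerance(rf, sf):
    """RF sets how many peers can be lost without losing data; SF sets how many
    can be lost while everything stays searchable without rebuilding tsidx."""
    check_factors(rf, sf)
    return {"peers_lost_keeping_all_data": rf - 1,
            "peers_lost_keeping_all_searchable": sf - 1}


def minimum_peers_single_site(rf):
    """Page's best practice: at least RF+1 peers so a failed peer can be replaced."""
    return rf + 1


def minimum_peers_multisite(sites, peers_per_site=2):
    """Page's rule: at least 2 peer nodes per site."""
    return sites * peers_per_site


def uf_daily_capacity_gb(max_kbps=UF_DEFAULT_MAX_KBPS):
    """How much one forwarder can ship in 24h at a sustained maxKBps (KB = 1024 bytes)."""
    return max_kbps * 86400 / 1024 / 1024


def required_max_kbps(daily_gb, peak_multiplier=1.0):
    """maxKBps a source needs; raise it in limits.conf [thruput] on the UF when
    this exceeds the 256 KBps default (peak_multiplier covers bursty sources)."""
    return daily_gb * 1024 * 1024 / 86400 * peak_multiplier


def size_plan(daily_gb=1500, retention_days=90, rf=3, sf=2, indexers=12):
    """Worked plan for the 1.5 TB/day, 12-indexer environment on the card above."""
    total = clustered_storage_gb(daily_gb, retention_days, rf, sf)
    return {
        "standalone_gb": standalone_storage_gb(daily_gb, retention_days),
        "cluster_total_gb": total,
        "per_indexer_gb": per_indexer_storage_gb(total, indexers),
        "tolerance": failure_tolerance(rf, sf),
        "min_peers_single_site": minimum_peers_single_site(rf),
        "uf_default_daily_gb": uf_daily_capacity_gb(),
    }


if __name__ == "__main__":
    for key, value in size_plan().items():
        print(f"{key}: {value}")
```

The clustered total is not simply RF times the standalone number: raising SF is what costs the expensive tsidx copies, which is why the cards separate "how many copies exist" (RF) from "how many are searchable" (SF). The UF figure shows that a single host emitting more than roughly 21 GB/day cannot keep up at the default maxKBps.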
You can virtualize any Splunk instance if you meet the minimum resource requirements however you should expect virtualization to reduce performance by 10-15%.
True or False?
True
The distributed Monitoring Console should run on a dedicated server that follows the reference guidelines for search heads and is never used as a production search head.
True or False?
True
By default, report accelerations can use an unlimited amount of space and are available to both the power user and user roles.
True or False?
True
The amount of space that a data model acceleration takes up on disk is related to:
A. The number of events you are collecting.
B. The summary range you have chosen.
C. The sized-based retention attribute set in indexes.conf.
D. The last time the acceleration was accessed.
A B C
Which role is responsible in facilitating discussions and documentation to obtain funding for potential infrastructure expansion?
A. Admin
B. Program Manager
C. Architect & Admin
D. Architect
B
The Admin role is responsible for Capacity Planning.
True or False?
False: Architect
Which role is needed for deploying Splunk to new environments?
A. Admin
B. Architect & Admin
C. Program Manager
D. Architect
D
Select the role(s) that is responsible for the management of Splunk Deployments:
A. Architect
B. Admin
C. Architect & Admin
D. All the Above
D
The Splunk Deployment Problem Management responsibility belongs to this role:
A. Architect
B. Admin
C. Program Manager
D. Architect & Admin
B
The responsible party during the implementation of High Availability/Disaster Recovery is:
A. Architect
B. Admin
C. Program Manager
D. Architect & Admin
A
The ____ role documents installation steps, support procedures, backup and recovery, etc.
A. Architect
B. Admin
C. Program Manager
D. Architect & Admin
A
The ______ works with prospective Splunk teams or users to discuss problems and business domains in identifying the opportunity to utilize Splunk.
A. Architect
B. Admin
C. Program Manager
D. Architect & Admin
A
The Deployment Scaling plan creates a solid foundation for:
A. Scaling deployments as they evolve
B. Automating SPL search
C. Creating realtime Dashboards
D. Implementing large enterprise deployments
A D
Select what should be included in a deployment plan:
(Select all that apply)
A. Deployment Goals
B. User Roles
C. Data Source Inventory and Data Policy Definition
D. Splunk Deployment topology and Current Topology Diagrams
E. Suggested Splunk Apps
F. Education / Training Plan
G. Deployment Schedule
A B C D E F G
During the Splunk Deployment Process of Planning and Building, Splunk Admin Training along with Hardware Procurement is recommended.
True or False?
True
During the Splunk Deployment Process of Data Acquisition, having the Infrastructure Build Complete is required.
True or False?
False: Infrastructure Build Complete is recommended in the Infrastructure phase of the deployment process.
During the Deployment Process of User planning and roll out for Use Case and Staffing, select all of the recommended tasks:
A. Forwarder Allocation
B. Role-based user training
C. Identify data Sources
D. Validate Data Sources
E. Administrator and Architect Tasks
B E
"Identify requirements" is the first step in the Splunk deployment.
True or False?
True
Before architecting a Splunk environment, select all of the raw materials needed at the beginning of the deployment:
A. Goals
B. Users
C. Current Environment
D. Network Collection
E. Expected daily data ingestion
F. Data Sources
G. Host Collection
A B C E F
When architecting a Splunk environment, which of the following describe the current overall IT topology?
(Select all that apply)
A. Location of users
B. Out of Network
C. Number and type of servers
D. Network Zones
E. Data Centers
F. Point-to-Point
A C D E
When obtaining a Network Diagram, a Splunk Architect should verify if there are security restrictions in the DataCenter and Network Zones.
True or False?
True
It is recommended to request information about the network bandwidth among the data centers and network zones.
True or False?
True
List the General Requirements to make note of before Architecting a Splunk Environment:
(Select all that apply)
A. Security Restrictions
B. Regulatory Rules
C. Infrastructure Planning
D. High Availability or Disaster Recovery Plan
A B D
While Architecting a new Environment, what are the recommended actions you should consider during the implementation of Data Sources?
A. Location of Data
B. Data Policy — retention of data
C. Handout
D. Data Source Inventory — amount of data generated
B C D
Splunk Troubleshooting approach includes the following steps: (Select all that apply)
A. Submit a case
B. Clarify the problem
C. Solve the problem
D. Schedule the problem
E. Confirm the problem
A B E
When clarifying the problem, you should define the problem in one single statement and investigate one issue at a time. What are the facts that must be gathered?
(Select all that apply)
A. Environment - Splunk OS and Version
B. Temperature surrounding the DataCenter
C. Baseline - what's working and what's not
D. EXACT Search term and time range
E. What changed?
F. Changes in executive, non-user level of employees
A C D E
What steps are required when confirming the problem?
(Select all that apply)
A. Type of issue - symptoms, common problems
B. Type of person - emotional, smart, non-technical
C. Type of Splunk tools to help diagnose problem
D. Type of Windows to work with DB Connect
E. Type of log channels to diagnose problem
F. Manually verify problem - reproducible or intermittent
A C E F
In Splunk Problem classification, Core items include:
(Select all that apply)
A. Installation
B. Dashboard/Views
C. Crashes
D. Search Peers
E. OS Issues
F. REST API/SDK
A C E F
In Splunk Problem classification, Performance items include: (Select all that apply)
A. Usernames
B. Expectations
C. Tailgating
D. Tuning
E. Search Head Acceleration
B D