This page collects the key facts you need to know for the SPLK-2002 (Splunk Enterprise Certified Architect) exam and a set of recent practice questions with answers and references.
Showcase your understanding of best practices and the ability to deploy, manage and troubleshoot complex Splunk Enterprise environments.
Establish a thorough understanding of Splunk Deployment Methodology and best practices for planning, data collection and sizing a distributed deployment. Manage and troubleshoot standard deployments with indexer and search head clustering.
Level: Expert
Prerequisite certification:
Splunk Core Certified Power User
Splunk Enterprise Certified Admin
Prerequisite coursework:
Architecting Splunk Enterprise Deployments
Troubleshooting Splunk Enterprise
Splunk Cluster Administration
Splunk Enterprise Deployment Practical Lab
Length: 90 minutes
Format: 85 multiple choice questions
Pricing: $130 USD per exam attempt
Delivery: Exam is given by our testing partner Pearson VUE
Review exam requirements and recommendations on the Splunk Enterprise Certified Architect track flowchart.
Test your knowledge with sample questions in the Splunk Certification Exams Study Guide.
Discover what to expect on the exam via the test blueprint.
Get step-by-step registration assistance with the Exam Registration Tutorial.
Question 1:
In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?
A. SPLUNK_HOME/var/lib/searchpeers
B. SPLUNK_HOME/var/log/searchpeers
C. SPLUNK_HOME/var/run/searchpeers
D. SPLUNK_HOME/var/spool/searchpeers
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/Whatsearchheadssend
Question 2:
Which of the following is an indexer clustering requirement?
A. Must use shared storage.
B. Must reside on a dedicated rack.
C. Must have at least three members.
D. Must share the same license pool.
Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Distdeploylicenses
Question 3:
Which Splunk Enterprise offering has its own license?
A. Splunk Cloud Forwarder
B. Splunk Heavy Forwarder
C. Splunk Universal Forwarder
D. Splunk Forwarder Management
Correct Answer: C
Reference: https://docs.splunk.com/Splexicon:Forwardinglicense
Question 4:
Which command will permanently decommission a peer node operating in an indexer cluster?
A. splunk stop -f
B. splunk offline -f
C. splunk offline --enforce-counts
D. splunk decommission --enforce counts
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Takeapeeroffline
Question 5:
Indexing is slow and real-time search results are delayed in a Splunk environment with two indexers and one search head. There is ample CPU and memory available on the indexers. Which of the following is most likely to improve indexing performance?
A. Increase the maximum number of hot buckets in indexes.conf
B. Increase the number of parallel ingestion pipelines in server.conf
C. Decrease the maximum size of the search pipelines in limits.conf
D. Decrease the maximum concurrent scheduled searches in limits.conf
Correct Answer: B
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Pipelinesets
Question 6:
In a four-site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?
A. site_search_factor = origin:2, site1:2, total:4
B. site_search_factor = origin:2, site2:1, total:4
C. site_replication_factor = origin:2, site1:2, total:4
D. site_replication_factor = origin:2, site2:1, total:4
Correct Answer: B
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Sitesearchfactor
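The distinction in Question 6 is that site_replication_factor counts copies and site_search_factor counts searchable copies, and the two strings must be consistent with each other and with the number of sites. The following checker is an added example written for this page (it is not Splunk code and not part of the exam material). It encodes the constraints as the editor reads them from the Splunk documentation: the documented origin/siteN/total syntax; a total that covers the origin requirement plus every explicit site for whichever site happens to originate the data (where the origin site also has an explicit value, the larger applies); and no search-factor value larger than its replication-factor counterpart, since searchable copies are a subset of copies. The site names and factor strings are constructed inputs.

```python
"""Sanity-check multisite site_replication_factor / site_search_factor strings.

Added example; the rules below are the editor's reading of the Splunk docs
(Sitereplicationfactor and Sitesearchfactor pages), not Splunk's own code.
"""
import re
from typing import Dict, List, Tuple

_ELEMENT_RE = re.compile(r"^\s*(origin|total|site\d+)\s*:\s*(\d+)\s*$")


def parse_factor(value: str) -> Tuple[int, Dict[str, int], int]:
    """Parse 'origin:2, site2:1, total:4' into (2, {'site2': 1}, 4)."""
    origin = total = None
    explicit: Dict[str, int] = {}
    for element in value.split(","):
        match = _ELEMENT_RE.match(element)
        if not match:
            raise ValueError(f"malformed element {element.strip()!r}")
        key, count = match.group(1), int(match.group(2))
        if key == "origin":
            origin = count
        elif key == "total":
            total = count
        else:
            explicit[key] = count
    if origin is None or total is None:
        raise ValueError("both origin:<n> and total:<n> are required")
    return origin, explicit, total


def minimum_total(origin: int, explicit: Dict[str, int], all_sites: List[str]) -> int:
    """Smallest 'total' that satisfies origin plus every explicit site, taking the
    worst case over which site originates the data (assumption: when the origin
    site also has an explicit value, the larger of the two applies there)."""
    worst = 0
    for candidate in all_sites:
        need = max(origin, explicit.get(candidate, 0))
        need += sum(n for site, n in explicit.items() if site != candidate)
        worst = max(worst, need)
    return worst


def check_site_factors(replication: str, search: str, all_sites: List[str]) -> List[str]:
    """Return the problems found; an empty list means the pair looks consistent."""
    problems: List[str] = []
    r_origin, r_sites, r_total = parse_factor(replication)
    s_origin, s_sites, s_total = parse_factor(search)

    for name, origin, explicit, total in (
        ("site_replication_factor", r_origin, r_sites, r_total),
        ("site_search_factor", s_origin, s_sites, s_total),
    ):
        for site in explicit:
            if site not in all_sites:
                problems.append(f"{name}: {site} is not a site in this cluster")
        need = minimum_total(origin, explicit, all_sites)
        if total < need:
            problems.append(f"{name}: total:{total} is too small, need at least {need}")

    # Searchable copies are drawn from the replicated copies, so no search
    # value may exceed its replication counterpart.
    if s_origin > r_origin:
        problems.append(f"site_search_factor: origin:{s_origin} exceeds replication origin:{r_origin}")
    if s_total > r_total:
        problems.append(f"site_search_factor: total:{s_total} exceeds replication total:{r_total}")
    for site, count in s_sites.items():
        if site in r_sites and count > r_sites[site]:
            problems.append(f"site_search_factor: {site}:{count} exceeds replication {site}:{r_sites[site]}")
    return problems


if __name__ == "__main__":
    four_sites = ["site1", "site2", "site3", "site4"]  # constructed cluster layout
    # Question 6's search factor paired with an identical replication factor.
    print(check_site_factors("origin:2, site2:1, total:4",
                             "origin:2, site2:1, total:4", four_sites))
    # More searchable copies than copies is impossible and gets flagged.
    print(check_site_factors("origin:2, site2:1, total:4",
                             "origin:2, site2:1, total:5", four_sites))
```

Run it against the values you intend to put in the manager node's server.conf before restarting the cluster; the manager rejects an inconsistent pair, but catching it in a review step is cheaper than a failed restart.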
Question 7:
Which of the following is a best practice to maximize indexing performance?
A. Use automatic sourcetyping.
B. Use the Splunk default settings.
C. Not use pre-trained source types.
D. Minimize configuration generality.
Correct Answer: D
Question 8:
In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)
A. Use the Monitoring Console.
B. Use the Search Head Clustering settings menu from Splunk Web on any member.
C. Run the splunk transfer shcluster-captain command from the current captain.
D. Run the splunk transfer shcluster-captain command from the member you would like to become the captain.
Correct Answer: BD
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Transfercaptain
Question 9:
Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)
A. Use TCP syslog.
B. Configure UDP inputs on each Splunk indexer to receive data directly.
C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.
D. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.
Correct Answer: CD
Question 10:
Which of the following commands is used to clear the KV store?
A. splunk clean kvstore
B. splunk clear kvstore
C. splunk delete kvstore
D. splunk reinitialize kvstore
Correct Answer: A
Reference: https://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html
Question 11:
Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?
A. Data encryption between Splunk Web and splunkd.
B. Certificate authentication between forwarders and indexers.
C. Certificate authentication between Splunk Web and search head.
D. Data encryption for distributed search between search heads and indexers.
Correct Answer: B
Question 12:
Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?
A. Setting the cluster search factor to N-1.
B. Increasing the number of buckets per index.
C. Decreasing the data model acceleration range.
D. Setting the cluster replication factor to N-1.
Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements
Question 13:
Before users can use a KV store, an admin must create a collection. Where is a collection defined?
A. kvstore.conf
B. collection.conf
C. collections.conf
D. kvcollections.conf
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/DefineaKVStorelookupinSplunkWeb
Question 14:
Configurations from the deployer are merged into which location on the search head cluster member?
A. SPLUNK_HOME/etc/system/local
B. SPLUNK_HOME/etc/apps/APP_HOME/local
C. SPLUNK_HOME/etc/apps/search/default
D. SPLUNK_HOME/etc/apps/APP_HOME/default
Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/PropagateSHCconfigurationchanges
Question 15:
How often a deployment client contacts the deployment server is controlled by what?
A. polling_interval attribute in outputs.conf
B. phoneHomeIntervalInSecs attribute in outputs.conf
C. polling_interval attribute in deploymentclient.conf
D. phoneHomeIntervalInSecs attribute in deploymentclient.conf
Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Deploymentclientconf
The SPLK-2002 exam material contains the 90 latest exam questions and answers. Download the complete set from https://www.leads4pass.com/splk-2002.html to prepare for the Splunk Enterprise Certified Architect exam.