Splunk splk-2002 practice test

Splunk Enterprise Certified Architect Exam


Question 1

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage
solution for each deployment. Which of the following statements is accurate about disk storage?

  • A. High performance SAN should never be used.
  • B. Enable NFS for storing hot and warm buckets.
  • C. The recommended RAID setup is RAID 10 (1 + 0).
  • D. Virtualized environments are usually preferred over bare metal for Splunk indexers.
Answer:

C

Discussions

Question 2

Which of the following tasks should the architect perform when building a deployment plan? (Select
all that apply.)

  • A. Use case checklist.
  • B. Install Splunk apps.
  • C. Inventory data sources.
  • D. Review network topology.
Answer:

D

Discussions

Question 3

Which of the following statements describe search head clustering? (Select all that apply.)

  • A. A deployer is required.
  • B. At least three search heads are needed.
  • C. Search heads must meet the high-performance reference server requirements.
  • D. The deployer must have sufficient CPU and network resources to process service requests and push configurations.
Answer:

A,C

Discussions

Question 4

What is the logical first step when starting a deployment plan?

  • A. Inventory the currently deployed logging infrastructure.
  • B. Determine what apps and use cases will be implemented.
  • C. Gather statistics on the expected adoption of Splunk for sizing.
  • D. Collect the initial requirements for the deployment from all stakeholders.
Answer:

D

Discussions

Question 5

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that
apply.)

  • A. Use TCP syslog.
  • B. Configure UDP inputs on each Splunk indexer to receive data directly.
  • C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.
  • D. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.
Answer:

C,D

Discussions

Question 6

When Splunk is installed. where are the internal indexes stored by default?

  • A. SPLUNK_HOME/bin
  • B. SPLUNK_HOME/var/lib
  • C. SPLUNK_HOME/var/run
  • D. SPLUNK_HOME/etc/system/default
Answer:

B

Discussions

Question 7

What is a Splunk Job? (Select all that apply.)

  • A. A user-defined Splunk capability.
  • B. Searches that are subjected to some usage quota.
  • C. A search process kicked off via a report or an alert.
  • D. A child OS process manifested from the splunkd process.
Answer:

A

Discussions

Question 8

What is the default log size for Splunk internal logs?

  • A. 10MB
  • B. 20 MB
  • C. 25MB
  • D. 30MB
Answer:

C

Discussions

Question 9

Which two sections can be expanded using the Search Job Inspector?

  • A. Execution costs.
  • B. Saved search history.
  • C. Search job properties.
  • D. Optimization suggestions.
Answer:

B,C

Discussions

Question 10

A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot
see that field in their search results with events known to have src_ip. Which of the following may
explain the problem? (Select all that apply.)

  • A. The field was extracted as a private knowledge object.
  • B. The events are tagged as communicate, but are missing the network tag.
  • C. The Typing Queue, which does regular expression replacements, is blocked.
  • D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.
Answer:

D

Discussions
To page 2