SPLK-2002 | The Renew Guide To SPLK-2002 Free Exam

NEW QUESTION 1
When configuring a Splunk indexer cluster, what are the default values for replication and search factor?

• A. replication_factor = 2search_factor = 2
• B. replication_factor = 2 searchfactor = 3
• C. replication_factor = 3search_factor = 2
• D. replication_factor = 3 searchfactor = 3

Answer: A

NEW QUESTION 2
Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

• A. Install Enterprise Security on the deployer.
• B. Install Enterprise Security on a staging instance.
• C. Copy the Enterprise Security configurations to the deployer.
• D. Use the deployer to deploy Enterprise Security to the cluster members.

Answer: AD

NEW QUESTION 3
Which of the following statements about integrating with third-party systems is true? (Select all that apply.)

• A. A Hadoop application can search data in Splunk.
• B. Splunk can search data in the Hadoop File System (HDFS).
• C. You can use Splunk alerts to provision actions on a third-party system.
• D. You can forward data from Splunk forwarder to a third-party system without indexing it first.

Answer: CD

NEW QUESTION 4
What is the default log size for Splunk internal logs?

• A. 10MB
• B. 20 MB
• C. 25MB
• D. 30MB

Answer: C

NEW QUESTION 5
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV
store will form?

• A. 25
• B. 50
• C. 100
• D. Unlimited

Answer: D

NEW QUESTION 6
Indexing is slow and real-time search results are delayed in a Splunk environment with two indexers and one search head. There is ample CPU and memory available on the indexers. Which of the following is most likely to improve indexing performance?

• A. Increase the maximum number of hot buckets in indexes.conf
• B. Increase the number of parallel ingestion pipelines in server.conf
• C. Decrease the maximum size of the search pipelines in limits.conf
• D. Decrease the maximum concurrent scheduled searches in limits.conf

Answer: D

NEW QUESTION 7
In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

• A. SPLUNK_HOME/var/lib/searchpeers
• B. SPLUNK_HOME/var/log/searchpeers
• C. SPLUNK_HOME/var/run/searchpeers
• D. SPLUNK_HOME/var/spool/searchpeers

Answer: C

NEW QUESTION 8
To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

• A. adhoc_searchhead = true (on all members)
• B. adhoc_searchhead = true (on the current captain)
• C. captain_is_adhoc_searchhead = true (on all members)
• D. captain_is_adhoc_searchhead = true (on the current captain)

Answer: D

NEW QUESTION 9
Which of the following is a good practice for a search head cluster deployer?

• A. The deployer only distributes configurations to search head cluster members when they “phone home”.
• B. The deployer must be used to distribute non-replicable configurations to search head cluster members.
• C. The deployer must distribute configurations to search head cluster members to be valid configurations.
• D. The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle.

Answer: A

NEW QUESTION 10
How does IT Service Intelligence (ITSI) impact the planning of a Splunk deployment?

• A. ITSI requires a dedicated deployment server.
• B. The amount of users using ITSI will not impact performance.
• C. ITSI in a Splunk deployment does not require additional hardware resources.
• D. Depending on the Key Performance Indicators that are being tracked, additional infrastructure may be needed.

Answer: D

NEW QUESTION 11
When troubleshooting monitor inputs, which command checks the status of the tailed files?

• A. splunk cmd btool inputs list | tail
• B. splunk cmd btool check inputs layer
• C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
• D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus

Answer: C

NEW QUESTION 12
When should multiple search pipelines be enabled?

• A. Only if disk IOPS is at 800 or better.
• B. Only if there are fewer than twelve concurrent users.
• C. Only if running Splunk Enterprise version 6.6 or later.
• D. Only if CPU and memory resources are significantly under-utilized.

Answer: D

NEW QUESTION 13
What is a Splunk Job? (Select all that apply.)

• A. A user-defined Splunk capability.
• B. Searches that are subjected to some usage quota.
• C. A search process kicked off via a report or an alert.
• D. A child OS process manifested from the splunkd process.

Answer: A

NEW QUESTION 14
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

• A. 1. Delete Splunk Enterprise, if it exists.2. Install and initialize the instance.3. Join the SHC.
• B. 1. Install and initialize the instance.2. Delete Splunk Enterprise, if it exists.3. Join the SHC.
• C. 1. Initialize cluster rebalance operation.2. Remove master node from cluster.3. Trigger replication.
• D. 1. Trigger replication.2. Remove master node from cluster.3. Initialize cluster rebalance operation.

Answer: B

NEW QUESTION 15
Which Splunk internal index contains licenserelated events?

• A. _audit
• B. _license
• C. _internal
• D. _introspection

Answer: C

NEW QUESTION 16
Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

• A. Check serverclass.conf of the deployment server.
• B. Check deploymentclient.conf of the deployment client.
• C. Check the content of SPLUNK_HOME/etc/apps of the deployment server.
• D. Search for relevant events in splunkd.log of the deployment server.

Answer: ABC

NEW QUESTION 17
Which of the following can a Splunk diag contain?

• A. Search history, Splunk users and their roles, running processes, indexed data
• B. Server specs, current open connections, internal Splunk log files, index listings
• C. KV store listings, internal Splunk log files, search peer bundles listings, indexed data
• D. Splunk platform configuration details, Splunk users and their roles, current open connections, index listings

Answer: B

NEW QUESTION 18
A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf:
[clustering] mode = master
replication_factor = 2
pass4SymmKey = password123
Which of the following statements
describe this Splunk instance?
(Select all that apply.)

• A. This is a multi-site cluster.
• B. This cluster's search factor is 2.
• C. This Splunk instance needs to be restarted.
• D. This instance is missing the master_uri attribute.

Answer: AC

NEW QUESTION 19
Which command will permanently decommission a peer node operating in an
indexer cluster?

• A. splunk stop -f
• B. splunk offline -f
• C. splunk offline --enforce-counts
• D. splunk decommission --enforce counts

Answer: C

NEW QUESTION 20
Which Splunk server role regulates the functioning of
indexer cluster?

• A. Indexer
• B. Deployer
• C. Master Node
• D. Monitoring Console

Answer: C

NEW QUESTION 21
How does the average run time of all searches relate to the available CPU cores on the indexers?

• A. Average run time is independent of the number of CPU cores on the indexers.
• B. Average run time decreases as the number of CPU cores on the indexers decreases.
• C. Average run time increases as the number of CPU cores on the indexers decreases.
• D. Average run time increases as the number of CPU cores on the indexers increases.

Answer: C

NEW QUESTION 22
Which of the following describe migration from single-site to multisite index replication?

• A. A master node is required at each site.
• B. Multisite policies apply to new data only.
• C. Single-site buckets instantly receive the multisite policies.
• D. Multisite total values should not exceed any single-site factors.

Answer: D

NEW QUESTION 23
......