Is the SPLK-2002 practice exam free?

Yes. ExamCademy offers all 169 SPLK-2002 practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the SPLK-2002 practice questions?

All SPLK-2002 questions are community-created and reviewed by moderators to align with Splunk's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the SPLK-2002 exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official Splunk documentation and hands-on experience for best results.

SPLK-2002 Practice Exam — Free 169+ Questions

169Practice Questions

3Study Modes

FreeTo Get Started

Sort:

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Page 1 of 7 • Questions 1-25 of 169

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

A Replace the indexer storage to solid state drives (SSD).
B Add more search heads and redistribute users based on the search type.
C Look for slow searches and reschedule them to run during an off-peak time.
D Add more search peers and make sure forwarders distribute data evenly across all indexers.

Stakeholders have identified high availability for searchable data as their top priority. Which of the following best addresses this requirement?

A Increasing the search factor in the cluster.
B Increasing the replication factor in the cluster.
C Increasing the number of search heads in the cluster.
D Increasing the number of CPUs on the indexers in the cluster.

A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department.
Which of the following items might be the cause for this issue?

A The search head may have different configurations than the indexers.
B The data inputs are not properly configured across all the forwarders.
C The indexers may have different configurations than the heavy forwarders.
D The forwarders managed by the other department are an older version than the rest.

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

A Distributes apps to SHC members.
B Bootstraps a clean Splunk install for a SHC.
C Distributes non-search related and manual configuration file changes.
D Distributes runtime knowledge object changes made by users across the SHC.

Which of the following should be included in a deployment plan?

A Business continuity and disaster recovery plans.
B Current logging details and data source inventory.
C Current and future topology diagrams of the IT environment.
D A comprehensive list of stakeholders, either direct or indirect.

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

A Via Splunk Web.
B Directly edit SPLUNK_HOME/etc/system/local/server.conf
C Run a splunk edit cluster-config command from the CLI.
D Directly edit SPLUNK_HOME/etc/system/default/server.conf

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

A site_search_factor = origin:2, site1:2, total:4
B site_search_factor = origin:2, site2:1, total:4
C site_replication_factor = origin:2, site1:2, total:4
D site_replication_factor = origin:2, site2:1, total:4

When adding or rejoining a member to a search head cluster, the following error is displayed:
Error pulling configurations from the search head cluster captain; consider performing a destructive configuration resync on this search head cluster member.
What corrective action should be taken?

A Restart the search head.
B Run the splunk apply shcluster-bundle command from the deployer.
C Run the clean raft command on all members of the search head cluster.
D Run the splunk resync shcluster-replicated-config command on this member.

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

A Check serverclass.conf of the deployment server.
B Check deploymentclient.conf of the deployment client.
C Check the content of SPLUNK_HOME/etc/apps of the deployment server.
D Search for relevant events in splunkd.log of the deployment server.

Which of the following are true statements about Splunk indexer clustering?

A All peer nodes must run exactly the same Splunk version.
B The master node must run the same or a later Splunk version than search heads.
C The peer nodes must run the same or a later Splunk version than the master node.
D The search head must run the same or a later Splunk version than the peer nodes.

A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?

A Two indexers not in a cluster, assuming users run many long searches.
B Three indexers not in a cluster, assuming a long data retention period.
C Two indexers clustered, assuming high availability is the greatest priority.
D Two indexers clustered, assuming a high volume of saved/scheduled searches.

Configurations from the deployer are merged into which location on the search head cluster member?

A SPLUNK_HOME/etc/system/local
B SPLUNK_HOME/etc/apps/APP_HOME/local
C SPLUNK_HOME/etc/apps/search/default
D SPLUNK_HOME/etc/apps/APP_HOME/default

The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

A 25
B 50
C 100
D Unlimited

A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf:
[clustering]
mode = master
replication_factor = 2
pass4SymmKey = password123
Which of the following statements describe this Splunk instance? (Select all that apply.)

A This is a multi-site cluster.
B This cluster's search factor is 2.
C This Splunk instance needs to be restarted.
D This instance is missing the master_uri attribute.

Which of the following describe migration from single-site to multisite index replication?

A A master node is required at each site.
B Multisite policies apply to new data only.
C Single-site buckets instantly receive the multisite policies.
D Multisite total values should not exceed any single-site factors.

Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)

A Free licenses do not support clustering.
B Replicated data does not count against licensing.
C Each cluster member requires its own clustering license.
D Cluster members must share the same license pool and license master.

When planning a search head cluster, which of the following is true?

A All search heads must use the same operating system.
B All search heads must be members of the cluster (no standalone search heads).
C The search head captain must be assigned to the largest search head in the cluster.
D All indexers must belong to the underlying indexer cluster (no standalone indexers).

Which tool(s) can be leveraged to diagnose connection problems between an indexer and forwarder? (Select all that apply.)

A telnet
B tcpdump
C splunk btool
D splunk btprobe

When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

A
1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
B
1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
C
1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.
D
1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.

When converting from a single-site to a multi-site cluster, what happens to existing single-site clustered buckets?

A They will continue to replicate within the origin site and age out based on existing policies.
B They will maintain replication as required according to the single-site policies, but never age out.
C They will be replicated across all peers in the multi-site cluster and age out based on existing policies.
D They will stop replicating within the single-site and remain on the indexer they reside on and age out according to existing policies.

As a best practice, where should the internal licensing logs be stored?

A Indexing layer.
B License server.
C Deployment layer.
D Search head layer.

A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

A The field was extracted as a private knowledge object.
B The events are tagged as communicate, but are missing the network tag.
C The Typing Queue, which does regular expression replacements, is blocked.
D The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

What is a Splunk Job? (Select all that apply.)

A A user-defined Splunk capability.
B Searches that are subjected to some usage quota.
C A search process kicked off via a report or an alert.
D A child OS process manifested from the splunkd process.

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

A Use TCP syslog.
B Configure UDP inputs on each Splunk indexer to receive data directly.
C Use a network load balancer to direct syslog traffic to active backend syslog listeners.
D Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

A Use case checklist.
B Install Splunk apps.
C Inventory data sources.
D Review network topology.

SPLK-2002Preview

About the SPLK-2002 Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

SPLK-2002Preview

About the SPLK-2002 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25