Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?
AReplace the indexer storage to solid state drives (SSD).
BAdd more search heads and redistribute users based on the search type.
CLook for slow searches and reschedule them to run during an off-peak time.
DAdd more search peers and make sure forwarders distribute data evenly across all indexers.
Stakeholders have identified high availability for searchable data as their top priority. Which of the following best addresses this requirement?
AIncreasing the search factor in the cluster.
BIncreasing the replication factor in the cluster.
CIncreasing the number of search heads in the cluster.
DIncreasing the number of CPUs on the indexers in the cluster.
A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department.
Which of the following items might be the cause for this issue?
AThe search head may have different configurations than the indexers.
BThe data inputs are not properly configured across all the forwarders.
CThe indexers may have different configurations than the heavy forwarders.
DThe forwarders managed by the other department are an older version than the rest.
What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)
ADistributes apps to SHC members.
BBootstraps a clean Splunk install for a SHC.
CDistributes non-search related and manual configuration file changes.
DDistributes runtime knowledge object changes made by users across the SHC.
Which of the following should be included in a deployment plan?
ABusiness continuity and disaster recovery plans.
BCurrent logging details and data source inventory.
CCurrent and future topology diagrams of the IT environment.
DA comprehensive list of stakeholders, either direct or indirect.
Question 6
Multisite Indexer Cluster
0
Question 7
Multisite Indexer Cluster
Question 8
Search Head Cluster Management and Administration
Question 9
Clarifying the Problem
Question 10
Clustering Overview
Question 11
Infrastructure Planning: Resource Planning
Question 12
Search Head Cluster Management and Administration
Question 13
KV Store Collection and Lookup Management
Question 14
Configuration Problems
Question 15
Multisite Indexer Cluster
Question 16
Licensing and Crash Problems
Question 17
Search Head Cluster
Question 18
Splunk Troubleshooting Methods and Tools
Question 19
Search Head Cluster Management and Administration
Question 20
Multisite Indexer Cluster
Question 21
Licensing and Crash Problems
Question 22
Search Problems
Question 23
Introduction
Question 24
Forwarder and Deployment Best Practices
Question 25
Project Requirements
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)
In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?
When adding or rejoining a member to a search head cluster, the following error is displayed:
Error pulling configurations from the search head cluster captain; consider performing a destructive configuration resync on this search head cluster member.
What corrective action should be taken?
ARestart the search head.
BRun the splunk apply shcluster-bundle command from the deployer.
CRun the clean raft command on all members of the search head cluster.
DRun the splunk resync shcluster-replicated-config command on this member.
Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)
ACheck serverclass.conf of the deployment server.
BCheck deploymentclient.conf of the deployment client.
CCheck the content of SPLUNK_HOME/etc/apps of the deployment server.
DSearch for relevant events in splunkd.log of the deployment server.
Which of the following are true statements about Splunk indexer clustering?
AAll peer nodes must run exactly the same Splunk version.
BThe master node must run the same or a later Splunk version than search heads.
CThe peer nodes must run the same or a later Splunk version than the master node.
DThe search head must run the same or a later Splunk version than the peer nodes.
A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?
ATwo indexers not in a cluster, assuming users run many long searches.
BThree indexers not in a cluster, assuming a long data retention period.
CTwo indexers clustered, assuming high availability is the greatest priority.
DTwo indexers clustered, assuming a high volume of saved/scheduled searches.
Configurations from the deployer are merged into which location on the search head cluster member?
ASPLUNK_HOME/etc/system/local
BSPLUNK_HOME/etc/apps/APP_HOME/local
CSPLUNK_HOME/etc/apps/search/default
DSPLUNK_HOME/etc/apps/APP_HOME/default
The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?
A25
B50
C100
DUnlimited
A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf:
[clustering]
mode = master
replication_factor = 2
pass4SymmKey = password123
Which of the following statements describe this Splunk instance? (Select all that apply.)
AThis is a multi-site cluster.
BThis cluster's search factor is 2.
CThis Splunk instance needs to be restarted.
DThis instance is missing the master_uri attribute.
Which of the following describe migration from single-site to multisite index replication?
AA master node is required at each site.
BMultisite policies apply to new data only.
CSingle-site buckets instantly receive the multisite policies.
DMultisite total values should not exceed any single-site factors.
Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)
AFree licenses do not support clustering.
BReplicated data does not count against licensing.
CEach cluster member requires its own clustering license.
DCluster members must share the same license pool and license master.
When planning a search head cluster, which of the following is true?
AAll search heads must use the same operating system.
BAll search heads must be members of the cluster (no standalone search heads).
CThe search head captain must be assigned to the largest search head in the cluster.
DAll indexers must belong to the underlying indexer cluster (no standalone indexers).
Which tool(s) can be leveraged to diagnose connection problems between an indexer and forwarder? (Select all that apply.)
Atelnet
Btcpdump
Csplunk btool
Dsplunk btprobe
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?
A
Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
B
Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
When converting from a single-site to a multi-site cluster, what happens to existing single-site clustered buckets?
AThey will continue to replicate within the origin site and age out based on existing policies.
BThey will maintain replication as required according to the single-site policies, but never age out.
CThey will be replicated across all peers in the multi-site cluster and age out based on existing policies.
DThey will stop replicating within the single-site and remain on the indexer they reside on and age out according to existing policies.
As a best practice, where should the internal licensing logs be stored?
AIndexing layer.
BLicense server.
CDeployment layer.
DSearch head layer.
A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)
AThe field was extracted as a private knowledge object.
BThe events are tagged as communicate, but are missing the network tag.
CThe Typing Queue, which does regular expression replacements, is blocked.
DThe colleague did not explicitly use the field in the search and the search was set to Fast Mode.
What is a Splunk Job? (Select all that apply.)
AA user-defined Splunk capability.
BSearches that are subjected to some usage quota.
CA search process kicked off via a report or an alert.
DA child OS process manifested from the splunkd process.
Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)
AUse TCP syslog.
BConfigure UDP inputs on each Splunk indexer to receive data directly.
CUse a network load balancer to direct syslog traffic to active backend syslog listeners.
DUse one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)
