SPLK-2002 V1

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?A . adhoc_searchhead = true (on all members)B . adhoc_searchhead = true (on the current captain)C . captain_is_adhoc_searchhead = true (on all members)D . captain_is_adhoc_searchhead = true (on the...

Configurations from the deployer are merged into which location on the search head cluster member?A . SPLUNK_HOME/etc/system/localB . SPLUNK_HOME/etc/apps/APP_HOME/localC . SPLUNK_HOME/etc/apps/search/defaultD . SPLUNK_HOME/etc/apps/APP_HOME/defaultView AnswerAnswer: B Explanation: Configurations from the deployer are merged into the SPLUNK_HOME/etc/apps/APP_HOME/local directory on the search head cluster member. The deployer distributes apps and other configurations to...

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?A . Create a job server on the cluster.B . Add another search head to the cluster.C . server.conf captain_is_adhoc_searchhead = true.D ....

What is the minimum reference server specification for a Splunk indexer?A . 12 CPU cores, 12GB RAM, 800 IOPSB . 16 CPU cores, 16GB RAM, 800 IOPSC . 24 CPU cores, 16GB RAM, 1200 IOPSD . 28 CPU cores, 32GB RAM, 1200 IOPSView AnswerAnswer: A Explanation: The minimum reference server...

A new Splunk customer is using syslog to collect data from their network devices on port 514. What is the best practice for ingesting this data into Splunk?A . Configure syslog to send the data to multiple Splunk indexers.B . Use a Splunk indexer to collect a network input on...

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?A . kvstore.confB . collection.confC . collections.confD . kvcollections.confView AnswerAnswer: C Explanation: A collection is defined in the collections.conf file, which specifies the name, schema, and permissions of the collection. The kvstore.conf...

Which of the following commands is used to clear the KV store?A . splunk clean kvstoreB . splunk clear kvstoreC . splunk delete kvstoreD . splunk reinitialize kvstoreView AnswerAnswer: A Explanation: The splunk clean kvstore command is used to clear the KV store. This command will delete all the collections...

Which command will permanently decommission a peer node operating in an indexer cluster?A . splunk stop -fB . splunk offline -fC . splunk offline --enforce-countsD . splunk decommission --enforce countsView AnswerAnswer: C Explanation: The splunk offline --enforce-counts command will permanently decommission a peer node operating in an indexer cluster. This...

Which of the following is a way to exclude search artifacts when creating a diag?A . SPLUNK_HOME/bin/splunk diag --excludeB . SPLUNK_HOME/bin/splunk diag --debug --refreshC . SPLUNK_HOME/bin/splunk diag --disable=dispatchD . SPLUNK_HOME/bin/splunk diag --filter-searchstringsView AnswerAnswer: A Explanation: The splunk diag --exclude command is a way to exclude search artifacts when creating a...

Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?A . btoolB . DiagGenC . SPL ClinicD . Monitoring ConsoleView AnswerAnswer: D Explanation: The Monitoring Console is the Splunk tool that offers a health check for administrators to evaluate the health of their...