When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?
A. Auto
B. None
C. True
D. False
Answer: D
Explanation: When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to false. This tells Splunk...
When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?
A. Index and .tsidx files.
B. Rawdata and index files.
C. Compressed and .tsidx files.
D. Compressed and meta data files.
Answer: A
Explanation: When Splunk indexes data in a non-clustered environment, it...
Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?
A. Data encryption between Splunk Web and splunkd.
B. Certificate authentication between forwarders and indexers.
C. Certificate authentication between Splunk Web and search head.
D. Data encryption for distributed search between search...
Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)
A. Is the job scheduler for the entire SHC.
B. Manages alert action suppressions (throttling).
C. Synchronizes the member list with the KV store primary.
D. Replicates the SHC's knowledge bundle to the search...
Which of the following are true statements about Splunk indexer clustering?
A. All peer nodes must run exactly the same Splunk version.
B. The master node must run the same or a later Splunk version than search heads.
C. The peer nodes must run the same or a later Splunk...
In the deployment planning process, when should a person identify who gets to see network data?
A. Deployment schedule
B. Topology diagramming
C. Data source inventory
D. Data policy definition
Answer: D
Explanation: In the deployment planning process, a person should identify who gets to see network data in the...
Which of the following items might be the cause of this issue?
A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web source. Further investigation reveals that not all weblogs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the...
To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?
A. adhoc_searchhead = true (on all members)
B. adhoc_searchhead = true (on the current captain)
C. captain_is_adhoc_searchhead = true (on all members)
D. captain_is_adhoc_searchhead = true (on the...
Configurations from the deployer are merged into which location on the search head cluster member?
A. SPLUNK_HOME/etc/system/local
B. SPLUNK_HOME/etc/apps/APP_HOME/local
C. SPLUNK_HOME/etc/apps/search/default
D. SPLUNK_HOME/etc/apps/APP_HOME/default
Answer: B
Explanation: Configurations from the deployer are merged into the SPLUNK_HOME/etc/apps/APP_HOME/local directory on the search head cluster member. The deployer distributes apps and other configurations to...
What should be done to increase scheduled search capacity on the search head cluster?
A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?
A. Create a job server on the cluster.
B. Add another search head to the cluster.
C. server.conf captain_is_adhoc_searchhead = true.
D. ...