Architect Exam Questions Answered 100% Correct 2023
What specific things should be included in a deployment plan?
-Goals
-User roles
-Current topology, physical and logging
-Splunk deployment topology
-Data source inventory
-Data policy definition
-Splunk apps
-Education/training plan
-Deployment schedule

What are the 3 main stages in a Splunk deployment?
-Infrastructure planning
-Splunk deployment and data enrichment
-User planning and roll-out

What are some examples of Architect tasks? Admin tasks?
-Architect: HW procurement, all install and configuration tasks, identifying data sources, forwarder allocation
-Admin: everything else, especially user planning and roll-out

When gathering raw material for the deployment plan at the beginning, what should you understand whenever possible?
-Overall goals
-Key users
-Current environment
-Monitoring tools in use
-Data sources

Regarding the current IT environment, what needs to be understood when checking the overall IT topology?
-Data centers, network zones, number and type of servers, location of users
-How users are authenticated

When checking the network diagram, what do you need to know?
-Security restrictions between data centers and between network zones
-Bandwidth

Regarding logging, what needs to be understood?
-Are any logs collected today?
-Are they centralized and logged to SAN/NAS (e.g. with syslog-ng, syslog, Kiwi, Snare)?
-Are they parsed and stored in a SQL DB?
-What tools are in use: log parsing, query tools, monitoring systems, ticketing system?
-Will Splunk replace or integrate with the existing tools?

What security policies might affect planning?
-Which security policies currently in place may affect the collection, retention and reporting of data? What approvals will be needed?
-Any regulatory concerns?
-Is HA or DR needed? Is data replication required?

Regarding data sources, what might affect planning?
Data source inventory:
-What is the superset of all data needed by users?
-How much data is generated daily?
Data source policy:
-Retention?
-Who can see what data?
-What data needs protection against tampering?
-What proof of integrity is required?
-Will Splunk be the primary repository?

Regarding indexes, what are the 2 main types of files? What are their sizes relative to the raw data?
-rawdata (the compressed journal): around 10-15% of the original size once indexed (syslog-type data)
-Index (.tsidx): 10-110%, affected by the number of unique terms; indexed field extractions will increase this

What are the 4 main goals of avoiding processing on raw events until search time?
-Indexing speed is increased
-Bringing new data into the system requires less effort
-Original data is persisted unchanged (no transformation at index time)
-The system is resilient to change

What type of data structure does Splunk use?
Inverted index: maps keywords to locations in the raw data.

How can you manage disk usage? What are the downsides? What is the setting?
-Enable TSIDX reduction in indexes.conf (enableTsidxReduction = true)
-Downside: slower searches on reduced buckets
-Setting: timePeriodInSecBeforeTsidxReduction = <seconds before a bucket's tsidx is reduced>

What are the things you would do to test indexing compression?
-Confirm estimates with actual data (create a baseline with actual data)
-Test specific types of data (check defaultdb)
-Use the Monitoring Console (MC) to get a baseline of compression rates

Why partition data into different indexes?
Retention and access control.

What is the recommended RAID disk setup?
RAID 10

Is SAN or NAS suitable for hot and warm buckets?
False, although a high-performance SAN can be used.

What are some of the foundations for a Splunk deployment?
-Low-latency network: min. 1 Gb, under 200 ms SH to IDX, under 100 ms IDX to IDX
-NTP
-DNS
-Turn off THP (transparent huge pages)
-Increase the Linux ulimit

What are the specs for a reference server (low/mid/high)?
-Minimum spec: 12 CPU cores, 12 GB RAM
-Mid-range: 24 CPU cores, 64 GB RAM
-High performance: 48 CPU cores, 128 GB RAM

What do you do to address the problem of underutilizing indexer hardware? What stanza, what attribute, what conf file?
Configure multiple pipeline sets to increase HW utilization. In server.conf on all the indexers (or forwarders):
[general]
parallelIngestionPipelines = 2

Can you virtualize a Splunk instance? What are the recommendations?
Yes.
-Use locally attached volumes
-Separate indexers from search heads
-Ensure enough reserved resources
-Expect a virtualized instance to have around 10% reduced performance

Where do summary indexes originate, SH or indexer?
They originate on the SH, but should be forwarded to the indexers.

Regarding ES sizing, how many indexers and cores would be needed if you have 550 GB/day of data and 20 concurrent searches?
8 indexers, 24 cores

If you have data model acceleration and a 1 TB license, what is the acceleration data total after 1 year?
3.4 TB

What are the main infrastructure impacts of ITSI? How many discrete KPIs require a dedicated SH? How much RAM per indexer?
-A dedicated SH is not required; however, above 200 discrete KPIs an SH cluster is recommended, with max CPU and memory on the SH
-On the indexer tier, 64 GB of RAM or more per indexer
-KPI frequency (1, 5 or 15 minutes)
-Average KPI run time
-Number of entities per KPI

What is the default network bandwidth limit for the UF?
256 KBps (maxKBps = 256 in the [thruput] stanza of limits.conf)

What binary does the Heavy Forwarder use?
Splunk Enterprise

Why use a HF?
-A UI is needed
-Advanced event routing is needed
-Filtering more than 80% of events
-Anonymizing or masking data before forwarding
-A predictable version of Python is needed
-Required by an app (HEC, DBX, Check Point OPSEC LEA)

On a UF install, how would you set it to connect to the deployment server?
splunk set deploy-poll <ds_ip>:<port>

What are some recommendations for UFs?
-Don't use HFs unless necessary
-Use a syslog server for syslog data
-Avoid intermediate forwarders
-Forwarders automatically load-balance across the indexers they are given

How many polls/min can a Windows Deployment Server handle? Linux?
Windows: 2K polls/min; Linux: 10K polls/min

What is the default client poll interval? What attribute? What file?
-60 seconds
-phoneHomeIntervalInSecs
-deploymentclient.conf

How many clients necessitate a stand-alone deployment server?
50

During install of a UF, what is the key file needed to connect to the Deployment Server?
deploymentclient.conf (on top of a basic install)

Use a CM tool for things like authentication certs and passwords; use the deployment server for routine tasks.

Should you use the deployer to stage OOB apps if you have a SH cluster?
False

Can you use the deployment server to distribute apps to SHC members?
False

With SHCs, are KOs created by users automatically replicated? Are they sent by the deployer?
True; False

You should not stage any OOB apps with the master node?
True

What is the directory on the master node used to distribute apps? On the indexers?
master-apps on the master node, slave-apps on the indexers

Can you use the deployment server to deploy apps to the peer nodes?
False

What type of apps are deployed using the deployer? The master node? The deployment server?
-Deployer: search-time configuration
-Master node: indexing and parsing configuration
-Deployment server: input-time configuration

What tab in the MC displays a high-level summary of a system's performance?
Health Check

Which MC tab provides snapshots and detailed info about memory, CPU and disk usage?
Resource Usage

What can you do if you have unused CPU/memory resources?
You can configure multiple search pipelines (batch_search_max_pipeline in limits.conf).

What do you use to solve the problem of having a large number of buckets? What file? What attribute?
Increase the bucket size limit from 750 MB to 10 GB in $SPLUNK_HOME/etc/system/local/indexes.conf:
maxDataSize = auto_high_volume

What is the indexer throughput on dense searches? Sparse? Super-sparse? Rare?
-Dense: up to 50K matching events per second
-Sparse: 5K matching events per second
-Super-sparse: 2 seconds per bucket
-Rare: 10-15 seconds per bucket

Are super-sparse and rare searches improved by increasing the number of CPUs?
False, they are I/O bound.

Where are the Splunk internal logs stored?
$SPLUNK_HOME/var/log/splunk

How long are the following indexes retained? _introspection, _internal, _audit, _telemetry
-_introspection: 14 days
-_internal: 30 days
-_audit: 6 years
-_telemetry: 2 years

What are the platform logging levels?
DEBUG, INFO, WARN, ERROR, FATAL

How do you set the log level of a particular channel? Is it persistent? How do you make it persistent?
-Go to Settings > Server Settings > Server logging and set it, or via the CLI: splunk set log-level <channel> -level <level> (e.g. DEBUG)
-Changes made this way do not persist across a restart; to make them persistent, edit $SPLUNK_HOME/etc/log-local.cfg
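As an added example (not part of the exam material), the following Python helper turns the sizing figures above into numbers a planner can check: the rawdata journal at roughly 10-15% of raw volume, tsidx at 10-110% depending on the data, and the maxDataSize bucket limits of 750 MB (auto) versus 10 GB (auto_high_volume). It also shows why a busy index that is left on the "auto" limit produces the large bucket count the exam question describes. The 0.35 tsidx ratio used in the usage at the bottom and the 10-buckets-per-day threshold in recommend_max_data_size are assumed planning values, not figures from the page; the volumes are constructed.

```python
import math
from dataclasses import dataclass

MB = 1024 ** 2
GB = 1024 ** 3

# Hot-bucket roll sizes implied by indexes.conf maxDataSize on 64-bit hosts:
# "auto" rolls a hot bucket at 750 MB, "auto_high_volume" at 10 GB.
MAX_DATA_SIZE = {"auto": 750 * MB, "auto_high_volume": 10 * GB}


@dataclass
class IndexSizing:
    """Disk and bucket estimate for one index, derived from daily raw volume."""
    daily_raw_gb: float    # raw volume ingested into this index per day
    retention_days: int    # retention (frozenTimePeriodInSecs) expressed in days
    rawdata_ratio: float   # compressed journal as a fraction of raw (page: ~0.10-0.15)
    tsidx_ratio: float     # tsidx as a fraction of raw (page: 0.10-1.10; more unique terms -> higher)

    def on_disk_bytes_per_day(self) -> float:
        """Bytes written to the index per day: journal plus tsidx."""
        return self.daily_raw_gb * GB * (self.rawdata_ratio + self.tsidx_ratio)

    def total_disk_gb(self) -> float:
        """Disk needed to hold the full retention period for this index."""
        return self.on_disk_bytes_per_day() * self.retention_days / GB

    def buckets_per_day(self, max_data_size: str = "auto") -> int:
        """How many hot buckets roll per day at the given maxDataSize setting.

        Comparing 'auto' with 'auto_high_volume' shows the effect of raising
        the limit from 750 MB to 10 GB on a high-volume index."""
        return math.ceil(self.on_disk_bytes_per_day() / MAX_DATA_SIZE[max_data_size])

    def buckets_at_retention(self, max_data_size: str = "auto") -> int:
        """Approximate number of buckets held before data ages out (frozen)."""
        return self.buckets_per_day(max_data_size) * self.retention_days


def recommend_max_data_size(sizing: IndexSizing, max_buckets_per_day: int = 10) -> str:
    """Choose auto_high_volume once 'auto' would roll more than the allowed
    number of buckets per day. The default threshold of 10 is an assumption
    for illustration, not a Splunk-documented limit."""
    if sizing.buckets_per_day("auto") > max_buckets_per_day:
        return "auto_high_volume"
    return "auto"


if __name__ == "__main__":
    # Constructed example: a 100 GB/day index retained for 90 days.
    # 0.15 is the page's rawdata figure; 0.35 for tsidx is an assumed planning value.
    fw = IndexSizing(daily_raw_gb=100, retention_days=90, rawdata_ratio=0.15, tsidx_ratio=0.35)
    print(f"disk for retention: {fw.total_disk_gb():.0f} GB")
    print(f"buckets/day: auto={fw.buckets_per_day('auto')} "
          f"auto_high_volume={fw.buckets_per_day('auto_high_volume')}")
    print(f"buckets held at retention (auto): {fw.buckets_at_retention('auto')}")
    print(f"recommended maxDataSize: {recommend_max_data_size(fw)}")
```

Run it against each planned index from the data source inventory; an index whose "auto" bucket count runs into the thousands over its retention period is the candidate for maxDataSize = auto_high_volume in indexes.conf, while the total_disk_gb figures feed the per-indexer storage estimate after the compression baseline has been confirmed in the Monitoring Console.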
Document information
-Written for: Sophos (institution), Sophos (course)
-Uploaded on: June 21, 2023
-Number of pages: 33
-Written in: 2022/2023
-Type: Exam (elaborations)
-Contains: Questions & answers