100% correct
What specific things should be included in a deployment plan? - answer -Goals
-User roles
-Current topology, physical and logging
-Splunk deployment topology
-Data source inventory
-Data policy definition
-Splunk apps
-Education/training plan
-Deployment schedule
What are the 3 main stages in a Splunk deployment? - answer -Infrastructure planning
-Splunk deployment and data enrichment
-User planning and roll-out
What are some examples of Architect tasks? Admin tasks? - answer -Architect: HW procurement, all
install and configuration tasks, identifying data sources, forwarder allocation
-Admin: everything else, especially user planning and roll-out
When gathering raw material for the deployment plan at the beginning, when possible
understand what? - answer -overall goals
-key users
-current environment
-monitoring tools in use
-Data sources
Regarding current IT environment, what needs to be understood when checking the
overall IT topology? - answer -Data center, network zones, # and type of servers,
location of users
-how are users authenticated
When checking the network diagram, what do you need to know? - answer -security
restrictions between data centers and network zones
-bandwidth
Regarding logging, what needs to be understood? - answer -are any logs collected
today?
-Are they centralized and logged to SAN/NAS? (e.g. via syslog-ng, syslog, Kiwi, Snare,
etc.)
-are they parsed and stored in a SQL db?
-what tools? any log parsing, query tools, monitoring systems, ticketing system?
-will Splunk replace or integrate with the existing tools?
What security policies might affect planning? - answer -what security policies
currently in place may affect the collection, retention and reporting of data? What
approvals will be needed?
-Any regulatory concerns?
-HA or DR needed? Is data replication required?
Regarding data sources, what might affect planning? - answer Data source inventory:
-what is the superset of all data needed by users?
-how much data is generated daily?
Data source policy:
-retention?
-who can see what data?
-what data needs protection against tampering?
-what proof of integrity is required?
-will Splunk be the primary repository?
Regarding indexes, what are the 2 main types of files? What are their sizes? - answer
-rawdata (e.g. syslog), around 10-15% of the original data size once indexed
-Index (.tsidx), 10-110% of the original data size; affected by the # of unique terms, and
indexed field extractions will increase this
What are the 4 main reasons for avoiding processing on raw events until search time? -
answer -indexing speed is increased
-bringing new data into the system requires less effort
-the original data is persisted unchanged because there is no transformation
-the system is resilient to change
What type of data structure does Splunk use? - answer Inverted index. maps
keywords to locations in the raw data
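As an added example (not from the original card set), here is a small Python model of the two cards above: an inverted index that maps keywords to the positions of raw events, with the raw events stored untouched, and search-time field extraction that pulls fields such as src_ip out with regexes only when a search asks for them. The event lines, the tokenizer and the regex names are constructed for this illustration and are a simplification of Splunk's real segmentation and props.conf EXTRACT rules.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not real logs from the page).
RAW_EVENTS = [
    "2024-01-05T10:00:01Z sshd[1201]: Failed password for root from 10.0.0.7 port 5222 ssh2",
    "2024-01-05T10:00:03Z sshd[1201]: Failed password for admin from 10.0.0.7 port 5223 ssh2",
    "2024-01-05T10:00:09Z sshd[1202]: Accepted password for alice from 10.0.0.9 port 41022 ssh2",
    "2024-01-05T10:01:15Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]

# Simplified tokenizer: dots, slashes and dashes stay inside a token so that IPs and paths
# survive as single keywords (Splunk's real major/minor breaker rules are richer than this).
TOKEN_RE = re.compile(r"[A-Za-z0-9_./-]+")


def tokenize(event):
    return {tok.lower() for tok in TOKEN_RE.findall(event)}


def build_index(events):
    """Inverted index: lower-cased keyword -> set of positions of raw events containing it.
    The raw events themselves are stored as-is; nothing is parsed into fields here."""
    index = defaultdict(set)
    for pos, event in enumerate(events):
        for tok in tokenize(event):
            index[tok].add(pos)
    return index


def search(index, events, *keywords):
    """AND-search: intersect the posting lists, then return the matching raw events."""
    hits = None
    for kw in keywords:
        posting = index.get(kw.lower(), set())
        hits = posting if hits is None else hits & posting
    return [events[pos] for pos in sorted(hits or ())]


# Search-time extractions (the equivalent of props.conf EXTRACT-* regexes): applied to the
# raw event text only when a search needs the field, so changing them never requires a re-index.
SRC_IP_RE = re.compile(r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+)")
USER_RE = re.compile(r"(?:password for|sudo:) (?P<user>\S+)")
DEFAULT_EXTRACTIONS = [SRC_IP_RE, USER_RE]

# An extraction "added later": works on already-indexed data with no re-index.
PORT_RE = re.compile(r"port (?P<port>\d+)")


def extract_fields(event, extractions=DEFAULT_EXTRACTIONS):
    fields = {}
    for regex in extractions:
        match = regex.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def failed_logins_by_src(index, events, extractions=DEFAULT_EXTRACTIONS):
    """'failed password | stats count by src_ip', done the schema-on-read way."""
    counts = defaultdict(int)
    for event in search(index, events, "failed", "password"):
        counts[extract_fields(event, extractions).get("src_ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    idx = build_index(RAW_EVENTS)
    print(failed_logins_by_src(idx, RAW_EVENTS))
    print(extract_fields(RAW_EVENTS[0], DEFAULT_EXTRACTIONS + [PORT_RE]))
```

The index only ever holds keywords and positions; adding PORT_RE after the index is built still yields a port field for old events, which is the "resilient to change" point of the card.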
How can you manage disk usage? What are the downsides? What is the setting? -
answer -You can enable TSIDX reduction in indexes.conf
-downside: slower searches on reduced buckets
-timePeriodInSecBeforeTsidxReduction = 7776000 (90 days)
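Index sizing and the effect of tsidx reduction, as an added worked example that is not part of the original cards: it multiplies the daily raw volume by the rawdata and tsidx ratios quoted in the index-file card, spreads the result over the retention period, and optionally applies tsidx reduction after the 7776000-second (90-day) threshold. It goes beyond the cards by modelling a cluster's replication factor (copies of rawdata) and search factor (copies of tsidx). The fraction of tsidx left after reduction (TSIDX_REDUCED_RATIO) and the 550 GB/day, 365-day, 8-indexer inputs are assumptions for illustration; as the next card says, validate any such estimate against real data in the Monitoring Console.

```python
# Planning ratios quoted in the cards above (fractions of the original raw data volume).
RAWDATA_RATIO = 0.15          # rawdata/journal: ~10-15% of raw, use the pessimistic end
TSIDX_RATIO = 0.50            # tsidx: 10-110% depending on unique terms; mid-range guess
TSIDX_REDUCED_RATIO = 0.05    # ASSUMPTION for illustration: tsidx left after reduction

SECONDS_PER_DAY = 86400


def tsidx_reduction_days(time_period_in_sec):
    """Convert indexes.conf timePeriodInSecBeforeTsidxReduction into days (7776000 -> 90)."""
    return time_period_in_sec // SECONDS_PER_DAY


def total_storage_gb(daily_raw_gb, retention_days, replication_factor=1, search_factor=1,
                     reduce_after_days=None, rawdata_ratio=RAWDATA_RATIO,
                     tsidx_ratio=TSIDX_RATIO, tsidx_reduced_ratio=TSIDX_REDUCED_RATIO):
    """Disk needed across the whole indexer tier for one retention period.

    rawdata is kept in full for every retained day and copied replication_factor times;
    tsidx is kept in full until reduce_after_days, shrinks afterwards, and only the
    searchable copies (search_factor) carry it.
    """
    if reduce_after_days is None:
        full_days = retention_days
    else:
        full_days = min(reduce_after_days, retention_days)
    reduced_days = retention_days - full_days

    rawdata_gb = daily_raw_gb * rawdata_ratio * retention_days
    tsidx_gb = daily_raw_gb * tsidx_ratio * (full_days + tsidx_reduced_ratio * reduced_days)
    return rawdata_gb * replication_factor + tsidx_gb * search_factor


def per_indexer_gb(total_gb, indexer_count):
    return total_gb / indexer_count


if __name__ == "__main__":
    daily, retention, indexers = 550, 365, 8          # constructed planning inputs
    full = total_storage_gb(daily, retention)
    reduced = total_storage_gb(daily, retention,
                               reduce_after_days=tsidx_reduction_days(7776000))
    clustered = total_storage_gb(daily, retention, replication_factor=2, search_factor=1)
    print(f"single copies, no reduction  : {full:10.1f} GB "
          f"({per_indexer_gb(full, indexers):.1f} GB per indexer)")
    print(f"with tsidx reduction @90 days: {reduced:10.1f} GB")
    print(f"RF=2 / SF=1, no reduction    : {clustered:10.1f} GB")
```

Because rawdata is the smaller of the two files, the reduction saving is dominated by how much tsidx you actually have, which is why the tsidx ratio (driven by unique terms and indexed fields) is the number worth measuring before committing to hardware.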
What are the things you would do to test indexing compression? - answer -confirm
estimates with actual data (create a baseline with actual data)
-test specific types of data (check defaultb)
-Use the MC (Monitoring Console) to get a baseline of compression rates
Why partition data into different indexes? - answer Retention, Access
What is the recommended RAID disk setup? - answer Raid 10
Are SAN or NAS suitable for hot and warm buckets? - answer False, although a high
performance SAN can be used
What are some of the foundations for a Splunk deployment? - answer -low latency
network, min. 1 Gb/s, under 200 ms SH to indexer, under 100 ms indexer to indexer
-NTP
-DNS
-Turn off THP (transparent huge pages)
-Increase the Linux ulimit
What are the specs for a reference server (low/mid/high)? - answer -minimum spec, 12 CPU cores,
12 GB RAM
-mid-range, 24 CPU cores, 64 GB RAM
-high performance, 48 CPU cores, 128 GB RAM
What do you do to address the problem of underutilized indexer hardware? What
stanza, what attribute, what conf file? - answer configure multiple pipeline sets to increase
HW utilization.
server.conf on all the indexers or forwarders:
[general]
parallelIngestionPipelines = 2
Can you virtualize a Splunk instance? What are the recommendations? - answer Yes
-Use locally attached volumes
-separate indexers from SHs
-ensure enough reserved resources
-expect roughly 10% lower performance than bare metal
Where do summary indexes originate, SH or indexer? - answer They originate on the SH,
but use outputs.conf so they are forwarded to the indexers
Regarding ES sizing, how many indexers and cores would be needed if you have 550
GB/day data, 20 concurrent searches - answer 8 indexers, 24 cores
If you have data model acceleration and a 1 TB license, what is the accelerated
data total after 1 year? - answer 3.4 TB
What are the main infrastructure impacts of ITSI? How many discrete KPIs will require
a dedicated SH? How much RAM per indexer? - answer -a dedicated SH is not
required; however, if over 200 discrete KPIs, a SH cluster is recommended, with max CPU and
memory on the SH
-on the indexer, 64 GB of RAM or more per indexer
-frequency of KPIs: 1, 5 or 15 minutes
-average KPI run time
-number of entities per KPI
What is the default network bandwidth for the UF? - answer 256 KBps (maxKBps = 256 in the [thruput] stanza of limits.conf)
What binary does the Heavy Forwarder use? - answer Splunk Enterprise
Why use a HF? - answer -a UI is needed
-advanced event routing is needed
-filtering more than 80% of events
-anonymizing or masking data before forwarding
-a predictable version of Python is needed
-required by an app (HEC, DBX, Check Point OPSEC LEA)