Correct Answers
Q. Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)
A. OS settings.
B. Internal logs.
C. Customer data.
D. Configuration files. - ANSWER-✔A, B, D
A. OS settings.
B. Internal logs.
D. Configuration files.
A diag deliberately leaves out indexed (customer) data, but the internal logs and configuration files it does collect can still carry sensitive details such as hostnames, usernames and search strings, so review a diag before sending it outside the organization.
Reference:
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Generateadiag
Q. Which of the following will cause the greatest reduction in disk size requirements for a
cluster of N indexers running Splunk Enterprise Security?
A. Setting the cluster search factor to N-1.
B. Increasing the number of buckets per index.
C. Decreasing the data model acceleration range.
D. Setting the cluster replication factor to N-1. - ANSWER-✔Correct Answer: D
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements
Q. Stakeholders have identified high availability for searchable data as their top priority. Which
of the following best addresses this requirement?
A. Increasing the search factor in the cluster.
B. Increasing the replication factor in the cluster.
C. Increasing the number of search heads in the cluster.
D. Increasing the number of CPUs on the indexers in the cluster. - ANSWER-✔Correct Answer: A
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/SHCarchitecture
Replication factor defines the number of copies of raw data that the Splunk cluster maintains.
For more details, see Splunk replication factor. By increasing the replication factor, you can
tolerate more peer node failures.
Search factor defines how many searchable copies of the indexed data need to be maintained.
For more details, see Splunk search factor.
Because the requirement is availability of searchable data, the search factor is the setting that
controls it directly: with a higher search factor more peers hold copies that already carry the
index files, so when a peer fails the data stays searchable without the remaining peers first
having to rebuild index files from the raw data.
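The two cluster questions above (disk size versus failure tolerance) come down to what each bucket copy holds: a non-searchable copy is rawdata only, a searchable copy is rawdata plus index files, so the replication factor multiplies the rawdata share and the search factor multiplies the index-file share. The following model, an added example and not code from the page or from Splunk, makes that arithmetic explicit. The 15% rawdata and 35% index-file ratios are Splunk's published rule-of-thumb for sizing, used here only as adjustable defaults; the ingest volume, retention and factor values are constructed inputs.

```python
"""Rough storage and failure-tolerance model for a Splunk indexer cluster.

Assumed ratios (Splunk's sizing rule of thumb, not measured values):
  rawdata_ratio  compressed rawdata as a fraction of pre-indexed volume (~0.15)
  index_ratio    tsidx/index files as a fraction of pre-indexed volume  (~0.35)
Non-searchable bucket copies hold rawdata only; searchable copies hold
rawdata plus index files.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterPlan:
    indexers: int
    replication_factor: int
    search_factor: int

    def __post_init__(self):
        # Splunk enforces 1 <= search_factor <= replication_factor, and a cluster
        # cannot keep more copies of a bucket than it has peers.
        if self.indexers < 1:
            raise ValueError("need at least one indexer")
        if not 1 <= self.search_factor <= self.replication_factor <= self.indexers:
            raise ValueError("require 1 <= search_factor <= replication_factor <= indexers")

    def peer_failures_tolerated(self):
        """Peers that can be lost while every bucket still has
        (a) at least one copy and (b) at least one searchable copy."""
        return self.replication_factor - 1, self.search_factor - 1


def cluster_storage_gb(plan, daily_ingest_gb, retention_days,
                       rawdata_ratio=0.15, index_ratio=0.35):
    """Total disk across the whole cluster for retention_days of data."""
    indexed = daily_ingest_gb * retention_days
    rawdata_copies = indexed * rawdata_ratio * plan.replication_factor
    index_copies = indexed * index_ratio * plan.search_factor
    return rawdata_copies + index_copies


def per_indexer_gb(plan, daily_ingest_gb, retention_days, **ratios):
    """Average disk per peer, assuming forwarders spread data evenly."""
    return cluster_storage_gb(plan, daily_ingest_gb, retention_days, **ratios) / plan.indexers


def compare_factors(indexers, daily_ingest_gb, retention_days, base_rf, base_sf):
    """Disk change (GB, negative = saving) of lowering RF or SF by one
    from a baseline plan, skipping changes that would violate SF <= RF."""
    base = ClusterPlan(indexers, base_rf, base_sf)
    base_gb = cluster_storage_gb(base, daily_ingest_gb, retention_days)
    result = {"baseline_gb": base_gb}
    if base_rf - 1 >= base_sf:
        lower_rf = ClusterPlan(indexers, base_rf - 1, base_sf)
        result["rf_minus_1"] = cluster_storage_gb(lower_rf, daily_ingest_gb, retention_days) - base_gb
    if base_sf > 1:
        lower_sf = ClusterPlan(indexers, base_rf, base_sf - 1)
        result["sf_minus_1"] = cluster_storage_gb(lower_sf, daily_ingest_gb, retention_days) - base_gb
    return result


if __name__ == "__main__":
    # Constructed scenario: 5 peers, 100 GB/day, 30 days, RF=3 / SF=2.
    plan = ClusterPlan(indexers=5, replication_factor=3, search_factor=2)
    print("total GB:", cluster_storage_gb(plan, 100, 30))
    print("per peer GB:", per_indexer_gb(plan, 100, 30))
    print("failures tolerated (copy, searchable):", plan.peer_failures_tolerated())
    print("single-step reductions:", compare_factors(5, 100, 30, 3, 2))
```

The output shows the trade-off the two questions are probing: each extra replication copy costs one more rawdata share per bucket and buys one more peer failure before data is lost, while each extra searchable copy costs the (larger) index-file share and buys one more peer failure before data stops being searchable without a rebuild.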
Q. Search dashboards in the Monitoring Console indicate that the distributed deployment is
approaching its capacity. Which of the following options will provide the most search
performance improvement? - ANSWER-✔D. Add more search peers and make sure forwarders
distribute data evenly across all indexers.
Q. A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users
are complaining that the events are inconsistently formatted for a web sourcetype. Further
investigation reveals that not all web logs flow through the same infrastructure: some of the
data goes through heavy forwarders and some of the forwarders are managed by another
department. Which of the following items might be the cause for this issue? - ANSWER-✔C. The
indexers may have different configurations than the heavy forwarders.
Event breaking, timestamp extraction and the other parsing-phase settings are applied by the
first full Splunk instance a stream passes through. Data parsed on a heavy forwarder and data
parsed on the indexer will only look the same if both tiers carry the same props.conf and
transforms.conf for that sourcetype.
Q. A customer has installed a 500GB Enterprise license. They also purchased and installed a
300GB, no enforcement license on the same license master. How much data can the customer
ingest before search is locked out? - ANSWER-✔D. Search is not locked out. Violations are still
recorded.
Q. What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)
A. Distributes apps to SHC members.
B. Bootstraps a clean Splunk install for a SHC.
C. Distributes non-search related and manual configuration file changes.
D. Distributes runtime knowledge object changes made by users across the SHC. - ANSWER-
✔A, C
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/SHCdeploymentoverview
Q. When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the
SHOULD_LINEMERGE attribute should be set to what?
A. Auto
B. None
C. True
D. False - ANSWER-✔D. False
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking#Line_breaking_general_settings
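The LINE_BREAKER question above and the Buttercup Games question earlier on this page are two sides of the same props.conf concern: how events are broken, and that every parsing tier breaks them the same way. The following stanzas are an added example, not configuration from the page or from Splunk's documentation; the sourcetype names, the sample application log format (events starting with `2024-05-01 12:00:00,123 LEVEL`, optionally followed by a multi-line stack trace) and the regexes are assumptions.

```ini
# props.conf (added example). Deploy this identical stanza to every instance
# that parses the data: the heavy forwarders AND the indexers. An instance
# that lacks it, or carries a different version, will break events differently.

# Line-merge approach: Splunk first splits on every newline, then re-merges
# lines into events using the BREAK_ONLY_BEFORE pattern. It works, but costs a
# second pass and is easy to get subtly wrong (a stack-trace line that happens
# to start with a date is split off as its own event).
[app:java:merged]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} 

# Explicit LINE_BREAKER approach, the answer to the question above: one pass,
# and merging is switched off because LINE_BREAKER already defines the events.
# The first capture group ([\r\n]+) is consumed as the delimiter; the lookahead
# that follows is not consumed, so the timestamp stays at the front of the
# event it introduces and trace lines (which start with whitespace or "at ")
# never match and so stay attached to their event.
[app:java]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )
# Timestamp settings, so both tiers also agree on _time.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Upper bound on event length in bytes; long traces are truncated rather than
# allowed to run on indefinitely.
TRUNCATE = 20000
```

These are index-time settings: they take effect for data parsed after the configuration is loaded and cannot be re-applied to events that were already indexed with the wrong breaking, so fix the parsing tier first and accept that the existing malformed events remain until they age out.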
Q. Which of the following should be included in a deployment plan?
A. Business continuity and disaster recovery plans.
B. Current logging details and data source inventory.
C. Current and future topology diagrams of the IT environment.