Spring Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Splunk Enterprise Certified Architect Question and Answers

Splunk Enterprise Certified Architect

Last Update Feb 28, 2026
Total Questions : 205

We are offering FREE SPLK-2002 Splunk exam questions. All you do is to just go and sign up. Give your details, prepare SPLK-2002 free exam questions and then go for complete pool of Splunk Enterprise Certified Architect test questions that will help you more.

SPLK-2002 pdf

SPLK-2002 PDF

$36.75  $104.99
SPLK-2002 Engine

SPLK-2002 Testing Engine

$43.75  $124.99
SPLK-2002 PDF + Engine

SPLK-2002 PDF + Testing Engine

$57.75  $164.99
Questions 1

(Which of the following must be included in a deployment plan?)

Options:

A.  

Future topology diagrams of the IT environment.

B.  

A comprehensive list of stakeholders, either direct or indirect.

C.  

Current logging details and data source inventory.

D.  

Business continuity and disaster recovery plans.

Discussion 0
Questions 2

Splunk Enterprise performs a cyclic redundancy check (CRC) against the first and last bytes to prevent the same file from being re-indexed if it is rotated or renamed. What is the number of bytes sampled by default?

Options:

A.  

128

B.  

512

C.  

256

D.  

64

Discussion 0
Questions 3

A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web source. Further investigation reveals that not all weblogs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department.

Which of the following items might be the cause of this issue?

Options:

A.  

The search head may have different configurations than the indexers.

B.  

The data inputs are not properly configured across all the forwarders.

C.  

The indexers may have different configurations than the heavy forwarders.

D.  

The forwarders managed by the other department are an older version than the rest.

Discussion 0
Questions 4

Which index-time props.conf attributes impact indexing performance? (Select all that apply.)

Options:

A.  

REPORT

B.  

LINE_BREAKER

C.  

ANNOTATE_PUNCT

D.  

SHOULD_LINEMERGE

Discussion 0
Questions 5

A Splunk deployment is being architected and the customer will be using Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI). Through data onboarding and sizing, it is determined that over 200 discrete KPIs will be tracked by ITSI and 1TB of data per day by ES. What topology ensures a scalable and performant deployment?

Options:

A.  

Two search heads, one for ITSI and one for ES.

B.  

Two search head clusters, one for ITSI and one for ES.

C.  

One search head cluster with both ITSI and ES installed.

D.  

One search head with both ITSI and ES installed.

Discussion 0
Questions 6

A Splunk instance has crashed, but no crash log was generated. There is an attempt to determine what user activity caused the crash by running the following search:

What does searching for closed_txn=0 do in this search?

Options:

A.  

Filters results to situations where Splunk was started and stopped multiple times.

B.  

Filters results to situations where Splunk was started and stopped once.

C.  

Filters results to situations where Splunk was stopped and then immediately restarted.

D.  

Filters results to situations where Splunk was started, but not stopped.

Discussion 0
Questions 7

(The performance of a specific search is performing poorly. The search must run over All Time and is expected to have very few results. Analysis shows that the search accesses a very large number of buckets in a large index. What step would most significantly improve the performance of this search?)

Options:

A.  

Increase the disk I/O hardware performance.

B.  

Increase the number of indexing pipelines.

C.  

Set indexed_realtime_use_by_default = true in limits.conf.

D.  

Change this to a real-time search using an All Time window.

Discussion 0
Questions 8

Of the following types of files within an index bucket, which file type may consume the most disk?

Options:

A.  

Rawdata

B.  

Bloom filter

C.  

Metadata (.data)

D.  

Inverted index (.tsidx)

Discussion 0
Questions 9

Which of the following is a good practice for a search head cluster deployer?

Options:

A.  

The deployer only distributes configurations to search head cluster members when they “phone home”.

B.  

The deployer must be used to distribute non-replicable configurations to search head cluster members.

C.  

The deployer must distribute configurations to search head cluster members to be valid configurations.

D.  

The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle.

Discussion 0
Questions 10

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

Options:

A.  

Input

B.  

Search

C.  

Parsing

D.  

Indexing

Discussion 0
Questions 11

Which of the following server. conf stanzas indicates the Indexer Discovery feature has not been fully configured (restart pending) on the Master Node?

A)

B)

C)

D)

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Questions 12

Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

Options:

A.  

Is the job scheduler for the entire SHC.

B.  

Manages alert action suppressions (throttling).

C.  

Synchronizes the member list with the KV store primary.

D.  

Replicates the SHC's knowledge bundle to the search peers.

Discussion 0
Questions 13

(Which of the following is a benefit of using SmartStore?)

Options:

A.  

Automatic selection of replication and search factors.

B.  

Separating storage from compute.

C.  

Knowledge Object replication.

D.  

Cluster Manager is no longer required.

Discussion 0
Questions 14

(If the maxDataSize attribute is set to auto_high_volume in indexes.conf on a 64-bit operating system, what is the maximum hot bucket size?)

Options:

A.  

4 GB

B.  

750 MB

C.  

10 GB

D.  

1 GB

Discussion 0
Questions 15

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

Options:

A.  

Replace the indexer storage to solid state drives (SSD).

B.  

Add more search heads and redistribute users based on the search type.

C.  

Look for slow searches and reschedule them to run during an off-peak time.

D.  

Add more search peers and make sure forwarders distribute data evenly across all indexers.

Discussion 0
Questions 16

How does IT Service Intelligence (ITSI) impact the planning of a Splunk deployment?

Options:

A.  

ITSI requires a dedicated deployment server.

B.  

The amount of users using ITSI will not impact performance.

C.  

ITSI in a Splunk deployment does not require additional hardware resources.

D.  

Depending on the Key Performance Indicators that are being tracked, additional infrastructure may be needed.

Discussion 0
Questions 17

Which Splunk log file would be the least helpful in troubleshooting a crash?

Options:

A.  

splunk_instrumentation.log

B.  

splunkd_stderr.log

C.  

crash-2022-05-13-ll:42:57.1og

D.  

splunkd.log

Discussion 0
Questions 18

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

Options:

A.  

Create a job server on the cluster.

B.  

Add another search head to the cluster.

C.  

server.conf captain_is_adhoc_searchhead = true.

D.  

Change limits.conf value for max_searches_per_cpu to a higher value.

Discussion 0
Questions 19

Which of the following describe migration from single-site to multisite index replication?

Options:

A.  

A master node is required at each site.

B.  

Multisite policies apply to new data only.

C.  

Single-site buckets instantly receive the multisite policies.

D.  

Multisite total values should not exceed any single-site factors.

Discussion 0
Questions 20

What information is written to the __introspection log file?

Options:

A.  

File monitor input configurations.

B.  

File monitor checkpoint offset.

C.  

User activities and knowledge objects.

D.  

KV store performance.

Discussion 0
Questions 21

In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

Options:

A.  

Use the Monitoring Console.

B.  

Use the Search Head Clustering settings menu from Splunk Web on any member.

C.  

Run the splunk transfer shcluster-captain command from the current captain.

D.  

Run the splunk transfer shcluster-captain command from the member you would like to become the captain.

Discussion 0
Questions 22

When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?

Options:

A.  

Index and .tsidx files.

B.  

Rawdata and index files.

C.  

Compressed and .tsidx files.

D.  

Compressed and meta data files.

Discussion 0
Questions 23

New data has been added to a monitor input file. However, searches only show older data.

Which splunkd. log channel would help troubleshoot this issue?

Options:

A.  

Modularlnputs

B.  

TailingProcessor

C.  

ChunkedLBProcessor

D.  

ArchiveProcessor

Discussion 0
Questions 24

(A customer has a Splunk Enterprise deployment and wants to collect data from universal forwarders. What is the best step to secure log traffic?)

Options:

A.  

Create signed SSL certificates and use them to encrypt data between the forwarders and indexers.

B.  

Use the Splunk provided SSL certificates to encrypt data between the forwarders and indexers.

C.  

Ensure all forwarder traffic is routed through a web application firewall (WAF).

D.  

Create signed SSL certificates and use them to encrypt data between the search heads and indexers.

Discussion 0
Questions 25

Which of the following Splunk deployments has the recommended minimum components for a high-availability search head cluster?

Options:

A.  

2 search heads, 1 deployer, 2 indexers

B.  

3 search heads, 1 deployer, 3 indexers

C.  

1 search head, 1 deployer, 3 indexers

D.  

2 search heads, 1 deployer, 3 indexers

Discussion 0
Questions 26

(Where can files be placed in a configuration bundle on a search peer that will persist after a new configuration bundle has been deployed?)

Options:

A.  

In the $SPLUNK_HOME/etc/slave-apps//local folder.

B.  

In the $SPLUNK_HOME/etc/master-apps//local folder.

C.  

Nowhere; the entire configuration bundle is overwritten with each push.

D.  

In the $SPLUNK_HOME/etc/slave-apps/_cluster/local folder.

Discussion 0
Questions 27

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

Options:

A.  

Via Splunk Web.

B.  

Directly edit SPLUNK_HOME/etc./system/local/server.conf

C.  

Run a Splunk edit cluster-config command from the CLI.

D.  

Directly edit SPLUNK_HOME/etc/system/default/server.conf

Discussion 0
Questions 28

Which of the following is a best practice to maximize indexing performance?

Options:

A.  

Use automatic source typing.

B.  

Use the Splunk default settings.

C.  

Not use pre-trained source types.

D.  

Minimize configuration generality.

Discussion 0
Questions 29

Which of the following is unsupported in a production environment?

Options:

A.  

Cluster Manager can run on the Monitoring Console instance in smaller environments.

B.  

Search Head Cluster Deployer can run on the Monitoring Console instance in smaller environments.

C.  

Search heads in a Search Head Cluster can run on virtual machines.

D.  

Indexers in an indexer cluster can run on virtual machines.

Discussion 0
Questions 30

metrics. log is stored in which index?

Options:

A.  

main

B.  

_telemetry

C.  

_internal

D.  

_introspection

Discussion 0
Questions 31

Users are asking the Splunk administrator to thaw recently-frozen buckets very frequently. What could the Splunk administrator do to reduce the need to thaw buckets?

Options:

A.  

Change f rozenTimePeriodlnSecs to a larger value.

B.  

Change maxTotalDataSizeMB to a smaller value.

C.  

Change maxHotSpanSecs to a larger value.

D.  

Change coldToFrozenDir to a different location.

Discussion 0
Questions 32

When adding or rejoining a member to a search head cluster, the following error is displayed:

Error pulling configurations from the search head cluster captain; consider performing a destructive configuration resync on this search head cluster member.

What corrective action should be taken?

Options:

A.  

Restart the search head.

B.  

Run the splunk apply shcluster-bundle command from the deployer.

C.  

Run the clean raft command on all members of the search head cluster.

D.  

Run the splunk resync shcluster-replicated-config command on this member.

Discussion 0
Questions 33

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

Options:

A.  

Data encryption between Splunk Web and splunkd.

B.  

Certificate authentication between forwarders and indexers.

C.  

Certificate authentication between Splunk Web and search head.

D.  

Data encryption for distributed search between search heads and indexers.

Discussion 0
Questions 34

How can internal logging levels in a Splunk environment be changed to troubleshoot an issue? (select all that apply)

Options:

A.  

Use the Monitoring Console (MC).

B.  

Use Splunk command line.

C.  

Use Splunk Web.

D.  

Edit log-local. cfg.

Discussion 0
Questions 35

Which Splunk server role regulates the functioning of indexer cluster?

Options:

A.  

Indexer

B.  

Deployer

C.  

Master Node

D.  

Monitoring Console

Discussion 0
Questions 36

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

Options:

A.  

Auto

B.  

None

C.  

True

D.  

False

Discussion 0
Questions 37

Which of the following would be the least helpful in troubleshooting contents of Splunk configuration files?

Options:

A.  

crash logs

B.  

search.log

C.  

btool output

D.  

diagnostic logs

Discussion 0
Questions 38

Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

Options:

A.  

site_mappings

B.  

available_sites

C.  

site_search_factor

D.  

site_replication_factor

Discussion 0
Questions 39

A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

Options:

A.  

splunk add cluster-config

B.  

splunk add cluster-master

C.  

splunk edit cluster-config

D.  

splunk edit cluster-master

Discussion 0
Questions 40

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

Options:

A.  

site_search_factor = origin:2, site1:2, total:4

B.  

site_search_factor = origin:2, site2:1, total:4

C.  

site_replication_factor = origin:2, site1:2, total:4

D.  

site_replication_factor = origin:2, site2:1, total:4

Discussion 0
Questions 41

What is the default log size for Splunk internal logs?

Options:

A.  

10MB

B.  

20 MB

C.  

25MB

D.  

30MB

Discussion 0
Questions 42

(Which of the following has no impact on search performance?)

Options:

A.  

Decreasing the phone home interval for deployment clients.

B.  

Increasing the number of indexers in the indexer tier.

C.  

Allocating compute and memory resources with Workload Management.

D.  

Increasing the number of search heads in a Search Head Cluster.

Discussion 0
Questions 43

When should a dedicated deployment server be used?

Options:

A.  

When there are more than 50 search peers.

B.  

When there are more than 50 apps to deploy to deployment clients.

C.  

When there are more than 50 deployment clients.

D.  

When there are more than 50 server classes.

Discussion 0
Questions 44

(What are the possible values for the mode attribute in server.conf for a Splunk server in the [clustering] stanza?)

Options:

A.  

[clustering] mode = peer

B.  

[clustering] mode = searchhead

C.  

[clustering] mode = deployer

D.  

[clustering] mode = manager

Discussion 0
Questions 45

Which of the following is an indexer clustering requirement?

Options:

A.  

Must use shared storage.

B.  

Must reside on a dedicated rack.

C.  

Must have at least three members.

D.  

Must share the same license pool.

Discussion 0
Questions 46

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

Options:

A.  

Check serverclass.conf of the deployment server.

B.  

Check deploymentclient.conf of the deployment client.

C.  

Check the content of SPLUNK_HOME/etc/apps of the deployment server.

D.  

Search for relevant events in splunkd.log of the deployment server.

Discussion 0
Questions 47

As a best practice, where should the internal licensing logs be stored?

Options:

A.  

Indexing layer.

B.  

License server.

C.  

Deployment layer.

D.  

Search head layer.

Discussion 0
Questions 48

(An admin removed and re-added search head cluster (SHC) members as part of patching the operating system. When trying to re-add the first member, a script reverted the SHC member to a previous backup, and the member refuses to join the cluster. What is the best approach to fix the member so that it can re-join?)

Options:

A.  

Review splunkd.log for configuration changes preventing the addition of the member.

B.  

Delete the [shclustering] stanza in server.conf and restart Splunk.

C.  

Force the member add by running splunk edit shcluster-config —force.

D.  

Clean the Raft metadata using splunk clean raft.

Discussion 0
Questions 49

(When planning user management for a new Splunk deployment, which task can be disregarded?)

Options:

A.  

Identify users authenticating with Splunk native authentication.

B.  

Identify users authenticating with Splunk using LDAP or SAML.

C.  

Determine the number of users present in Splunk log events.

D.  

Determine the capabilities users need within the Splunk environment.

Discussion 0
Questions 50

On search head cluster members, where in $splunk_home does the Splunk Deployer deploy app content by default?

Options:

A.  

etc/apps/

B.  

etc/slave-apps/

C.  

etc/shcluster/

D.  

etc/deploy-apps/

Discussion 0
Questions 51

When configuring a Splunk indexer cluster, what are the default values for replication and search factor?

Options:

A.  

replication_factor = 2search_factor = 2

B.  

replication_factor = 2search factor = 3

C.  

replication_factor = 3search_factor = 2

D.  

replication_factor = 3search factor = 3

Discussion 0
Questions 52

Which search will show all deployment client messages from the client (UF)?

Options:

A.  

index=_audit component=DC* host= | stats count by message

B.  

index=_audit component=DC* host= | stats count by message

C.  

index=_internal component= DC* host= | stats count by message

D.  

index=_internal component=DS* host= | stats count by message

Discussion 0
Questions 53

(It is possible to lose UI edit functionality after manually editing which of the following files in the deployment server?)

Options:

A.  

serverclass.conf

B.  

deploymentclient.conf

C.  

inputs.conf

D.  

deploymentserver.conf

Discussion 0
Questions 54

(Which of the following is not facilitated by the deployer?)

Options:

A.  

Replication of knowledge objects.

B.  

Deployment of baseline app configurations.

C.  

Distribute non-replicated, non-runtime configuration updates.

D.  

Migration of app and user configurations into the search head cluster.

Discussion 0
Questions 55

When designing the number and size of indexes, which of the following considerations should be applied?

Options:

A.  

Expected daily ingest volume, access controls, number of concurrent users

B.  

Number of installed apps, expected daily ingest volume, data retention time policies

C.  

Data retention time policies, number of installed apps, access controls

D.  

Expected daily ingest volumes, data retention time policies, access controls

Discussion 0
Questions 56

Users who receive a link to a search are receiving an "Unknown sid" error message when they open the link.

Why is this happening?

Options:

A.  

The users have insufficient permissions.

B.  

An add-on needs to be updated.

C.  

The search job has expired.

D.  

One or more indexers are down.

Discussion 0
Questions 57

(Which command is used to initially add a search head to a single-site indexer cluster?)

Options:

A.  

splunk edit cluster-config -mode searchhead -manager_uri https://10.0.0.1:8089 -secret changeme

B.  

splunk edit cluster-config -mode peer -manager_uri https://10.0.0.1:8089 -secret changeme

C.  

splunk add cluster-manager -manager_uri https://10.0.0.1:8089 -secret changeme

D.  

splunk add cluster-manager -mode searchhead -manager_uri https://10.0.0.1:8089 -secret changeme

Discussion 0
Questions 58

(On which Splunk components does the Splunk App for Enterprise Security place the most load?)

Options:

A.  

Indexers

B.  

Cluster Managers

C.  

Search Heads

D.  

Heavy Forwarders

Discussion 0
Questions 59

Which CLI command converts a Splunk instance to a license slave?

Options:

A.  

splunk add licenses

B.  

splunk list licenser-slaves

C.  

splunk edit licenser-localslave

D.  

splunk list licenser-localslave

Discussion 0
Questions 60

When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

Options:

A.  

1. Delete Splunk Enterprise, if it exists.2. Install and initialize the instance.3. Join the SHC.

B.  

1. Install and initialize the instance.2. Delete Splunk Enterprise, if it exists.3. Join the SHC.

C.  

1. Initialize cluster rebalance operation.2. Remove master node from cluster.3. Trigger replication.

D.  

1. Trigger replication.2. Remove master node from cluster.3. Initialize cluster rebalance operation.

Discussion 0