Free Splunk SPLK-2002 Practice Exam with Questions & Answers | Set: 3

The Indexer Discovery feature enables forwarders to dynamically connect to the available peer nodes in an indexer cluster. To use this feature, the manager node must be configured with the [indexer_discovery] stanza and a pass4SymmKey value. The forwarders must also be configured with the same pass4SymmKey value and the master_uri of the manager node. The pass4SymmKey value must be encrypted using the splunk _encrypt command. Therefore, option A indicates that the Indexer Discovery feature has not been fully configured on the manager node, because the pass4SymmKey value is not encrypted. The other options are not related to the Indexer Discovery feature. Option B shows the configuration of a forwarder that is part of an indexer cluster. Option C shows the configuration of a manager node that is part of an indexer cluster. Option D shows an invalid configuration of the [indexer_discovery] stanza, because the pass4SymmKey value is not encrypted and does not match the forwarders’ pass4SymmKey value12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/indexerdiscovery 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Secureyourconfigurationfiles#Encrypt_the_pass4SymmKey_setting_in_server.conf

According to the Splunk documentation1, determining data capacity for an index is a complex task that depends on several factors, such as:

Average size of event data. This is the average number of bytes per event that you send to Splunk. The larger the events, the more storage space they require and the more indexing time they consume.

Number of data sources. This is the number of different types of data that you send to Splunk, such as logs, metrics, network packets, etc. The more data sources you have, the more diverse and complex your data is, and the more processing and parsing Splunk needs to do to index it.

Peak data rates. This is the maximum amount of data that you send to Splunk per second, minute, hour, or day. The higher the peak data rates, the more load and pressure Splunk faces to index the data in a timely manner.

The other option is false because:

Number of concurrent searches on data. This is not a factor that affects daily indexing volume, as it is related to the search performance and the search scheduler, not the indexing process. However, it can affect the overall resource utilization and the responsiveness of Splunk2.

Decreasing the data model acceleration range will reduce the disk size requirements for a cluster of indexers running Splunk Enterprise Security. Data model acceleration creates tsidx files that consume disk space on the indexers. Reducing the acceleration range will limit the amount of data that is accelerated and thus save disk space. Setting the cluster search factor or replication factor to N-1 will not reduce the disk size requirements, but rather increase the risk of data loss. Increasing the number of buckets per index will also increase the disk size requirements, as each bucket has a minimum size. For more information, see Data model acceleration and Bucket size in the Splunk documentation.

 The tailing_processor.log file would be the best place to search if you suspect there is a problem interpreting a regular expression in a monitor stanza. This log file contains information about how Splunk monitors files and directories, including any errors or warnings related to parsing the monitor stanza. The splunkd.log file contains general information about the Splunk daemon, but it may not have the specific details about the monitor stanza. The btool.log file contains information about the configuration files, but it does not log the runtime behavior of the monitor stanza. The metrics.log file contains information about the performance metrics of Splunk, but it does not log the event breaking issues. For more information, see About Splunk Enterprise logging in the Splunk documentation.

According to the Splunk documentation1, indexer cluster knowledge bundles are the configuration files that the cluster master distributes to the peer nodes as part of the cluster configuration bundle. The knowledge bundles contain the knowledge objects, such as event types, tags, lookups, and so on, that are relevant for indexing and searching the data. The cluster master creates the knowledge bundles by merging the app-name/default and app-name/local directories from the apps that reside on the master node. The cluster master then pushes the knowledge bundles to the peer nodes, where they reside under the $SPLUNK_HOME/var/run directory2. The other options are false because:

Only app-name/local is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes. The app-name/local directory contains the local customizations of the app configuration, while the app-name/default directory contains the default app configuration3.

Only app-name/default is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes. The app-name/default directory contains the default app configuration, while the app-name/local directory contains the local customizations of the app configuration3.

app-name/default and app-name/local are pushed without change. This is false because the cluster master merges the app-name/default and app-name/local directories before pushing them to the peer nodes. This ensures that the peer nodes have the latest and consistent configuration of the apps3.

The correct topology to ensure a scalable and performant deployment for the customer’s use case is two search head clusters, one for ITSI and one for ES. This configuration provides high availability, load balancing, and isolation for each Splunk app. According to the Splunk documentation1, ITSI and ES should not be installed on the same search head or search head cluster, as they have different requirements and may interfere with each other. Having two separate search head clusters allows each app to have its own dedicated resources and configuration, and avoids potential conflicts and performance issues1. The other options are not recommended, as they either have only one search head or search head cluster, which reduces the availability and scalability of the deployment, or they have both ITSI and ES installed on the same search head or search head cluster, which violates the best practices and may cause problems. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: Splunk IT Service Intelligence and Splunk Enterprise Security compatibility

Per the Search Head Clustering (SHC) Deployer Administration Guide, the deployer is responsible for distributing configuration bundles, apps, and baseline settings to all members of a Search Head Cluster (SHC). However, the replication of knowledge objects (Option A) is not handled by the deployer.

Knowledge object replication—covering items such as saved searches, dashboards, lookups, and alerts—is managed internally within the Search Head Cluster using the captain node. The captain coordinates replication among all SHC members using a mechanism called Knowledge Object Replication Framework, which ensures that user-created or runtime configuration changes (e.g., dashboards saved in Splunk Web) are automatically shared across members.

In contrast, the deployer’s primary responsibilities include:

Deploying and updating baseline app configurations (Option B).

Distributing non-replicated, non-runtime configuration updates like props, transforms, and inputs (Option C).

Assisting in the initial migration of apps and configurations into a cluster during setup (Option D).

Therefore, while the deployer handles static configuration management, knowledge object replication is performed dynamically by the SHC itself under captain control, making Option A the correct answer.

References (Splunk Enterprise Documentation):

• Search Head Clustering: How the Deployer Works

• Managing Knowledge Object Replication in Search Head Clusters

• Splunk Enterprise Admin Manual – Deployer vs. Captain Responsibilities

• Distributing Apps and Configurations with the Deployer

According to the Indexer Clustering Administration Guide, the most efficient and Splunk-recommended way to configure and manage receiving ports for all clustered indexers (peer nodes) is through the Cluster Manager (previously known as the Master Node).

In a clustered environment, configuration changes that affect all peer nodes—such as receiving port definitions—should be managed centrally. The correct procedure is to define the inputs configuration file (inputs.conf) within the Cluster Manager’s manager-apps directory. Specifically, the configuration is placed in:

$SPLUNK_HOME/etc/manager-apps/_cluster/local/inputs.conf

and then deployed to all peers using the configuration bundle push mechanism.

This centralized approach ensures consistency across all peer nodes, prevents manual configuration drift, and allows Splunk to maintain uniform ingestion behavior across the cluster.

Running splunk enable listen on each peer (Option C) or manually configuring inputs via Splunk Web (Option A) introduces inconsistencies and is not recommended in clustered deployments. Using the deployment-apps path (Option B) is meant for deployment servers, not for cluster management.

References (Splunk Enterprise Documentation):

• Indexer Clustering: Configure Peer Nodes via Cluster Manager

• Deploy Configuration Bundles from the Cluster Manager

• inputs.conf Reference – Receiving Data Configuration

• Splunk Enterprise Admin Manual – Managing Clustered Indexers

 The following statements are true regarding Splunk Enterprise performance:

Adding search peers increases the search throughput as search load increases. This is because adding more search peers distributes the search workload across more indexers, which reduces the load on each indexer and improves the search speed and concurrency.

Adding search heads provides additional CPU cores to run more concurrent searches. This is because adding more search heads increases the number of search processes that can run in parallel, which improves the search performance and scalability. The following statements are false regarding Splunk Enterprise performance:

Adding search peers does not increase the maximum size of search results. The maximum size of search results is determined by the maxresultrows setting in the limits.conf file, which is independent of the number of search peers.

Adding RAM to an existing search head does not provide additional search capacity. The search capacity of a search head is determined by the number of CPU cores, not the amount of RAM. Adding RAM to a search head may improve the search performance, but not the search capacity. For more information, see Splunk Enterprise performance in the Splunk documentation.

Splunk’s KV Store management documentation specifies that when converting a static CSV lookup to a KV Store lookup, the lookup data is stored in a MongoDB-based collection defined in collections.conf. To ensure that the KV Store lookup is replicated and available across all search head cluster members, administrators must include the attribute replicate=true within the collections.conf file.

This configuration instructs Splunk to replicate the KV Store collection’s data to all members in the Search Head Cluster (SHC), enabling consistent access and reliability across the cluster. Without this attribute, the KV Store collection would remain local to a single search head, making it unavailable for automatic lookups performed by other members.

Here’s an example configuration snippet from collections.conf:

[customer_lookup]

replicate = true

field.name = string

field.age = number

The attribute repFactor=true (mentioned in Options A and D) is unrelated to KV Store behavior—it applies to index replication, not KV Store replication. Similarly, replicate=true in lookups.conf (Option B) has no effect, as KV Store replication is controlled exclusively via collections.conf.

Once properly configured, the lookup can be defined in transforms.conf and referenced in props.conf for automatic lookup functionality.

References (Splunk Enterprise Documentation):

• KV Store Collections and Configuration – collections.conf Reference

• Managing KV Store Data in Search Head Clusters

• Automatic Lookup Configuration Using KV Store

• Splunk Enterprise Admin Manual – Distributed KV Store Replication Settings