What log file would you search to verify if you suspect there is a problem interpreting a regular expression in a monitor stanza?
A. btool.log
B. metrics.log
C. splunkd.log
D. tailing_processor.log
What is the minimum reference server specification for a Splunk indexer?
A. 12 CPU cores, 12GB RAM, 800 IOPS
B. 16 CPU cores, 16GB RAM, 800 IOPS
C. 24 CPU cores, 16GB RAM, 1200 IOPS
D. 28 CPU cores, 32GB RAM, 1200 IOPS
Which CLI command converts a Splunk instance to a license slave?
A. splunk add licenses
B. splunk list licenser-slaves
C. splunk edit licenser-localslave
D. splunk list licenser-localslave
To reduce the captain's workload in a search head cluster, what setting will prevent scheduled searches from running on the captain?
A. adhoc_searchhead = true (on all members)
B. adhoc_searchhead = true (on the current captain)
C. captain_is_adhoc_searchhead = true (on all members)
D. captain_is_adhoc_searchhead = true (on the current captain)
Before users can use a KV store, an admin must create a collection. Where is a collection defined?
A. kvstore.conf
B. collection.conf
C. collections.conf
D. kvcollections.conf
To optimize the distribution of primary buckets, when does primary rebalancing automatically occur? (Select all that apply.)
A. Rolling restart completes.
B. Master node rejoins the cluster.
C. Captain joins or rejoins cluster.
D. A peer node joins or rejoins the cluster.
Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?
A. Master
B. Captain
C. Deployer
D. Deployment server
Which command is used for thawing the archive bucket?
A. Splunk collect
B. Splunk convert
C. Splunk rebuild
D. Splunk dbinspect
As a best practice, where should the internal licensing logs be stored?
A. Indexing layer.
B. License server.
C. Deployment layer.
D. Search head layer.
Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)
A. Identify number of scheduled or real-time searches.
B. Validate if this Technical Add-On enables event data for a data model.
C. Identify the maximum number of forwarders the Technical Add-On can support.
D. Verify if the Technical Add-On needs to be installed onto both a search head or indexer.