Splunk Architect Exam Study Guide with Solutions, Exams of Architecture

This study guide provides a comprehensive overview of Splunk architecture, covering key concepts such as indexer clustering, search head clustering, data forwarding, and data indexing. It includes multiple-choice questions with answers, designed to help users prepare for the Splunk Architect exam. The guide explores topics like multisite indexer clusters, deployment server, master node, replication factor, search factor, remote storage, and search extensibility.

Typology: Exams

2024/2025

Available from 01/31/2025

Achieverr
Splunk Architect Exam Study Guide with solutions

Which of the following statements are true regarding multisite indexer clusters?
A. Each site has its own set of peer nodes, but they all use the same search heads
B. Each site also obeys site-specific replication and search factor rules
C. The cluster administrator defines the "sites"
D. B&C
E. All of the above
F. None of the above - CORRECT ANSWERS ✔✔D

_________ controls and manages index replication, as well as distributes apps and configurations.
A. Deployment Server
B. Deployer Server
C. Master Node
D. Peer Nodes - CORRECT ANSWERS ✔✔C

Peer nodes index data from inputs/forwarders and replicate data to other peer nodes as instructed by the deployment server.

True or False? - CORRECT ANSWERS ✔✔False (as instructed by Master Node)

Multisite clusters offer two key benefits: Disaster Recovery and Search Affinity.
True or False? - CORRECT ANSWERS ✔✔True

There can be only one Master Node, even in a multisite cluster.
True or False? - CORRECT ANSWERS ✔✔True

Which of the following are true statements about how a master node manages an index cluster?
A. Coordinates the replicating activities of the peer nodes
B. Tells search heads where to find the data
C. Orchestrates remedial activities if a peer becomes unavailable
D. B&C
E. All of the above - CORRECT ANSWERS ✔✔E

The cluster will continue to operate while the Master Node is offline.

B. 2
C. 4
D. 1 - CORRECT ANSWERS ✔✔B

For indexer clustering, best practice for a single-site mode is to have at least _______ nodes as a minimum.
A. RF+
B. RF+
C. SF+
D. SF+2 - CORRECT ANSWERS ✔✔A

Regarding Remote Storage/SmartStore, hot buckets and warm buckets are stored remotely and retrieved using the cache manager.
True or False? - CORRECT ANSWERS ✔✔False

Regarding SmartStore and index clustering, the indexer cluster can recover all of its warm bucket data even when the number of failed nodes equals or exceeds the replication factor.
True or False? - CORRECT ANSWERS ✔✔True

All search heads in a cluster must have matching hardware specs.
True or False? - CORRECT ANSWERS ✔✔True

You can run the same searches, view the same dashboards and access the same search results from any search head in a cluster.
True or False? - CORRECT ANSWERS ✔✔True

For Search Head clustering, the requirements include at least ___ search heads and a _________.
A. 2, deployment server
B. 3, deployment server
C. 2, deployer
D. 3, deployer - CORRECT ANSWERS ✔✔D - 3, deployer

Regarding Search Head clustering, the sizing guidelines for a ________ state that it must have sufficient CPU and network resources to service requests and to push configurations.
A. Search head
B. Deployment server
C. Deployer server

When forwarding data to other systems via TCP, Splunk is unable to send raw text or syslog.
True or False? - CORRECT ANSWERS ✔✔False - TCP sends raw text and syslog data

SDKs help to simplify code development for languages such as Python & C#.
True or False? - CORRECT ANSWERS ✔✔True: JavaScript & Java as well

Hadoop searches only work in _________ installs.
A. Windows
B. DOS
C. Town OS by Fujitsu
D. Linux - CORRECT ANSWERS ✔✔D

Scheduled searches leverage the functionality of Splunk alerts.
True or False? - CORRECT ANSWERS ✔✔True

Splunk Analytics for Hadoop requires at least 2 Search Heads to access both Splunk index and HDFS.
True or False? - CORRECT ANSWERS ✔✔False: Accesses both Splunk indexes & HDFS from single SH

Search Extensibility includes: (Select all that apply)
A. Indexers
B. Custom Search commands
C. Workflow Actions
D. Custom Navigation
E. Universal Forwarders
F. Scripted lookups - CORRECT ANSWERS ✔✔B C D F

There are over 200 endpoints the REST API can interact with in a Splunk instance.
True or False? - CORRECT ANSWERS ✔✔True

The benefits of deferred processing on raw events until search time include:
A. increase in indexing speed

D. Inverted index - CORRECT ANSWERS ✔✔B

What data structure maps keywords to their locations in the rawdata?
A. Index filter
B. Bloom index
C. Meta index
D. Inverted index - CORRECT ANSWERS ✔✔D

To save disk space and reduce bucket size you can enable tsidx reduction by setting the attribute timePeriodInSecBeforeTsidxReduction in:
A. indexes.conf
B. props.conf
C. limits.conf
D. metrics.conf - CORRECT ANSWERS ✔✔A

To estimate indexing input volume and data capacity, utilize the following metrics: (Select all that apply)
A. Verify raw log sizes
B. Daily, peak, retained and future volume
C. Total number of data sources
D. Total number of hosts - CORRECT ANSWERS ✔✔A B C D

Syslog data is estimated to be 50% of its original data size after compression, divided between the index files in the following ratio:
A. rawdata 35%, tsidx 15%
B. rawdata 15%, tsidx 35%
C. rawdata 40%, tsidx 10%
D. rawdata 10%, tsidx 40% - CORRECT ANSWERS ✔✔B

Splunk apps are often chosen based on:
A. Devices or technologies in the production environment
B. Use cases
C. Inputs
D. Cost - CORRECT ANSWERS ✔✔A B C

All retention settings apply on a per-index basis and all data sources within an index should have the same retention.
True or False? - CORRECT ANSWERS ✔✔True

What is the default throughput setting for a UF? How do you evaluate the value? Name the .conf file that should be used in order to increase the value for high velocity sources.
A. 256KBps, value=ratio of forwarders to indexers, server.conf
B. 512KBps, value=ratio of indexers to forwarders, limits.conf
C. 256KBps, value=ratio of forwarders to indexers, limits.conf
D. 512KBps, value=ratio of forwarders to indexers, server.conf - CORRECT ANSWERS ✔✔C

You should store configurations in $SPLUNK_HOME/etc/system/local on deployment clients.
True or False? - CORRECT ANSWERS ✔✔False, you should NOT store .conf files in /etc/system/local because system-level configurations on clients cannot be overridden by the Deployment Server.

You should build an install script/package for clients with only the files needed to contact the DS (basic installation + deploymentclient.conf), as clients will get the rest of the configuration information from the DS.
True or False? - CORRECT ANSWERS ✔✔True

Deployer supports both push and pull mechanisms: apps are pushed to SH cluster members, and polled by new or restarted SH cluster members for updates.
True or False? - CORRECT ANSWERS ✔✔True

You can use the deployment server to directly distribute apps to peer nodes or SHC members.
True or False? - CORRECT ANSWERS ✔✔False, Deployment Server is used to push apps to forwarders. Deployer is used to push apps to SHC cluster members.

Use Health Check for a high-level summary of your system's performance.
True or False? - CORRECT ANSWERS ✔✔True

For performance monitoring and tuning your Splunk environment, you can improve performance by using limits.conf.
True or False? - CORRECT ANSWERS ✔✔True, for example, you can set multiple search pipelines if you have unused CPU/memory resources using "batch_search_max_pipeline = 2" in the [search] stanza.

line_breaker= in props.conf goes hand-in-hand with should_linemerge=
True or False? - CORRECT ANSWERS ✔✔True

tz= in props.conf will automatically include the timezone of the UF.
True or False? - CORRECT ANSWERS ✔✔True, if you are not using the UF, it is important to include the timezone in your configs so that time is displayed properly.

For improved search performance: (Select all that apply)
A. Make sure the disk I/O is good. Increase CPU h/w only if needed
B. Add additional search peers (indexers)
C. Analyze the resource consumption on both the indexer and search tier to diagnose slow searches
D. Rebalance buckets (only available in indexer clustering)
E. B & D
F. All of the above - CORRECT ANSWERS ✔✔F

If an app contains large files that do not need to be shared with the indexers, then you can blacklist large lookup files.
True or False? - CORRECT ANSWERS ✔✔True

Basic sizing considerations of your Splunk deployment should include: (Select all that apply)
A. Amount of incoming and stored data.
B. Number of concurrent users.
C. Types of searches.
D. Number of scheduled searches
E. Acceleration
F. Specific Splunk apps
G. The disk write speed of hard drives. - CORRECT ANSWERS ✔✔A B C D E F

To get the most IOPS choose hard drives with:
A. Data acceleration capability.

Additional Components - Sizing
License Master - CPU ____, Memory ____, Disk ____, Network ____
Deployment Server - CPU ____, Memory ____, Disk ____, Network ____
Master Node - CPU ____, Memory ____, Disk ____, Network ____
Deployer - CPU ____, Memory ____, Disk ____, Network ____
(low, med OR high; 256kbps, 512kbps OR 1Gb) - CORRECT ANSWERS ✔✔
License Master - CPU low, Memory low, Disk low, Network 1GB
Deployment Server - CPU med, Memory med, Disk low, Network 1Gb
Master Node - CPU med, Memory med, Disk low, Network 1Gb
Deployer - CPU low, Memory low, Disk low, Network 1Gb

ES considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH
C. SH Cluster
D. 12 CPU / 16GB RAM
E. 16 CPU / 32GB RAM
F. One indexer per 500GB
G. One indexer per 100GB - CORRECT ANSWERS ✔✔B, C, E, G

ITSI considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH / SH Cluster - optional
C. Dedicated SH / SH Cluster - Required
D. SH's 8 CPU / 8GB RAM
E. SH's 12 CPU / 12GB RAM
F. Indexers 12 CPU / 12GB RAM
G. Indexers 16/32 CPU physical/logical / 32GB RAM - CORRECT ANSWERS ✔✔B, E, G

HTTPS transport is not available end-to-end.
True or False? - CORRECT ANSWERS ✔✔False - It IS available end-to-end: Create own Certs, Distributed search, Forwarder to indexer over TCP, Web browser access to Splunk Web.

HTTPS transport is enabled by default between SH & Indexer in Distributed Search?