This study guide provides a comprehensive overview of Splunk architecture, covering key concepts such as indexer clustering, search head clustering, data forwarding, and data indexing. It includes multiple-choice questions with answers, designed to help users prepare for the Splunk Architect exam. The guide explores topics like multisite indexer clusters, the deployment server, the master node, replication factor, search factor, remote storage, and search extensibility.
Typology: Exams
Which of the following statements are true regarding multisite indexer clusters?
A. Each site has its own set of peer nodes, but they all use the same search heads
B. Each site also obeys site-specific replication and search factor rules
C. The cluster administrator defines the "sites"
D. B&C
E. All of the above
F. None of the above
CORRECT ANSWERS ✔✔D

_________ controls and manages index replication, as well as distributes apps and configurations.
A. Deployment Server
B. Deployer Server
C. Master Node
D. Peer Nodes
CORRECT ANSWERS ✔✔C

Peer nodes index data from inputs/forwarders and replicate data to other peer nodes as instructed by the deployment server. True or False?
CORRECT ANSWERS ✔✔False, (as instructed by Master Node)

Multisite clusters offer two key benefits: Disaster Recovery and Search Affinity. True or False?
CORRECT ANSWERS ✔✔True

There can be only one Master Node, even in a multisite cluster. True or False?
CORRECT ANSWERS ✔✔True

Which of the following are true statements about how a master node manages an index cluster?
A. Coordinates the replicating activities of the peer nodes
B. Tells search heads where to find the data
C. Orchestrates remedial activities if a peer becomes unavailable
D. B&C
E. All of the above
CORRECT ANSWERS ✔✔E

The cluster will continue to operate while the Master Node is offline.
For indexer clustering, best practice for a single-site mode is to have at least _______ nodes as a minimum.
A. RF+
B. RF+
C. SF+
D. SF+2
CORRECT ANSWERS ✔✔A

Regarding Remote Storage/SmartStore, hot buckets and warm buckets are stored remotely and retrieved using the cache manager. True or False?
CORRECT ANSWERS ✔✔False

Regarding SmartStore and index clustering, the indexer cluster can recover all of its warm bucket data even when the number of failed nodes equals or exceeds the replication factor. True or False?
CORRECT ANSWERS ✔✔True

All search heads in a cluster must have matching hardware specs. True or False?
CORRECT ANSWERS ✔✔True

You can run the same searches, view the same dashboards and access the same search results from any search head in a cluster. True or False?
CORRECT ANSWERS ✔✔True

For Search Head clustering, the requirements include at least ___ search heads and a _________.
A. 2, deployment server
B. 3, deployment server
C. 2, deployer
D. 3, deployer
CORRECT ANSWERS ✔✔D - 3, deployer

Regarding Search Head clustering, the sizing guidelines for a ________ state that it must have sufficient CPU and network resources to service requests and to push configurations.
A. Search head
B. Deployment server
C. Deployer server
When forwarding data to other systems via TCP, Splunk is unable to send raw text or syslog. True or False?
CORRECT ANSWERS ✔✔False - TCP sends raw text and syslog data

SDKs help to simplify code development for languages such as Python & C#. True or False?
CORRECT ANSWERS ✔✔True: JavaScript & Java as well

Hadoop searches only work in _________ installs.
A. Windows
B. DOS
C. Town OS by Fujitsu
D. Linux
CORRECT ANSWERS ✔✔D

Scheduled searches leverage the functionality of Splunk alerts. True or False?
CORRECT ANSWERS ✔✔True

Splunk Analytics for Hadoop requires at least 2 Search Heads to access both Splunk index and HDFS. True or False?
CORRECT ANSWERS ✔✔False: Accesses both Splunk indexes & HDFS from single SH

Search Extensibility includes: (Select all that apply)
A. Indexers
B. Custom Search commands
C. Workflow Actions
D. Custom Navigation
E. Universal Forwarders
F. Scripted lookups
CORRECT ANSWERS ✔✔B C D F

There are over 200 endpoints the REST API can interact with in a Splunk instance. True or False?
CORRECT ANSWERS ✔✔True

The benefits of deferred processing on raw events until search time include:
A. increase in indexing speed
D. Inverted index - CORRECT ANSWERS ✔✔B

What data structure maps keywords to their locations in the rawdata?
A. Index filter
B. Bloom index
C. Meta index
D. Inverted index
CORRECT ANSWERS ✔✔D

To save disk space and reduce bucket size you can enable tsidx reduction by setting the attribute timePeriodInSecBeforeTsidxReduction in:
A. indexes.conf
B. props.conf
C. limits.conf
D. metrics.conf
CORRECT ANSWERS ✔✔A

To estimate indexing input volume and data capacity, utilize the following metrics: (Select all that apply)
A. Verify raw log sizes
B. Daily, peak, retained and future volume
C. Total number of data sources
D. Total number of hosts
CORRECT ANSWERS ✔✔A B C D

Syslog data is estimated to be 50% of its original data size after compression, divided between the index files in the following ratio:
A. rawdata 35%, tsidx 15%
B. rawdata 15%, tsidx 35%
C. rawdata 40%, tsidx 10%
D. rawdata 10%, tsidx 40%
CORRECT ANSWERS ✔✔B

Splunk apps are often chosen based on:
A. Devices or technologies in the production environment
B. Use cases
C. Inputs
D. Cost
CORRECT ANSWERS ✔✔A B C

All retention settings apply on a per-index basis and all data sources within an index should have the same retention. True or False?
CORRECT ANSWERS ✔✔True
What is the default throughput setting for a UF? How do you evaluate the value? Name the .conf file that should be used in order to increase the value for high velocity sources.
A. 256KBps, value=ratio of forwarders to indexers, server.conf
B. 512KBps, value=ratio of indexers to forwarders, limits.conf
C. 256KBps, value=ratio of forwarders to indexers, limits.conf
D. 512KBps, value=ratio of forwarders to indexers, server.conf
CORRECT ANSWERS ✔✔C

You should store configurations in $SPLUNK_HOME/etc/system/local on deployment clients. True or False?
CORRECT ANSWERS ✔✔False, You should NOT store .conf files in /etc/system/local because system-level configurations on clients cannot be overridden with Deployment Server.

You should build an install script/package for clients with only the files needed to contact the DS (basic installation + deploymentclient.conf), as clients will get the rest of the configuration information from the DS. True or False?
CORRECT ANSWERS ✔✔True

Deployer supports both push and pull mechanisms: apps are pushed to SH cluster members, and new or restarted SH cluster members poll it for updates. True or False?
CORRECT ANSWERS ✔✔True

You can use the deployment server to directly distribute apps to peer nodes or SHC members. True or False?
CORRECT ANSWERS ✔✔False, Deployment Server is used to push apps to forwarders. Deployer is used to push apps to SHC cluster members.

Use Health Check for a high-level summary of your system's performance. True or False?
CORRECT ANSWERS ✔✔True

For performance monitoring and tuning your Splunk environment, you can improve performance by using limits.conf. True or False?
CORRECT ANSWERS ✔✔True, for example, you can set multiple search pipelines if you have unused CPU/memory resources using "batch_search_max_pipeline = 2" in the [search] stanza.
line_breaker= in props.conf goes hand-in-hand with should_linemerge=. True or False?
CORRECT ANSWERS ✔✔True

tz= in props.conf will automatically include the timezone of the UF. True or False?
CORRECT ANSWERS ✔✔True, if you are not using the UF, it is important to include the timezone in your configs so that time is displayed properly.

For improved search performance: (Select all that apply)
A. Make sure the disk I/O is good. Increase CPU h/w only if needed
B. Add additional search peers (indexers)
C. Analyze the resource consumption on both the indexer and search tier to diagnose slow searches
D. Rebalance buckets (only available in indexer clustering)
F. All of the above
CORRECT ANSWERS ✔✔F

If an app contains large files that do not need to be shared with the indexers, then you can blacklist large lookup files. True or False?
CORRECT ANSWERS ✔✔True

Basic sizing considerations of your Splunk deployment should include: (Select all that apply)
A. Amount of incoming and stored data.
B. Number of concurrent users.
C. Types of searches.
D. Number of scheduled searches
E. Acceleration
F. Specific Splunk apps
G. The disk write speed of hard drives.
CORRECT ANSWERS ✔✔A B C D E F

To get the most IOPS choose hard drives with:
A. Data acceleration capability.
Additional Components - Sizing
License Master - CPU ____, Memory ____, Disk ____, Network ____
Deployment Server - CPU ____, Memory ____, Disk ____, Network ____
Master Node - CPU ____, Memory ____, Disk ____, Network ____
Deployer - CPU ____, Memory ____, Disk ____, Network ____
(low, med OR high; 256kbps, 512kbps OR 1Gb)
CORRECT ANSWERS ✔✔
License Master - CPU low, Memory low, Disk low, Network 1GB
Deployment Server - CPU med, Memory med, Disk low, Network 1Gb
Master Node - CPU med, Memory med, Disk low, Network 1Gb
Deployer - CPU low, Memory low, Disk low, Network 1Gb

ES considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH
C. SH Cluster
D. 12 CPU / 16GB RAM
E. 16 CPU / 32GB RAM
F. One indexer per 500GB
G. One indexer per 100GB
CORRECT ANSWERS ✔✔B, C, E, G

ITSI considerations for sizing & topology
A. Shared SH & other roles
B. Dedicated SH / SH Cluster - optional
C. Dedicated SH / SH Cluster - Required
D. SH's 8 CPU / 8GB RAM
E. SH's 12 CPU / 12GB RAM
F. Indexers 12 CPU / 12GB RAM
G. Indexers 16/32 CPU physical/logical / 32GB RAM
CORRECT ANSWERS ✔✔B, E, G

HTTPS transport is not available end-to-end. True or False?
CORRECT ANSWERS ✔✔False - It IS available end-to-end: Create own Certs, Distributed search, Forwarder to indexer over TCP, Web browser access to Splunk Web.

HTTPS transport is enabled by default between SH & Indexer in Distributed Search?