Splunk Enterprise Splunk Enterprise Certified Architect Practice Exam, Exams of Technology

The most advanced certification, this practice exam evaluates expertise in designing and architecting large distributed Splunk deployments. It includes topics such as multi-site clustering, index replication, search head clustering, data lifecycle design, workload balancing, and capacity planning. Candidates must architect resilient, scalable enterprise Splunk solutions.

Typology: Exams

2025/2026

Available from 01/06/2026

shilpi-jain-1 🇮🇳

Splunk Enterprise Certified Architect Practice Exam
**Question 1.** Which Splunk component is primarily responsible for managing license usage
across a distributed deployment?
A) Indexer Cluster Master
B) Search Head Deployer
C) License Master
D) Deployment Server
Answer: C
Explanation: The License Master tracks daily indexing volume and enforces license limits for all
Splunk instances.
**Question 2.** In a single-site indexer cluster, what is the purpose of the replication factor
setting?
A) Number of search heads that can query the cluster
B) Number of copies of each bucket stored on peer nodes
C) Maximum number of indexers that can be added to the cluster
D) Number of forwarders allowed to send data to the cluster
Answer: B
Explanation: Replication factor defines how many peer nodes hold a copy of each indexed
bucket for redundancy.
**Question 3.** Which configuration file determines the default bucket size for a Splunk index?
A) indexes.conf
B) limits.conf
C) props.conf
D) inputs.conf
Answer: A

Explanation: indexes.conf contains settings such as maxDataSize, which controls bucket size.
**Question 4.** When planning storage for a non-SmartStore environment, which two raw storage calculations are required?
A) Hot bucket size and cold bucket size
B) Raw event size and index size multiplier
C) Search head cache size and forwarder buffer size
D) License usage and retention period
Answer: B
Explanation: You must estimate raw event size and apply the typical 1.5 to 2× index size multiplier to size storage.
**Question 5.** Which forwarder type can perform field extractions and data transformations before sending data to an indexer?
A) Universal Forwarder (UF)
B) Heavy Forwarder (HF)
C) Splunk Cloud Forwarder
D) Forwarder Manager
Answer: B
Explanation: Heavy Forwarders have full Splunk parsing capabilities, allowing field extractions and transformations.
**Question 6.** What is the recommended method to secure communication between forwarders and indexers?
A) Use plain HTTP on port 8089
B) Enable SSL/TLS on the receiving port
C) Disable authentication and rely on network firewalls

D) Enables automatic field extractions for all sourcetypes
Answer: C
Explanation: Summary indexes store pre-computed results, making dashboard and report queries fast.
**Question 10.** Which of the following is a best practice for designing index retention policies?
A) Keep all data indefinitely to avoid data loss
B) Use time-based retention for logs and data-based retention for metrics
C) Set the same retention period for hot, warm, and cold tiers
D) Disable bucket aging to improve search performance
Answer: B
Explanation: Time-based retention works well for log data, while data-based (size) retention suits metric data.
**Question 11.** In a multisite indexer cluster, what does the "site awareness" setting control?
A) Number of search heads that can query each site
B) Which indexers store the license file
C) Replication and search factor distribution across sites
D) Forwarder load balancing between sites
Answer: C
Explanation: Site awareness ensures that replication and search factors are satisfied across geographic sites for HA.
**Question 12.** Which Splunk app is required to enable Splunk Enterprise Security (ES) functionality?
A) Splunk App for Windows Infrastructure

B) Splunk Enterprise Security
C) Splunk IT Service Intelligence
D) Splunk App for Stream
Answer: B
Explanation: The Splunk Enterprise Security app provides the security analytics framework.
**Question 13.** Which configuration file controls the maximum number of concurrent searches per indexer?
A) limits.conf
B) indexes.conf
C) inputs.conf
D) server.conf
Answer: A
Explanation: limits.conf includes the max_searches_per_cpu setting that limits concurrent searches.
**Question 14.** When using the Deployment Server, what is the purpose of a "deployment client"?
A) To serve as a license master for a group of indexers
B) To receive configuration bundles from the deployment server
C) To host the search head clustering captain role
D) To run KV Store replication across clusters
Answer: B
Explanation: Deployment clients (e.g., UFs) pull apps and configuration from the Deployment Server.

**Question 18.** In the context of Splunk hardware sizing, which metric is most critical for determining CPU requirements on an indexer?
A) Number of forwarders attached
B) Average search concurrency per hour
C) Daily indexed data volume (GB)
D) Number of KV Store collections
Answer: C
Explanation: Higher ingest rates increase CPU load for parsing and indexing; daily volume is the primary driver.
**Question 19.** Which Splunk internal index contains audit events such as changes to user roles and authentication attempts?
A) _internal
B) _audit
C) _telemetry
D) _introspection
Answer: B
Explanation: The _audit index stores audit logs for security and compliance.
**Question 20.** What is the function of the "cold" bucket tier in an index lifecycle?
A) Holds the most recent data for fast search
B) Stores data that is still being indexed
C) Contains data that has been frozen and is read-only
D) Holds aged data that is rarely accessed but still searchable
Answer: D

Explanation: Cold buckets are read-only and stored on cheaper storage for infrequently accessed data.
**Question 21.** Which of the following authentication methods can be configured to allow users to log in via corporate Active Directory?
A) SAML only
B) LDAP
C) Local file authentication only
D) OAuth 2.
Answer: B
Explanation: LDAP integration enables AD users to authenticate against Splunk.
**Question 22.** What does the "search factor" setting control in an indexer cluster?
A) Number of search heads that can query the cluster simultaneously
B) Number of copies of each bucket that must be searchable at any time
C) Number of forwarders that can send data to each peer node
D) Number of license buckets allocated per day
Answer: B
Explanation: Search factor defines how many replica copies must be online for searches to succeed.
**Question 23.** Which Splunk command helps you view the health of a KV Store collection?
| kvstore status
A) | kvstore health
B) | kvstore status
C) | kvstore check

C) Configure the new node's indexes.conf to match the cluster policy
D) Restart the search heads to recognize the new indexer
Answer: C
Explanation: The new peer must have matching index definitions before it can join the cluster.
**Question 27.** Which of the following is a primary advantage of using a Heavy Forwarder in a DMZ zone?
A) Minimal CPU usage because it does not parse data
B) Ability to perform data masking before forwarding to the internal network
C) Automatic enrollment in the Search Head Cluster
D) Built-in license management for forwarders
Answer: B
Explanation: Heavy Forwarders can filter, mask, or transform data before it leaves a secure zone.
**Question 28.** What does the "max_mem_usage_mb" setting in limits.conf control?
A) Maximum memory a single search job can use on a search head
B) Total memory allocated to the KV Store
C) Memory reserved for the indexing pipeline on an indexer
D) Memory used by the Splunk web interface
Answer: A
Explanation: max_mem_usage_mb limits the memory a search job may consume, preventing runaway searches.
**Question 29.** Which Splunk component is responsible for aggregating and presenting license usage metrics to administrators?
A) License Master UI

B) Monitoring Console (MC)
C) Deployment Server Dashboard
D) Search Head Dashboard
Answer: B
Explanation: The Monitoring Console includes a License Usage panel showing daily consumption.
**Question 30.** In the context of Splunk clustering, what is a "captain" in a Search Head Cluster?
A) The node that holds the license master role
B) The node that currently coordinates KV Store replication and configuration pushes
C) The node that performs data ingestion for the cluster
D) The node that runs the Deployment Server for the cluster
Answer: B
Explanation: The captain is the elected SHC member that handles KV Store replication and config distribution.
**Question 31.** Which Splunk configuration file would you edit to change the default time zone for timestamp parsing?
A) props.conf
B) inputs.conf
C) transforms.conf
D) server.conf
Answer: A
Explanation: props.conf includes TZ settings that affect timestamp extraction.

Answer: A
Explanation: | cluster status displays replication queue lengths, peer statuses, and bucket locations.
**Question 35.** Which Splunk app provides a framework for creating security incident response workflows?
A) Splunk App for Windows Infrastructure
B) Splunk Enterprise Security
C) Splunk IT Service Intelligence
D) Splunk App for Stream
Answer: B
Explanation: Splunk Enterprise Security includes Incident Review and response capabilities.
**Question 36.** In the context of Splunk licensing, what does "indexed volume" refer to?
A) Number of users concurrently searching the platform
B) Amount of raw data ingested before indexing
C) Total size of all index files on disk
D) Number of events per second processed by the forwarder
Answer: B
Explanation: Indexed volume is measured in GB of raw data indexed per day, the metric used for licensing.
**Question 37.** Which of the following is the correct order of bucket lifecycle stages in Splunk?
A) Warm → Hot → Cold → Frozen
B) Hot → Warm → Cold → Frozen

C) Cold → Warm → Hot → Frozen
D) Warm → Cold → Hot → Frozen
Answer: B
Explanation: Data moves from hot (active) to warm, then cold, and finally frozen (deleted) based on retention policies.
**Question 38.** What is the function of the "deployment client" configuration file client.conf?
A) Defines which apps a client receives from the deployment server
B) Stores the license key for the client
C) Configures the KV Store replication settings
D) Sets the default index for the client's data
Answer: A
Explanation: client.conf maps the client to serverclass definitions on the deployment server.
**Question 39.** Which Splunk feature allows you to create reusable search logic that can be invoked with parameters?
A) Event Types
B) Search Macros
C) Data Models
D) Summary Indexes
Answer: B
Explanation: Search macros are defined with arguments and can be called from other searches.
**Question 40.** When troubleshooting a forwarder that is not sending data, which log file on the forwarder should you examine first?
A) splunkd.log

**Question 43.** What does the "max_concurrent_searches" setting in limits.conf control on a Search Head?
A) Maximum number of searches a single user can run simultaneously
B) Total number of concurrent searches allowed across all users
C) Number of parallel indexer search pipelines per search head
D) Maximum number of saved searches that can be scheduled
Answer: B
Explanation: max_concurrent_searches caps the total concurrent search jobs on the search head.
**Question 44.** Which of the following authentication methods supports Single Sign-On using SAML assertions?
A) LDAP
B) Native Splunk authentication
C) SAML
D) Kerberos
Answer: C
Explanation: SAML enables SSO by accepting signed assertions from an identity provider.
**Question 45.** When configuring a Heavy Forwarder to act as an intermediate collector, which port is typically used for receiving data from upstream forwarders?
A) 9997 (default receiving port)
B) 8089 (management port)
C) 514 (syslog)
D) 1514 (secure syslog)
Answer: A

Explanation: Port 9997 is the default Splunk receiving port for data forwarding.
**Question 46.** Which Splunk feature allows you to enforce field-level access control so that certain users cannot see specific fields?
A) Index-level permissions
B) Role-based field restrictions (field-level security)
C) Search head clustering
D) License master restrictions
Answer: B
Explanation: Field-level security can be set in role definitions to hide fields from unauthorized users.
**Question 47.** In the Monitoring Console, which panel provides insight into indexer queue backlog and processing latency?
A) Indexing Performance
B) License Usage
C) Search Activity
D) Forwarder Monitoring
Answer: A
Explanation: The Indexing Performance panel shows queue sizes, write latency, and CPU usage.
**Question 48.** Which of the following is a valid reason to use a Deployment Server instead of configuration management tools for forwarder configs?
A) To centrally manage app distribution to large numbers of UFs without scripting
B) To provide high-availability for forwarder data ingestion
C) To replace the need for a license master

B) Allocate dedicated indexers for ITSI data models
C) Disable KV Store on indexers
D) Run ITSI on the same nodes as the License Master
Answer: B
Explanation: ITSI benefits from dedicated indexers to isolate its heavy data model workloads.
**Question 52.** Which Splunk command can be used to view the current search head cluster configuration?
A) | shcluster status
B) | shcluster info
C) | shcluster show
D) | shcluster list
Answer: A
Explanation: | shcluster status displays members, captain, and config version.
**Question 53.** What is the primary function of the "props.conf" stanza "TRANSFORMS-myextract"?
A) Defines a field extraction using a regular expression
B) Maps a source type to a specific index
C) Configures a data transformation pipeline for routing events
D) Sets the maximum event size for parsing
Answer: C
Explanation: TRANSFORMS-myextract references a stanza in transforms.conf that can route, mask, or alter events.

**Question 54.** Which Splunk internal index is used to store telemetry data about the Splunk platform itself?
A) _audit
B) _internal
C) _telemetry
D) _introspection
Answer: C
Explanation: _telemetry captures platform performance metrics sent to Splunk for usage analysis.
**Question 55.** When configuring a Universal Forwarder to monitor a log file, which stanza in inputs.conf is required?
A) [monitor]
B) [tcp]
C) [script]
D) [splunktcp]
Answer: A
Explanation: The [monitor] stanza defines file path, index, and sourcetype for file monitoring.
**Question 56.** Which of the following is a key consideration when planning for disaster recovery in a multisite indexer cluster?
A) Using the same DNS name for all sites
B) Ensuring each site has at least one copy of each bucket (replication factor)
C) Disabling SSL to simplify replication traffic
D) Running the License Master in every site
Answer: B