Pass the Splunk Splunk Enterprise Certified Architect SPLK-2002 Questions and answers with CertsForce

All of the forwarders would still be phoning home to the old deployment server, because the forwarders are configured to use the old deployment server in $SPLUNK_HOME/etc/system/local. This is the local configuration directory that contains the settings that override the default settings in $SPLUNK_HOME/etc/system/default. The deploymentclient.conf file in the local directory specifies the targetUri of the deployment server that the forwarder contacts for configuration updates and apps. If the forwarders have the old deployment server’s targetUri in the local directory, they will ignore the updated deploymentclient.conf file that was deployed by the old deployment server, because the local settings have higher precedence than the deployed settings. To fix this issue, the forwarders should either remove the deploymentclient.conf file from the local directory, or update it with the new deployment server’s targetUri. Option C is the correct answer. Option A is incorrect because a version mismatch between the forwarders and the new deployment server would not prevent the forwarders from phoning home to the new deployment server, as long as they are compatible versions. Option B is incorrect because the new deployment server is configured and running, and there is no indication that it is not accepting connections from the forwarders. Option D is incorrect because the pass4SymmKey is the shared secret key that the deployment server and the forwarders use to authenticate each other. It does not affect the forwarders’ ability to phone home to the new deployment server, as long as it is the same on both sides12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Updating/Configuredeploymentclients 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Wheretofindtheconfigurationfiles

In the deployment planning process, a person should identify who gets to see network data in the data policy definition step. This step involves defining the data access policies and permissions for different users and roles in Splunk. The deployment schedule step involves defining the timeline and milestones for the deployment project. The topology diagramming step involves creating a visual representation of the Splunk architecture and components. The data source inventory step involves identifying and documenting the data sources and types that will be ingested by Splunk

This is the index that records changes to .conf files as of Splunk 9.0. According to the Splunk documentation1, the _configtracker index tracks the changes made to the configuration files on the Splunk platform, such as the files in the etc directory. The _configtracker index can help monitor and troubleshoot the configuration changes, and identify the source and time of the changes1. The other options are not indexes that record changes to .conf files. Option B, _introspection, is an index that records the performance metrics of the Splunk platform, such as CPU, memory, disk, and network usage2. Option C, _internal, is an index that records the internal logs and events of the Splunk platform, such as splunkd, metrics, and audit logs3. Option D, _audit, is an index that records the audit events of the Splunk platform, such as user authentication, authorization, and activity4. Therefore, option A is the correct answer, and options B, C, and D are incorrect.

1: About the _configtracker index 2: About the _introspection index 3: About the _internal index 4: About the _audit index

The _internal index contains license-related events, such as the license usage, the license quota, the license pool, the license stack, and the license violations. These events are logged by the license manager in the license_usage.log file, which is part of the _internal index. The _audit index contains audit events, such as user actions, configuration changes, and search activity. These events are logged by the audit trail in the audit.log file, which is part of the _audit index. The _license index does not exist in Splunk, as the license-related events are stored in the _internal index. The _introspection index contains platform instrumentation data, such as the resource usage, the disk objects, the search activity, and the data ingestion. These data are logged by the introspection generator in various log files, such as resource_usage.log, disk_objects.log, search_activity.log, and data_ingestion.log, which are part of the _introspection index. For more information, see About Splunk Enterprise logging and [About the _internal index] in the Splunk documentation.

The correct Splunk deployment to have the recommended minimum components for a high-availability search head cluster is 3 search heads, 1 deployer, 3 indexers. This configuration ensures that the search head cluster has at least three members, which is the minimum number required for a quorum and failover1. The deployer is a separate instance that manages the configuration updates for the search head cluster2. The indexers are the nodes that store and index the data, and having at least three of them provides redundancy and load balancing3. The other options are not recommended, as they either have less than three search heads or less than three indexers, which reduces the availability and reliability of the cluster. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: About search head clusters 2: Use the deployer to distribute apps and configuration updates 3: About indexer clusters and index replication

 Configurations from the deployer are merged into the SPLUNK_HOME/etc/apps/APP_HOME/local directory on the search head cluster member. The deployer distributes apps and other configurations to the search head cluster members in the form of a configuration bundle. The configuration bundle contains the contents of the SPLUNK_HOME/etc/shcluster/apps directory on the deployer. When a search head cluster member receives the configuration bundle, it merges the contents of the bundle into its own SPLUNK_HOME/etc/apps directory. The configurations in the local directory take precedence over the configurations in the default directory. The SPLUNK_HOME/etc/system/local directory is used for system-level configurations, not app-level configurations. The SPLUNK_HOME/etc/apps/search/default directory is used for the default configurations of the search app, not the configurations from the deployer.

Per the Splunk Enterprise Licensing Documentation, a license peer (such as an indexer or search head) must regularly communicate with its license manager to report data usage and verify license validity. Splunk allows a 72-hour grace period during which the peer continues operating normally even if communication with the license manager fails.

If this communication is not re-established within 72 hours, the peer enters a “license violation” state. In this state, the system blocks all search activities, including ad-hoc and scheduled searches, but continues to ingest and index data. Administrative and licensing-related searches may still run for diagnostic purposes, but user searches are restricted.

The intent of this design is to prevent prolonged unlicensed data ingestion while ensuring the environment remains compliant. The 72-hour rule is hard-coded in Splunk Enterprise and applies uniformly across license types (Enterprise or Distributed). This ensures consistent licensing enforcement across distributed deployments.

Warnings are generated during the grace period, but after 72 hours, searches are automatically blocked until the peer successfully reconnects to its license manager.

References (Splunk Enterprise Documentation):

• Managing Licenses in a Distributed Environment

• License Manager and Peer Communication Workflow

• Splunk License Enforcement and Violation Behavior

• Splunk Enterprise Admin Manual – License Usage and Reporting Policies

According to Splunk’s Search Scheduler and Job Management documentation, the scheduler.log file, located within the _internal index, records the execution of scheduled and saved searches. This log provides a detailed record of when each search is triggered, how long it runs, and its success or failure status.

Each time a scheduled search runs (for example, alerts, reports, or summary index searches), an entry is written to scheduler.log with fields such as:

sid (search job ID)

app (application context)

savedsearch_name (name of the saved search)

user (owner)

status (success, skipped, or failed)

run_time and result_count

By searching the _internal index for sourcetype=scheduler (or directly viewing scheduler.log), administrators can confirm whether a specific saved search executed as expected and diagnose skipped or delayed runs due to resource contention or concurrency limits.

Other internal logs serve different purposes:

metrics.log records performance metrics.

kvstore.log tracks KV Store operations.

btool.log does not exist — btool outputs configuration data to the console, not a log file.

Hence, scheduler.log is the definitive and Splunk-documented source for validating scheduled search activity.

References (Splunk Enterprise Documentation):

• Saved Searches and Alerts – Scheduler Operation Details

• scheduler.log Reference – Monitoring Scheduled Search Execution

• Monitoring Console: Search Scheduler Health Dashboard

• Troubleshooting Skipped or Delayed Scheduled Searches

According to Splunk Enterprise administrative documentation, the btool utility is used to troubleshoot configuration settings by merging and displaying effective configurations from all configuration files (system, app, and local levels). When diagnosing license master configuration issues on a search peer or any cluster node, Splunk recommends using the command that specifically lists the license-related stanzas from server.conf.

The correct command is:

splunk cmd btool server list license --debug

This command reveals all configuration parameters under the [license] stanza, including those related to license master connections such as master_uri, pass4SymmKey, and disabled flags. The --debug flag ensures full path tracing of each configuration file, making it easy to identify conflicting or missing parameters that cause communication or validation errors between a search peer and the license master.

Other commands listed, such as btool server list clustering, are meant for diagnosing cluster configuration issues (like replication or search factors), not licensing. The check --debug command only validates syntax and structure, not specific configuration errors tied to licensing. Therefore, the correct and Splunk-documented method for diagnosing license configuration problems on a search peer is to inspect the license stanza using the btool server list license --debug command.

References (Splunk Enterprise Documentation):

• btool Command Reference – Troubleshooting Configuration Issues

• server.conf – License Configuration Parameters

• Managing Distributed License Configurations in Search Peer Clusters

• Troubleshooting License Master and Peer Connectivity

 The index-time props.conf attributes that impact indexing performance are LINE_BREAKER and SHOULD_LINEMERGE. These attributes determine how Splunk breaks the incoming data into events and whether it merges multiple events into one. These operations can affect the indexing speed and the disk space consumption. The REPORT attribute does not impact indexing performance, as it is used to apply transforms at search time. The ANNOTATE_PUNCT attribute does not impact indexing performance, as it is used to add punctuation metadata to events at search time. For more information, see [About props.conf and transforms.conf] in the Splunk documentation.