Pass the Splunk Splunk Enterprise Certified Architect SPLK-2002 Questions and answers with CertsForce

Decreasing the data model acceleration range will reduce the disk size requirements for a cluster of indexers running Splunk Enterprise Security. Data model acceleration creates tsidx files that consume disk space on the indexers. Reducing the acceleration range will limit the amount of data that is accelerated and thus save disk space. Setting the cluster search factor or replication factor to N-1 will not reduce the disk size requirements, but rather increase the risk of data loss. Increasing the number of buckets per index will also increase the disk size requirements, as each bucket has a minimum size. For more information, see Data model acceleration and Bucket size in the Splunk documentation.

When installing Enterprise Security on a Search Head Cluster (SHC), the following steps should be done: Install Enterprise Security on the deployer, and use the deployer to deploy Enterprise Security to the cluster members. Enterprise Security is a premium app that provides security analytics and monitoring capabilities for Splunk. Enterprise Security can be installed on a SHC by using the deployer, which is a standalone instance that distributes apps and other configurations to the SHC members. Enterprise Security should be installed on the deployer first, and then deployed to the cluster members using the splunk apply shcluster-bundle command. Enterprise Security should not be installed on a staging instance, because a staging instance is not part of the SHC deployment process. Enterprise Security configurations should not be copied to the deployer, because they are already included in the Enterprise Security app package.

A search head cluster is a group of Splunk Enterprise search heads that share configurations, job scheduling, and search artifacts1. The deployer is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members1. The local folder of each Splunk app contains the custom configurations that override the default settings2. The default folder of each Splunk app contains the default configurations that are provided by the app2.

By default, when the deployer pushes an app to the search head cluster, it merges the local folder of the app into the default folder and deploys the merged folder to the search heads3. This means that the custom configurations in the local folder will take precedence over the default settings in the default folder. However, this also means that the local folder of the app on the search heads will be empty, unless the app is modified through the search head UI3.

Option B is the correct answer because it reflects the default behavior of the deployer when pushing apps to the search head cluster. Option A is incorrect because the local folder is not copied to the local folder on the search heads, but merged into the default folder. Option C is incorrect because all the .conf files in the local folder are deployed to the search heads, not only certain ones. Option D is incorrect because the local folder is not ignored, but merged into the default folder.

Per the Splunk Enterprise Licensing Documentation, a license peer (such as an indexer or search head) must regularly communicate with its license manager to report data usage and verify license validity. Splunk allows a 72-hour grace period during which the peer continues operating normally even if communication with the license manager fails.

If this communication is not re-established within 72 hours, the peer enters a “license violation” state. In this state, the system blocks all search activities, including ad-hoc and scheduled searches, but continues to ingest and index data. Administrative and licensing-related searches may still run for diagnostic purposes, but user searches are restricted.

The intent of this design is to prevent prolonged unlicensed data ingestion while ensuring the environment remains compliant. The 72-hour rule is hard-coded in Splunk Enterprise and applies uniformly across license types (Enterprise or Distributed). This ensures consistent licensing enforcement across distributed deployments.

Warnings are generated during the grace period, but after 72 hours, searches are automatically blocked until the peer successfully reconnects to its license manager.

References (Splunk Enterprise Documentation):

• Managing Licenses in a Distributed Environment

• License Manager and Peer Communication Workflow

• Splunk License Enforcement and Violation Behavior

• Splunk Enterprise Admin Manual – License Usage and Reporting Policies

Primary rebalancing automatically occurs when a rolling restart completes, a master node rejoins the cluster, or a peer node joins or rejoins the cluster. These events can cause the distribution of primary buckets to become unbalanced, so the master node will initiate a rebalancing process to ensure that each peer node has roughly the same number of primary buckets. Primary rebalancing does not occur when a captain joins or rejoins the cluster, because the captain is a search head cluster component, not an indexer cluster component. The captain is responsible for search head clustering, not indexer clustering

To ensure that high-velocity sources will not have forwarding delays to the indexers, the default limit for maxKBps in limits.conf should be increased. This parameter controls the maximum bandwidth that a forwarder can use to send data to the indexers. By default, it is set to 256 KBps, which may not be sufficient for high-volume data sources. Increasing this limit can reduce the forwarding latency and improve the performance of the forwarders. However, this should be done with caution, as it may affect the network bandwidth and the indexer load. Option B is the correct answer. Option A is incorrect because the sessionTimeout parameter in server.conf controls the duration of a TCP connection between a forwarder and an indexer, not the bandwidth limit. Option C is incorrect because the forceTimebasedAutoLB parameter in outputs.conf controls the frequency of load balancing among the indexers, not the bandwidth limit. Option D is incorrect because the phoneHomelntervallnSecs parameter in deploymentclient.conf controls the interval at which a forwarder contacts the deployment server, not the bandwidth limit12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Limitsconf#limits.conf.spec 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Routeandfilterdatad#Set_the_maximum_bandwidth_usage_for_a_forwarder

 The Monitoring Console is the Splunk tool that offers a health check for administrators to evaluate the health of their Splunk deployment. The Monitoring Console provides dashboards and alerts that show the status and performance of various Splunk components, such as indexers, search heads, forwarders, license usage, and search activity. The Monitoring Console can also run health checks on the deployment and identify any issues or recommendations. The btool is a command-line tool that shows the effective settings of the configuration files, but it does not offer a health check. The DiagGen is a tool that generates diagnostic snapshots of the Splunk environment, but it does not offer a health check. The SPL Clinic is a tool that analyzes and optimizes SPL queries, but it does not offer a health check. For more information, see About the Monitoring Console in the Splunk documentation.

 A multi-site indexer cluster can be configured by directly editing SPLUNK_HOME/etc/system/local/server.conf or running a splunk edit cluster-config command from the CLI. These methods allow the administrator to specify the site attribute for each indexer node and the site_replication_factor and site_search_factor for the cluster. Configuring a multi-site indexer cluster via Splunk Web or directly editing SPLUNK_HOME/etc/system/default/server.conf are not supported methods. For more information, see Configure the indexer cluster with server.conf in the Splunk documentation.

According to the Splunk documentation1, indexer cluster knowledge bundles are the configuration files that the cluster master distributes to the peer nodes as part of the cluster configuration bundle. The knowledge bundles contain the knowledge objects, such as event types, tags, lookups, and so on, that are relevant for indexing and searching the data. The cluster master creates the knowledge bundles by merging the app-name/default and app-name/local directories from the apps that reside on the master node. The cluster master then pushes the knowledge bundles to the peer nodes, where they reside under the $SPLUNK_HOME/var/run directory2. The other options are false because:

Only app-name/local is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes. The app-name/local directory contains the local customizations of the app configuration, while the app-name/default directory contains the default app configuration3.

Only app-name/default is pushed. This is false because the cluster master pushes both the app-name/default and app-name/local directories, after merging them, to the peer nodes. The app-name/default directory contains the default app configuration, while the app-name/local directory contains the local customizations of the app configuration3.

app-name/default and app-name/local are pushed without change. This is false because the cluster master merges the app-name/default and app-name/local directories before pushing them to the peer nodes. This ensures that the peer nodes have the latest and consistent configuration of the apps3.

 A Technical Add-On (TA) is a Splunk app that contains configurations for data collection, parsing, and enrichment. It can also enable event data for a data model, which is useful for creating dashboards and reports. Therefore, before installing a TA, it is important to identify the number of scheduled or real-time searches that will use the data model, and to validate if the TA enables event data for a data model. The number of forwarders that the TA can support is not relevant, as the TA is installed on the indexer or search head, not on the forwarder. The installation location of the TA depends on the type of data and the use case, so it is not a fixed requirement