Which of the following is an indexer clustering requirement?

A.

Must use shared storage.

B.

Must reside on a dedicated rack.

C.

Must have at least three members.

D.

Must share the same license pool.

As a best practice, where should the internal licensing logs be stored?

A.

Indexing layer.

B.

License server.

C.

Deployment layer.

D.

Search head layer.

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its
capacity. Which of the following options will provide the most search performance improvement?

A.

Replace the indexer storage to solid state drives (SSD).

B.

Add more search heads and redistribute users based on the search type.

C.

Look for slow searches and reschedule them to run during an off-peak time.

D.

Add more search peers and make sure forwarders distribute data evenly across all indexers

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

A.

Distributes apps to SHC members.

B.

Bootstraps a clean Splunk install for a SHC.

C.

Distributes non-search related and manual configuration file changes.

D.

Distributes runtime knowledge object changes made by users across the SHC.

Which command is used for thawing the archive bucket?

A.

Splunk collect

B.

Splunk convert

C.

Splunk rebuild

D.

Splunk dbinspect

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

A.

Data encryption between Splunk Web and splunkd.

B.

Certificate authentication between forwarders and indexers.

C.

Certificate authentication between Splunk Web and search head.

D.

Data encryption for distributed search between search heads and indexers

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

A.

High performance SAN should never be used.

B.

Enable NFS for storing hot and warm buckets.

C.

The recommended RAID setup is RAID 10 (1 + 0).

D.

Virtualized environments are usually preferred over bare metal for Splunk indexers.

A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

A.

splunk add cluster-config

B.

splunk add cluster-master

C.

splunk edit cluster-config

D.

splunk edit cluster-master

Which search head cluster component is responsible for pushing knowledge bundles to search peers,
replicating configuration changes to search head cluster members, and scheduling jobs across the search head
cluster?

A.

Master

B.

Captain

C.

Deployer

D.

Deployment server

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the
_introspection index. Which of the following logs are included in this index? (Select all that apply.)

A.

audit.log

B.

metrics.log

C.

disk_objects.log

D.

resource_usage.log

Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

A.

Is the job scheduler for the entire SHC.

B.

Manages alert action suppressions (throttling).

C.

Synchronizes the member list with the KV store primary.

D.

Replicates the SHC's knowledge bundle to the search peers.

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

A.

Input

B.

Search

C.

Parsing

D.

Indexing