SPLK-2002 Practice Test Questions

160 Questions


The guidance Splunk gives for estimating size for syslog data is 50% of original data size. How does this divide between files in the index?

A. rawdata is: 10%, tsidx is: 40%
B. rawdata is: 15%, tsidx is: 35%
C. rawdata is: 35%, tsidx is: 15%
D. rawdata is: 40%, tsidx is: 10%

B. rawdata is: 15%, tsidx is: 35%



How does IT Service Intelligence (ITSI) impact the planning of a Splunk deployment?

A. ITSI requires a dedicated deployment server.
B. The number of users using ITSI will not impact performance.
C. ITSI in a Splunk deployment does not require additional hardware resources.
D. Depending on the Key Performance Indicators that are being tracked, additional infrastructure may be needed.

D. Depending on the Key Performance Indicators that are being tracked, additional infrastructure may be needed.



Stakeholders have identified high availability for searchable data as their top priority. Which of the following best addresses this requirement?

A. Increasing the search factor in the cluster.
B. Increasing the replication factor in the cluster.
C. Increasing the number of search heads in the cluster.
D. Increasing the number of CPUs on the indexers in the cluster.

B. Increasing the replication factor in the cluster.



Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

A. Identify number of scheduled or real-time searches.
B. Validate if this Technical Add-On enables event data for a data model.
C. Identify the maximum number of forwarders the Technical Add-On can support.
D. Verify if the Technical Add-On needs to be installed onto both a search head or indexer.

A. Identify number of scheduled or real-time searches.
C. Identify the maximum number of forwarders the Technical Add-On can support.



Which Splunk internal index contains license-related events?

A. _audit
B. _license
C. _internal
D. _introspection

C. _internal



Which CLI command converts a Splunk instance to a license slave?

A. splunk add licenses
B. splunk list licenser-slaves
C. splunk edit licenser-localslave
D. splunk list licenser-localslave

C. splunk edit licenser-localslave



Which command will permanently decommission a peer node operating in an indexer cluster?

A. splunk stop -f
B. splunk offline -f
C. splunk offline --enforce-counts
D. splunk decommission --enforce counts

C. splunk offline --enforce-counts



When planning a search head cluster, which of the following is true?

A. All search heads must use the same operating system.
B. All search heads must be members of the cluster (no standalone search heads).
C. The search head captain must be assigned to the largest search head in the cluster.
D. All indexers must belong to the underlying indexer cluster (no standalone indexers).

C. The search head captain must be assigned to the largest search head in the cluster.



A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf:

[clustering]
mode = master
replication_factor = 2
pass4SymmKey = password123

Which of the following statements describe this Splunk instance? (Select all that apply.)

A. This is a multi-site cluster.
B. This cluster's search factor is 2.
C. This Splunk instance needs to be restarted.
D. This instance is missing the master_uri attribute.

B. This cluster's search factor is 2.
C. This Splunk instance needs to be restarted.



In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.
What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.
B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.
C. Total daily indexing volume, replication factor, search factor, and number of search heads.
D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.

D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.



Which of the following describe migration from single-site to multisite index replication?

A. A master node is required at each site.
B. Multisite policies apply to new data only.
C. Single-site buckets instantly receive the multisite policies.
D. Multisite total values should not exceed any single-site factors.

D. Multisite total values should not exceed any single-site factors.



In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

A. Use the Monitoring Console.
B. Use the Search Head Clustering settings menu from Splunk Web on any member.
C. Run the splunk transfer shcluster-captain command from the current captain.
D. Run the splunk transfer shcluster-captain command from the member you would like to become the captain.

B. Use the Search Head Clustering settings menu from Splunk Web on any member.
D. Run the splunk transfer shcluster-captain command from the member you would like to become the captain.



