Down To Date SPLK-2002 Free Question For Splunk Enterprise Certified Architect Certification

Want to know Testking SPLK-2002 Exam practice test features? Want to learn more about Splunk Splunk Enterprise Certified Architect certification experience? Study Realistic Splunk SPLK-2002 answers to Avant-garde SPLK-2002 questions at Testking. Get a success with an absolute guarantee to pass Splunk SPLK-2002 (Splunk Enterprise Certified Architect) test on your first attempt.

We also have SPLK-2002 free dumps questions for you:

NEW QUESTION 1
Stakeholders have identified high availability for searchable data as their top priority.
Which of the following best addresses this requirement?

  • A. Increasing the search factor in the cluster.
  • B. Increasing the replication factor in the cluster.
  • C. Increasing the number of search heads in the cluster.
  • D. Increasing the number of CPUs on the indexers in the cluster.

Answer: B

NEW QUESTION 2
Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

  • A. High performance SAN should never be used.
  • B. Enable NFS for storing hot and warm buckets.
  • C. The recommended RAID setup is RAID 10 (1 + 0).
  • D. Virtualized environments are usually preferred over bare metal for Splunk indexers.

Answer: C

NEW QUESTION 3
A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

  • A. Create a job server on the cluster.
  • B. Add another search head to the cluster.
  • C. server.conf captain_is_adhoc_searchhead = true.
  • D. Change limits.conf value for max_searches_per_cpu to a higher value.

Answer: D

NEW QUESTION 4
Which of the following commands is used to clear the KV store?

  • A. splunk clean kvstore
  • B. splunk clear kvstore
  • C. splunk delete kvstore
  • D. splunk reinitialize kvstore

Answer: A

NEW QUESTION 5
When troubleshooting monitor inputs, which command checks the status of the tailed files?

  • A. splunk cmd btool inputs list | tail
  • B. splunk cmd btool check inputs layer
  • C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
  • D. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus

Answer: C

NEW QUESTION 6
Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

  • A. Is the job scheduler for the entire SHC.
  • B. Manages alert action suppressions (throttling).
  • C. Synchronizes the member list with the KV store primary.
  • D. Replicates the SHC's knowledge bundle to the search peers.

Answer: AD

NEW QUESTION 7
In the deployment planning process, when should a person identify who gets to see network data?

  • A. Deployment schedule
  • B. Topology diagramming
  • C. Data source inventory
  • D. Data policy definition

Answer: C

NEW QUESTION 8
Before users can use a KV store, an admin must create a collection. Where is a collection defined?

  • A. kvstore.conf
  • B. collection.conf
  • C. collections.conf
  • D. kvcollections.conf

Answer: C

NEW QUESTION 9
When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

  • A. Auto
  • B. None
  • C. True
  • D. False

Answer: C

NEW QUESTION 10
When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

  • A. 1. Delete Splunk Enterprise, if it exists. 2. Install and initialize the instance. 3. Join the SHC.
  • B. 1. Install and initialize the instance. 2. Delete Splunk Enterprise, if it exists. 3. Join the SHC.
  • C. 1. Initialize cluster rebalance operation. 2. Remove master node from cluster. 3. Trigger replication.
  • D. 1. Trigger replication. 2. Remove master node from cluster. 3. Initialize cluster rebalance operation.

Answer: B

NEW QUESTION 11
Which of the following is a best practice to maximize indexing performance?

  • A. Use automatic sourcetyping.
  • B. Use the Splunk default settings.
  • C. Not use pre-trained source types.
  • D. Minimize configuration generality.

Answer: D

NEW QUESTION 12
Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

  • A. Data encryption between Splunk Web and splunkd.
  • B. Certificate authentication between forwarders and indexers.
  • C. Certificate authentication between Splunk Web and search head.
  • D. Data encryption for distributed search between search heads and indexers.

Answer: B

NEW QUESTION 13
Which Splunk Enterprise offering has its own license?

  • A. Splunk Cloud Forwarder
  • B. Splunk Heavy Forwarder
  • C. Splunk Universal Forwarder
  • D. Splunk Forwarder Management

Answer: C

NEW QUESTION 14
A Splunk user successfully extracted an IP address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

  • A. The field was extracted as a private knowledge object.
  • B. The events are tagged as communicate, but are missing the network tag.
  • C. The Typing Queue, which does regular expression replacements, is blocked.
  • D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

Answer: D

NEW QUESTION 15
A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  • A. Via Splunk Web.
  • B. Directly edit SPLUNK_HOME/etc/system/local/server.conf
  • C. Run a splunk edit cluster-config command from the CLI.
  • D. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Answer: AB

NEW QUESTION 16
Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

  • A. site_mappings
  • B. available_sites
  • C. site_search_factor
  • D. site_replication_factor

Answer: A

NEW QUESTION 17
Which of the following describe migration from single-site to multisite index replication?

  • A. A master node is required at each site.
  • B. Multisite policies apply to new data only.
  • C. Single-site buckets instantly receive the multisite policies.
  • D. Multisite total values should not exceed any single-site factors.

Answer: D

NEW QUESTION 18
Which of the following is true regarding Splunk Enterprise performance? (Select all that apply.)

  • A. Adding search peers increases the maximum size of search results.
  • B. Adding RAM to existing search heads provides additional search capacity.
  • C. Adding search peers increases the search throughput as search load increases.
  • D. Adding search heads provides additional CPU cores to run more concurrent searches.

Answer: BD

NEW QUESTION 19
Which of the following are true statements about Splunk indexer clustering?

  • A. All peer nodes must run exactly the same Splunk version.
  • B. The master node must run the same or a later Splunk version than search heads.
  • C. The peer nodes must run the same or a later Splunk version than the master node.
  • D. The search head must run the same or a later Splunk version than the peer nodes.

Answer: B

NEW QUESTION 20
In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

  • A. Input
  • B. Search
  • C. Parsing
  • D. Indexing

Answer: C

NEW QUESTION 21
When should multiple search pipelines be enabled?

  • A. Only if disk IOPS is at 800 or better.
  • B. Only if there are fewer than twelve concurrent users.
  • C. Only if running Splunk Enterprise version 6.6 or later.
  • D. Only if CPU and memory resources are significantly under-utilized.

Answer: D

NEW QUESTION 22
When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?

  • A. Index and .tsidx files.
  • B. Rawdata and index files.
  • C. Compressed and .tsidx files.
  • D. Compressed and meta data files.

Answer: B

NEW QUESTION 23
......
