Challenge Yourself with the World's Most Realistic SPLK-2002 Test.
What is the best way to configure and manage receiving ports for clustered indexers?
A. Use Splunk Web to create the receiving port on each peer node.
B. Define the receiving port in /etc/deployment-apps/cluster-app/local/inputs.conf and deploy it to the peer nodes.
C. Run the splunk enable listen command on each peer node.
D. Define the receiving port in /etc/manager-apps/_cluster/local/inputs.conf and push it to the peer nodes.
Explanation:
In an Indexer Cluster environment, configuration consistency is enforced through the Cluster Manager (formerly Master Node). Instead of configuring each indexer manually, Splunk uses configuration bundles that are pushed from the Cluster Manager to all peer nodes.
Why D is correct
The manager-apps directory on the Cluster Manager is the central location for managing cluster-wide configurations. Inside it, the special directory _cluster is used for indexer peer configurations that must be applied across the entire cluster.
When you place configuration files such as inputs.conf (for example, defining [splunktcp://9997]) in:
$SPLUNK_HOME/etc/manager-apps/_cluster/local/ (master-apps on releases that predate the Cluster Manager naming)
and then push the configuration bundle, Splunk distributes these settings to all indexer peers automatically. This ensures every current and future peer has identical configuration, maintaining cluster consistency and simplifying administration.
Why A & C are incorrect
Directly modifying configurations on individual indexer peers (either via Splunk Web UI or using CLI commands like splunk enable listen) breaks the principle of centralized cluster management. These local changes create configuration drift across peers.
Additionally, when the Cluster Manager pushes the next configuration bundle, any manual changes made directly on peers can be overwritten or ignored, leading to inconsistent behavior and potential service issues.
Why B is incorrect
The deployment-apps directory belongs to the Deployment Server, not the Cluster Manager. It is designed primarily for distributing apps to Universal Forwarders, not for managing Indexer Cluster peer configurations.
Using Deployment Server mechanisms for indexer cluster configuration is unsupported and can result in improper configuration distribution or conflicts with cluster bundle management.
Reference
Splunk Docs: Update common configuration files across the indexer cluster
Splunk Docs: Manage cluster configurations using configuration bundles
Splunk Enterprise Certified Architect: Configuration Bundle Elements and Peer Node Ingestion Management
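As an added illustration of the configuration-drift point made above (example code written for this page, not Splunk's own tooling): the functions below compare the inputs.conf that the Cluster Manager distributes from manager-apps/_cluster/local with an inputs.conf found in a peer's own etc/system/local and report stanzas or settings that exist only on the peer. Both conf contents, the extra port 9998 and the connection_host change are constructed for the example.

```python
# Added example (not from the exam page): report configuration drift between the
# inputs.conf a Cluster Manager pushes in its _cluster bundle and an inputs.conf a
# peer holds in its own etc/system/local. All conf text below is constructed.
import configparser

# Constructed: contents of $SPLUNK_HOME/etc/manager-apps/_cluster/local/inputs.conf
MANAGER_BUNDLE_INPUTS = """
[splunktcp://9997]
disabled = 0
"""

# Constructed: a peer's etc/system/local/inputs.conf after someone opened port
# 9998 by hand and changed the 9997 listener (the drift we want to catch)
PEER_LOCAL_INPUTS = """
[splunktcp://9997]
disabled = 0
connection_host = dns

[splunktcp://9998]
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like; interpolation is disabled so '%' and '$'
    pass through untouched, and key case is preserved.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def find_drift(bundle_text, peer_text):
    """Return (stanzas only on the peer, {stanza: {key: (bundle, peer)}} for
    keys whose values differ in stanzas both sides define)."""
    bundle = parse_conf(bundle_text)
    peer = parse_conf(peer_text)
    peer_only = sorted(set(peer) - set(bundle))
    changed = {}
    for stanza in set(bundle) & set(peer):
        keys = set(bundle[stanza]) | set(peer[stanza])
        diffs = {k: (bundle[stanza].get(k), peer[stanza].get(k))
                 for k in sorted(keys)
                 if bundle[stanza].get(k) != peer[stanza].get(k)}
        if diffs:
            changed[stanza] = diffs
    return peer_only, changed


def drift_report(bundle_text, peer_text):
    """Human-readable lines; an empty list means the peer matches the bundle."""
    peer_only, changed = find_drift(bundle_text, peer_text)
    lines = [f"stanza only on peer: [{s}]" for s in peer_only]
    for stanza, diffs in changed.items():
        for key, (b, p) in diffs.items():
            lines.append(f"[{stanza}] {key}: bundle={b!r} peer={p!r}")
    return lines


if __name__ == "__main__":
    for line in drift_report(MANAGER_BUNDLE_INPUTS, PEER_LOCAL_INPUTS):
        print(line)
```

Run against real files, the report shows exactly what the next bundle push will override or leave orphaned on that peer.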
Which Splunk cluster feature requires additional indexer storage?
A. Search Head Clustering
B. Indexer Discovery
C. Indexer Acknowledgement
D. Index Summarization
Explanation:
Index Summarization is the only option listed that directly increases indexer storage usage because it generates and stores pre-computed summary data in addition to raw indexed events.
These summaries are used to accelerate search performance but require additional disk space on indexers.
What is Index Summarization?
Index Summarization refers to Splunk features that pre-compute and store search results so that future searches can run faster.
These summary datasets are stored on indexers and consume additional storage beyond raw event data.
There are two primary types:
1. Report Acceleration Summaries
Report acceleration pre-computes results for frequently run saved searches.
Key characteristics:
Pre-computed search results are stored in summary indexes
Configured via savedsearch acceleration settings
Stored on indexers
Storage usage depends on time range and data volume
Example configuration (savedsearches.conf):
[My Accelerated Report]
# summary indexing: write the search results into a summary index (a related but separate feature)
action.summary_index = 1
action.summary_index._name = summary
# report acceleration: build and maintain a summary for this saved search
auto_summarize = 1
auto_summarize.timespan = 1d
2. Data Model Acceleration
Data model acceleration pre-computes results for entire data models used in Pivot and CIM-based searches.
Key characteristics:
Stores accelerated data as TSIDX files
Stored directly on indexers
Configured via datamodel acceleration settings
Can consume 10–50% additional storage depending on dataset
Example configuration (datamodels.conf; the stanza name is a placeholder for the data model's name):
[My_Data_Model]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.max_time = 3600
Storage Impact of Index Summarization
Regular indexed data → 100% baseline storage
Report acceleration → +10–15% additional storage
Data model acceleration → +20–50% additional storage
Total storage usage → approximately 130–165% of original dataset
This makes storage planning critical when enabling summarization features.
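To make the storage-planning point concrete, here is an added example (written for this page, not Splunk's code): it scans savedsearches.conf and datamodels.conf text for the objects that will add summary data on indexers, then produces a planning estimate using the upper ends of the overhead ranges quoted above. The conf contents and object names are constructed, and the percentages are assumptions taken from the figures on this page rather than measured values.

```python
# Added example (not from the exam page): list accelerated reports and data
# models, i.e. the objects that add summary data on indexers, and size that
# overhead with the page's planning percentages. Conf text is constructed.
import configparser

# Constructed savedsearches.conf: one report-accelerated search, one plain search
SAVEDSEARCHES_CONF = """
[Failed Logins Daily]
search = index=auth action=failure | stats count by user
auto_summarize = 1
auto_summarize.timespan = 1d

[Top Web Clients]
search = index=web | top clientip
"""

# Constructed datamodels.conf: one accelerated model, one not
DATAMODELS_CONF = """
[Authentication]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.max_time = 3600

[Web]
acceleration = false
"""


def parse_conf(text):
    """Splunk .conf text -> {stanza: {key: value}} (INI-like, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def is_true(value):
    """Splunk accepts several spellings of a boolean true."""
    return str(value).strip().lower() in ("1", "true", "t", "yes")


def accelerated_objects(savedsearches_text, datamodels_text):
    """Return (report-accelerated saved searches, accelerated data models)."""
    reports = sorted(name for name, kv in parse_conf(savedsearches_text).items()
                     if is_true(kv.get("auto_summarize", "0")))
    models = sorted(name for name, kv in parse_conf(datamodels_text).items()
                    if is_true(kv.get("acceleration", "false")))
    return reports, models


def estimate_indexer_storage_gb(baseline_gb, reports, models,
                                report_overhead=0.15, model_overhead=0.50):
    """Planning estimate using the upper ends of the ranges quoted on the page
    (+15% for report acceleration, +50% for data model acceleration).

    The overhead is applied once per feature in use: real summary size depends
    on the accelerated time range and data volume, not on the object count.
    """
    total = baseline_gb
    if reports:
        total += baseline_gb * report_overhead
    if models:
        total += baseline_gb * model_overhead
    return round(total, 2)


if __name__ == "__main__":
    reports, models = accelerated_objects(SAVEDSEARCHES_CONF, DATAMODELS_CONF)
    print("accelerated reports:", reports)
    print("accelerated data models:", models)
    print("planning estimate for 100 GB baseline:",
          estimate_indexer_storage_gb(100, reports, models), "GB")
```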
Why the Other Options Are Incorrect
Search Head Clustering (SHC)
SHC increases storage only on search heads, not indexers.
Storage impact is limited to:
KV Store replication
Search artifacts
Knowledge object replication
It does not increase indexer storage usage.
Indexer Discovery
Indexer discovery is a configuration mechanism that allows forwarders to dynamically discover indexers.
It does not generate or store any additional data on indexers.
Indexer Acknowledgement
Indexer Acknowledgement (ACK) ensures reliable data delivery from forwarders.
It only confirms successful indexing but does not increase stored data volume.
No additional indexer storage is required.
Feature Storage Impact Summary
Index Summarization → Affects indexer storage (YES)
SHC → No indexer storage impact
Indexer Discovery → No storage impact
Indexer Acknowledgement → No storage impact
Key Exam Point
For SPLK-2002, remember:
Index summarization (report acceleration + data model acceleration) increases indexer storage requirements due to pre-computed summary data and TSIDX files.
Reference
Splunk Docs – Accelerate data models
Splunk Docs – Report acceleration summaries
In splunkd.log events written to the _internal index, which field identifies the specific log channel?
A. component
B. source
C. sourcetype
D. channel
Explanation:
In Splunk Enterprise, events stored in the _internal index contain diagnostic and operational logs generated by Splunk components.
Within these events, the channel field identifies the specific logging channel or subsystem that produced the event.
Example search:
index=_internal sourcetype=splunkd
Typical channel values include:
HttpListener
Metrics
ConfReplication
SavedSplunker
TcpInputProc
These channels help administrators determine which internal subsystem or process generated a particular log entry.
Why the Other Options Are Incorrect
component
While Splunk internal logs may include a component field, the field specifically used to identify the logging channel is channel.
source
The source field identifies the originating file path of the event, such as:
source=*splunkd.log
It does not represent the logging channel.
sourcetype
The sourcetype field defines the type of data being ingested, such as:
sourcetype=splunkd
It categorizes logs but does not identify the internal logging channel.
Key Exam Point
For SPLK-2002, remember:
In _internal splunkd.log events, the channel field identifies the specific Splunk subsystem that generated the log entry.
This field is commonly used for troubleshooting and filtering internal system logs.
Reference
Splunk Enterprise Documentation – About splunkd.log and internal logging
A new Splunk Enterprise deployment is being architected, and the customer wants to ensure that the data to be indexed is encrypted. Where should TLS be turned on in the Splunk deployment?
A. Deployment server to deployment clients.
B. Splunk forwarders to indexers.
C. Indexer cluster peer nodes.
D. Browser to Splunk Web.
Explanation:
In a Splunk Enterprise deployment, encryption of data in transit is achieved by enabling TLS/SSL on communication channels.
The most critical communication path is between forwarders and indexers, since this is where raw event data is transmitted into Splunk for indexing.
Forwarders → Indexers (Correct Answer)
TLS/SSL should be enabled on this path to ensure that:
Sensitive event data is encrypted during transmission
Data cannot be intercepted by unauthorized parties
Data integrity is preserved against tampering
This is the primary and most important use case for securing Splunk data in transit.
Why the Other Options Are Incorrect
Deployment server → Deployment clients
This channel is primarily used to distribute configuration bundles.
While it can be secured with TLS, it does not carry sensitive event data and is not the primary focus for data-in-transit encryption in Splunk architecture.
Indexer cluster peer nodes
Replication traffic between indexer peers can be encrypted.
However, this is not the primary data ingestion path targeted by the question.
Browser → Splunk Web
This is secured using HTTPS and protects user interface traffic.
However, it does not encrypt raw event data being ingested into Splunk.
Key Concept
For Splunk Enterprise security best practices, the most critical TLS/SSL configuration is between forwarders and indexers because it protects the core data ingestion pipeline.
Reference
Splunk Documentation – Secure Splunk communications with SSL/TLS
“Enable SSL/TLS between forwarders and indexers to encrypt data in transit and protect sensitive information during ingestion.”
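Added illustration (example code written for this page, not Splunk's own tooling): a small lint over inputs.conf and outputs.conf text that flags the weak settings on the forwarder-to-indexer path that the answer warns about (a cleartext splunktcp listener, no client-certificate requirement, a forwarder that does not verify the indexer certificate or that explicitly allows old protocol versions), with the hardened stanzas beside the weak ones. The setting names are real Splunk settings; hostnames, certificate paths and the password placeholder are constructed.

```python
# Added example (not from the exam page): lint inputs.conf / outputs.conf text for
# the forwarder-to-indexer TLS weaknesses the answer describes. Setting names are
# real Splunk settings; hosts, certificate paths and passwords are constructed.
import configparser

# Constructed weak configs: cleartext listener on the indexer, no TLS on the forwarder
WEAK_INPUTS = """
[splunktcp://9997]
disabled = 0
"""
WEAK_OUTPUTS = """
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.test:9997
"""

# Constructed hardened configs: TLS listener that requires a client certificate,
# and a forwarder that uses TLS and verifies the indexer certificate
HARDENED_INPUTS = """
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/idx-server.pem
sslPassword = <placeholder-managed-by-splunk>
requireClientCert = true
sslVersions = tls1.2
"""
HARDENED_OUTPUTS = """
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
server = idx1.example.test:9997, idx2.example.test:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/fwd-client.pem
sslPassword = <placeholder-managed-by-splunk>
sslVerifyServerCert = true
sslVersions = tls1.2
"""

WEAK_PROTOCOLS = {"ssl3", "tls1.0", "tls1.1"}


def parse_conf(text):
    """Splunk .conf text -> {stanza: {key: value}} (INI-like, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def is_true(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def weak_protocols(kv):
    """Old protocol names explicitly listed in an sslVersions value."""
    listed = {v.strip().lower() for v in kv.get("sslVersions", "").split(",")}
    return sorted(listed & WEAK_PROTOCOLS)


def lint_receiver(inputs_text):
    """Findings for an indexer's receiving ports; [] means nothing was flagged."""
    conf = parse_conf(inputs_text)
    findings = []
    for stanza, kv in conf.items():
        if stanza.startswith("splunktcp://") and not is_true(kv.get("disabled", "0")):
            findings.append(f"[{stanza}] cleartext receiving port; use [splunktcp-ssl:<port>] instead")
    if any(s.startswith("splunktcp-ssl:") for s in conf):
        ssl = conf.get("SSL")
        if ssl is None:
            findings.append("[SSL] stanza missing; splunktcp-ssl listener has no server certificate")
        else:
            if not ssl.get("serverCert"):
                findings.append("[SSL] serverCert not set")
            if not is_true(ssl.get("requireClientCert", "false")):
                findings.append("[SSL] requireClientCert is not true; unauthenticated senders are accepted")
            for proto in weak_protocols(ssl):
                findings.append(f"[SSL] sslVersions allows {proto}")
    return findings


def lint_forwarder(outputs_text):
    """Findings for a forwarder's output groups; [] means nothing was flagged."""
    findings = []
    for stanza, kv in parse_conf(outputs_text).items():
        if not stanza.startswith("tcpout:"):
            continue
        # useSSL defaults to 'legacy', meaning TLS is used only when clientCert is set
        if not is_true(kv.get("useSSL", "legacy")) and not kv.get("clientCert"):
            findings.append(f"[{stanza}] no useSSL/clientCert; events leave the forwarder in cleartext")
            continue
        if not is_true(kv.get("sslVerifyServerCert", "false")):
            findings.append(f"[{stanza}] sslVerifyServerCert is not true; indexer identity is not verified")
        for proto in weak_protocols(kv):
            findings.append(f"[{stanza}] sslVersions allows {proto}")
    return findings
```

The forwarder-side check matters as much as the listener: a forwarder that uses TLS but leaves sslVerifyServerCert off encrypts the stream yet accepts any certificate, so it will happily hand events to whatever answers on port 9997.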
If the maxDataSize attribute is set to auto_high_volume in indexes.conf on a 64-bit operating system, what is the maximum hot bucket size?
A. 4 GB
B. 750 MB
C. 10 GB
D. 1 GB
Explanation:
In Splunk Enterprise, the maxDataSize setting controls the maximum size of a hot bucket before it rolls over to a warm bucket.
When configured as:
maxDataSize = auto_high_volume
on a 64-bit operating system, Splunk sets the maximum hot bucket size to:
10 GB
This setting is optimized for high-volume indexing environments where large ingestion rates are expected.
Common maxDataSize Values
auto → approximately 750 MB
auto_high_volume → approximately 10 GB
auto_low_volume → approximately 1 GB
Why the Other Options Are Incorrect
4 GB
This is not the default or configured value for auto_high_volume on 64-bit systems.
750 MB
This corresponds to the auto setting, not auto_high_volume.
1 GB
This corresponds to the auto_low_volume setting.
Key Exam Point
For SPLK-2002, remember:
On 64-bit systems:
maxDataSize = auto_high_volume → 10 GB hot bucket size
This setting impacts:
bucket rolling frequency
index performance
storage behavior
data lifecycle characteristics
Reference
Splunk Enterprise Documentation – indexes.conf specification
On which Splunk components does the Splunk App for Enterprise Security place the most load?
A. Indexers
B. Cluster Managers
C. Search Heads
D. Heavy Forwarders
Explanation:
The Splunk App for Enterprise Security (ES) is a premium SIEM solution built on top of Splunk Enterprise.
It relies heavily on components such as:
correlation searches
risk scoring
notable event generation
threat intelligence lookups
real-time detection rules
All of these operations are executed primarily on the search head layer.
ES also makes extensive use of:
KV Store lookups
summary indexing
accelerated data models
These are all search-head-driven operations, which significantly increase load on search heads.
Why Search Heads experience the most load
Search heads handle the majority of ES workload, including:
Hundreds of scheduled correlation searches
Asset and identity lookups
Threat intelligence data refresh searches
Risk score calculations
Notable event aggregation
Continuous dashboard queries for real-time visibility
Because of this continuous search activity, ES places the highest operational load on the search head tier.
Search Head Clustering (SHC) is strongly recommended to distribute this workload efficiently.
Why the Other Options Are Incorrect
Indexers
Indexers handle data storage and search-time processing, but ES does not significantly increase their load beyond normal search activity.
Their workload remains primarily I/O and indexing-related, not ES-specific computation.
Cluster Managers
Cluster Managers handle cluster coordination tasks such as:
bucket replication
peer management
fix-up operations
Enterprise Security does not directly increase Cluster Manager workload in any meaningful way.
Heavy Forwarders
Heavy forwarders process and route data before indexing.
Since ES operates on already indexed data, it does not impact forwarder performance significantly.
Key Concept
Enterprise Security workload is search-heavy and search-head-centric.
Most ES components depend on scheduled and real-time searches executed on the search head layer.
Reference
Splunk ES Installation and System Requirements – Sizing considerations
Splunk Validated Architectures – Enterprise Security Architecture Guide
Which deployer push mode should be used when pushing built-in apps?
A. merge_to_default
B. local_only
C. full
D. default only
Explanation:
When the Deployer pushes apps to Search Head Cluster (SHC) members, it supports different push modes that control how app configurations are handled during deployment.
The correct mode for pushing built-in Splunk apps is:
deployer_push_mode = local_only
This setting is configured in server.conf under the [shclustering] stanza.
Understanding Deployer Push Modes
Splunk provides multiple push modes that determine how app directories are distributed to SHC members.
local_only — Correct for Built-in Apps
deployer_push_mode = local_only
This mode:
Pushes only the contents of the local directory of an app
Ignores the default directory
Preserves built-in Splunk app defaults on SHC members
Pushes only administrator-defined customizations
Prevents overwriting shipped Splunk configurations
It is specifically used for built-in apps such as Search & Reporting or Splunk Home.
Built-in apps already exist on SHC members, so only local custom changes need to be distributed.
App Directory Behavior in local_only Mode
┌─────────────────────────────────────────────────────────────┐
│ local_only PUSH BEHAVIOR │
├─────────────────────────────────────────────────────────────┤
│ default/ → NOT pushed │
│ local/ → PUSHED to SHC members │
│ metadata/ → PUSHED to SHC members │
│ lookups/ → PUSHED to SHC members │
└─────────────────────────────────────────────────────────────┘
merge_to_default — For Custom Apps
deployer_push_mode = merge_to_default
This mode:
Merges local changes into the default directory before deployment
Used for custom or third-party apps
Can overwrite default configurations intentionally
Not recommended for built-in Splunk apps
full — Complete App Replacement
deployer_push_mode = full
This mode:
Pushes the entire app (all directories)
Completely replaces the app on SHC members
Risks overwriting default Splunk configurations
Typically used for full app redeployments
default_only — Push Only Default Directory
deployer_push_mode = default_only
This mode:
Pushes only the default directory
Ignores local customizations
Used when only baseline configurations are required
Push Mode Comparison Summary
merge_to_default → Custom apps (merge local + default)
local_only → Built-in apps (push local only)
full → Complete replacement of app
default_only → Push default configs only
Key Takeaway
Use local_only when deploying built-in Splunk apps to SHC members because it preserves the original default configurations while pushing only administrator customizations.
Configuration Example
On the Deployer server.conf:
[shclustering]
deployer_push_mode = local_only
pass4SymmKey =
Apply the bundle using:
splunk apply shcluster-bundle -target https://
Reference
Splunk Docs: Deploy apps to Search Head Cluster members
Splunk Docs: Deployer push modes
Splunk Docs: server.conf shclustering stanza
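The following added example (written for this page, not Splunk's deployer code) models what each push mode described above sends for one app, using the conf-layering rule that a key set in local/ overrides the same key in default/. It shows why local_only is the safe choice for a built-in app: the shipped default stanza is left untouched, whereas merge_to_default rewrites it. The app name, ui-prefs.conf contents and the admin change are constructed.

```python
# Added example (not from the exam page): model the four deployer_push_mode
# values for one app, following the page's description of each mode. The conf
# contents are constructed; this is an illustration, not Splunk's own logic.
import configparser
import copy

# Constructed: a built-in app's shipped default/ui-prefs.conf and an admin's
# local/ui-prefs.conf that shortens the default search time range
SHIPPED_DEFAULT = """
[search]
dispatch.earliest_time = -24h
dispatch.latest_time = now
"""
ADMIN_LOCAL = """
[search]
dispatch.earliest_time = -4h
"""

PUSH_MODES = ("local_only", "merge_to_default", "full", "default_only")


def parse_conf(text):
    """Splunk .conf text -> {stanza: {key: value}} (INI-like, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_local_into_default(default_conf, local_conf):
    """Layer local stanzas over default ones: a key set in local wins, keys only
    in default are kept. This is Splunk's configuration precedence rule."""
    merged = copy.deepcopy(default_conf)
    for stanza, kv in local_conf.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def bundle_for_push(mode, default_text, local_text):
    """Return {directory: parsed conf} that the given deployer_push_mode sends."""
    default_conf = parse_conf(default_text)
    local_conf = parse_conf(local_text)
    if mode == "local_only":          # default/ is not pushed at all
        return {"local": local_conf}
    if mode == "merge_to_default":    # local folded into default before the push
        return {"default": merge_local_into_default(default_conf, local_conf)}
    if mode == "full":                # everything, replacing the app on members
        return {"default": default_conf, "local": local_conf}
    if mode == "default_only":        # baseline only, customisations dropped
        return {"default": default_conf}
    raise ValueError(f"unknown deployer_push_mode: {mode!r}")


def shipped_default_rewritten(mode, default_text, local_text):
    """True when the pushed default/ differs from the shipped default/ content,
    i.e. when the mode overwrites built-in app defaults on the members."""
    pushed = bundle_for_push(mode, default_text, local_text).get("default")
    return pushed is not None and pushed != parse_conf(default_text)


if __name__ == "__main__":
    for mode in PUSH_MODES:
        print(f"{mode:17} rewrites shipped default/:",
              shipped_default_rewritten(mode, SHIPPED_DEFAULT, ADMIN_LOCAL))
```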
What command will decommission a search peer from an indexer cluster?
A. splunk disablepeer --enforce-counts
B. splunk decommission --enforce-counts
C. splunk offline --enforce-counts
D. splunk remove cluster-peers --enforce-counts
Explanation:
In Splunk Enterprise, the correct and supported way to gracefully decommission an indexer peer from a cluster is:
splunk offline --enforce-counts
This command safely removes the peer from active cluster participation while maintaining cluster integrity.
What this command does
It ensures that the peer is removed in a controlled manner by:
Safely taking the peer out of active service
Maintaining required replication factor (RF)
Maintaining required search factor (SF)
Triggering bucket fix-up operations if needed
Preventing data loss or availability violations
The --enforce-counts flag ensures that the cluster continues to meet its data protection requirements before the peer fully exits.
Why the Other Options Are Incorrect
splunk disablepeer --enforce-counts
This is not a valid Splunk CLI command.
splunk decommission --enforce-counts
No standalone CLI command exists with this syntax for removing cluster peers.
splunk remove cluster-peers --enforce-counts
This is invalid syntax and not recognized by Splunk Enterprise.
Key Exam Point
For SPLK-2002, the correct method to gracefully remove an indexer peer while preserving cluster health is:
splunk offline --enforce-counts
This is the preferred method compared to abruptly stopping the Splunk service, which can lead to replication issues and cluster instability.
Reference
Splunk Enterprise Documentation – Taking a peer offline safely in an indexer cluster
A customer creates a saved search that runs on a specific interval. Which internal Splunk log should be viewed to determine if the search ran recently?
A. metrics.log
B. kvstore.log
C. scheduler.log
D. btool.log
Explanation:
Saved searches in Splunk are executed by the scheduler, which is part of the Splunk daemon running on search heads.
The scheduler.log file, located in:
$SPLUNK_HOME/var/log/splunk/
contains detailed records about scheduled search activity.
This includes:
When a saved search was scheduled to run
When the search actually started and completed
Any failures or skipped executions
Execution duration and dispatch details
To determine whether a specific saved search ran recently, you can search:
index=_internal sourcetype=scheduler
and filter by the saved search name or search ID.
Why the Other Options Are Incorrect
Option A — metrics.log
metrics.log contains operational and performance metrics such as:
CPU usage
Memory utilization
Indexing throughput
Search concurrency metrics
It does not record saved search scheduling or execution history.
Option B — kvstore.log
kvstore.log records activity related to Splunk’s KV Store, which is based on MongoDB.
It is used for:
Lookups
Search head clustering artifacts
Application data storage
It has no role in saved search scheduling or execution tracking.
Option D — btool.log
btool is a command-line troubleshooting utility used to inspect merged configuration files.
There is no standard runtime log file called btool.log in Splunk.
This option is intended as a distractor and is not related to scheduled search execution.
Key Exam Point
For SPLK-2002, remember:
scheduler.log is the authoritative source for determining whether and when a saved search executed.
The standard monitoring search is:
index=_internal sourcetype=scheduler
Reference
Splunk Docs – Saved searches
Splunk Docs – Monitor scheduled search activity using scheduler.log
SPLK-2002 Exam Blueprint – Monitoring and Troubleshooting
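As an added example of reading scheduler.log for this purpose (code written for this page, not part of Splunk): the parser below takes scheduler.log lines in the SavedSplunker key=value layout that index=_internal sourcetype=scheduler returns, and answers whether a named saved search was scheduled recently and whether it actually ran, treating a skipped entry as evidence that the scheduler considered the search but not that it executed. The log lines, search names, sids and timestamps are constructed for the example.

```python
# Added example (not from the exam page): parse scheduler.log lines to answer
# "did this saved search run recently, and did it succeed?". The lines below are
# constructed in the SavedSplunker key=value layout; names, sids, times are made up.
import re
from datetime import datetime

SCHEDULER_LOG = """\
06-10-2024 08:00:03.412 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed Logins Hourly", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed Logins Hourly", priority=default, status=success, digest_mode=1, scheduled_time=1718006400, window_time=0, dispatch_time=1718006401, run_time=2.137, result_count=14, alert_actions="", sid="scheduler__admin__search__CONSTRUCTED_at_1718006400_12", suppressed=0, thread_id="AlertNotifierWorker-0"
06-10-2024 08:30:02.009 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Top Web Clients", search_type="scheduled", user="admin", app="search", savedsearch_name="Top Web Clients", priority=default, status=success, digest_mode=1, scheduled_time=1718008200, window_time=0, dispatch_time=1718008200, run_time=0.811, result_count=10, alert_actions="", sid="scheduler__admin__search__CONSTRUCTED_at_1718008200_13", suppressed=0, thread_id="AlertNotifierWorker-1"
06-10-2024 09:00:00.503 +0000 WARN  SavedSplunker - savedsearch_id="nobody;search;Failed Logins Hourly", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed Logins Hourly", priority=default, status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached", scheduled_time=1718010000, window_time=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<component>\w+) - (?P<msg>.*)$"
)
# key=value pairs: quoted values may contain spaces and commas, bare ones may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')
INT_FIELDS = ("scheduled_time", "dispatch_time", "window_time", "result_count")


def parse_scheduler_line(line):
    """Return a dict for a SavedSplunker entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("component") != "SavedSplunker":
        return None
    entry = {"level": m.group("level")}
    stamp = f"{m.group('ts')} {m.group('tz')}"
    entry["logged_epoch"] = datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f %z").timestamp()
    for key, quoted, bare in KV_RE.findall(m.group("msg")):
        value = bare if bare else quoted
        entry[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    if "run_time" in entry:
        entry["run_time"] = float(entry["run_time"])
    return entry if "savedsearch_name" in entry else None


def parse_scheduler_log(text):
    """All SavedSplunker entries in a block of scheduler.log text."""
    return [e for e in (parse_scheduler_line(l) for l in text.splitlines()) if e]


def runs_for(entries, savedsearch_name):
    """Scheduler entries for one saved search, oldest scheduled_time first."""
    return sorted((e for e in entries if e.get("savedsearch_name") == savedsearch_name),
                  key=lambda e: e.get("scheduled_time", 0))


def last_run(entries, savedsearch_name):
    """Most recent scheduler entry for the search, or None if never scheduled."""
    runs = runs_for(entries, savedsearch_name)
    return runs[-1] if runs else None


def ran_recently(entries, savedsearch_name, now_epoch, within_sec=3600):
    """True only if a *successful* run was scheduled inside the window; a
    'skipped' entry shows the scheduler considered the search, not that it ran."""
    return any(e.get("status") == "success"
               and e.get("scheduled_time", 0) >= now_epoch - within_sec
               for e in runs_for(entries, savedsearch_name))


if __name__ == "__main__":
    entries = parse_scheduler_log(SCHEDULER_LOG)
    last = last_run(entries, "Failed Logins Hourly")
    print("last entry:", last["status"], "scheduled_time", last["scheduled_time"])
    print("successful run in the last hour (as of 1718010600):",
          ran_recently(entries, "Failed Logins Hourly", now_epoch=1718010600))
```

The distinction between status=success and status=skipped is the practical point: a search that appears in scheduler.log every hour may still not have produced results if the scheduler kept skipping it for concurrency reasons, which is exactly the case the constructed third line shows.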
To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?
A. adhoc_searchhead = true (on all members)
B. adhoc_searchhead = true (on the current captain)
C. captain_is_adhoc_searchhead = true (on all members)
D. captain_is_adhoc_searchhead = true (on the current captain)
Explanation:
In a Splunk search head cluster (SHC), the captain is the elected member responsible for coordinating cluster activities. The captain manages scheduled searches, distributes knowledge objects, and ensures consistency across the cluster. Because of this, the captain can become a bottleneck if it is also burdened with executing scheduled searches.
To reduce the captain’s workload, Splunk provides a configuration setting:
captain_is_adhoc_searchhead = true
This setting ensures that the captain only runs ad-hoc searches (interactive queries initiated by users) and does not execute scheduled searches. By applying this setting only on the current captain, you offload scheduled searches to other search head members, reducing the captain's overhead and improving cluster stability.
Thus, the correct answer is D. captain_is_adhoc_searchhead = true (on the current captain).
Why the Other Options Are Incorrect
A. adhoc_searchhead = true (on all members)
This option is misleading. The adhoc_searchhead setting is not the correct parameter for controlling captain workload. It is not used in Splunk’s search head cluster configuration for scheduled search distribution. Applying this across all members would not achieve the intended effect.
B. adhoc_searchhead = true (on the current captain)
Again, incorrect because adhoc_searchhead is not the right setting. The exam tests whether you know the distinction between adhoc_searchhead (not relevant here) and captain_is_adhoc_searchhead (the correct parameter).
C. captain_is_adhoc_searchhead = true (on all members)
This would incorrectly configure all members to act as ad‑hoc search heads only, preventing scheduled searches from running anywhere in the cluster. That would break functionality, as scheduled searches must run on non‑captain members. The setting is intended only for the captain, not for all members.
D. captain_is_adhoc_searchhead = true (on the current captain): Correct.
This ensures the captain does not run scheduled searches, reducing its workload while allowing other members to handle scheduled jobs.
Operational Insight
Splunk’s design philosophy for SHC is to keep the captain focused on coordination and management tasks. Scheduled searches can be resource‑intensive, and if the captain is overloaded, it may fail to properly manage cluster activities such as knowledge object replication or search scheduling. By restricting the captain to ad‑hoc searches only, you ensure:
Improved stability: The captain remains responsive for cluster coordination.
Balanced workload: Scheduled searches are distributed across non‑captain members.
High availability: If the captain fails, another member is elected, and the setting applies to the new captain.
This is a best practice in large Splunk deployments where scheduled searches are numerous and resource‑heavy.
References
Splunk Docs – Search Head Clustering
Splunk Admin Manual – Distributed Search