Last Updated On : 25-May-2026


Splunk Enterprise Certified Architect - SPLK-2002 Exam Dumps

206 Questions



Turn your preparation into perfection. Our Splunk SPLK-2002 exam dumps are the key to unlocking your exam success. Splunk Enterprise Certified Architect practice test helps you understand the structure and question types of the actual exam. This reduces surprises on exam day and boosts your confidence.

Passing is no accident. With our expertly crafted Splunk SPLK-2002 exam questions, you’ll be fully prepared to succeed.

A customer has a Splunk Enterprise deployment and wants to collect data from universal forwarders. What is the best step to secure log traffic?



A. Create signed SSL certificates and use them to encrypt data between the forwarders and indexers.


B. Use the Splunk provided SSL certificates to encrypt data between the forwarders and indexers.


C. Ensure all forwarder traffic is routed through a web application firewall (WAF).


D. Create signed SSL certificates and use them to encrypt data between the search heads and indexers.





A.
  Create signed SSL certificates and use them to encrypt data between the forwarders and indexers.

Explanation:

When securing log traffic between Universal Forwarders (UFs) and Indexers, the best practice is to implement SSL/TLS encryption using properly signed certificates.

This ensures:

Confidentiality — data in transit is encrypted and cannot be intercepted
Authentication — both forwarder and indexer verify each other's identity
Integrity — data cannot be tampered with in transit

Why Signed SSL Certificates Are the Best Approach

Splunk forwards data over TCP using the default port 9997. Without SSL, this traffic is transmitted in plaintext, making it vulnerable to:

Eavesdropping — anyone on the network can read log data
Man-in-the-middle attacks — traffic can be intercepted and modified
Spoofing — unauthorized forwarders could send data to indexers

Using properly signed SSL certificates addresses all of these risks.

┌─────────────────────────────────────────────────────────────┐
│ SECURE FORWARDER → INDEXER COMMUNICATION                    │
│                                                             │
│ Universal          SSL/TLS Encrypted       Indexer          │
│ Forwarder ═══════════════════════════════► :9997            │
│           Certificate-based mutual auth                     │
│                                                             │
│ ✅ Encrypted in transit                                     │
│ ✅ Forwarder identity verified                              │
│ ✅ Indexer identity verified                                │
└─────────────────────────────────────────────────────────────┘

Implementation Overview

On the Indexer (inputs.conf)

[SSL]
# Certificate (with private key) that the indexer presents to forwarders
serverCert = $SPLUNK_HOME/etc/certs/indexer.pem
# Password protecting the private key; leave empty only if the key is unencrypted
sslPassword =
# Mutual TLS: reject forwarders that do not present a certificate signed by the trusted CA
requireClientCert = true
# Accept TLS 1.2 only (excludes SSLv3, TLS 1.0 and TLS 1.1)
sslVersions = tls1.2

[splunktcp-ssl:9997]
# TLS receiving port for forwarder traffic
disabled = 0

On the Universal Forwarder (outputs.conf)

[tcpout]
defaultGroup = indexers_ssl

[tcpout:indexers_ssl]
server = indexer1:9997
# Forwarder's own certificate, presented when the indexer requires client certificates
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslPassword =
# CA certificate used to verify the indexer's certificate chain
sslRootCAPath = $SPLUNK_HOME/etc/certs/ca.pem
# Reject indexers whose certificate does not chain to the trusted CA
sslVerifyServerCert = true
useSSL = true

Why the Other Options Are Wrong

Option B — Use the Splunk provided SSL certificates

Splunk ships with default self-signed certificates intended only for testing purposes.

These default certificates are:

Identical across all Splunk installations
Not unique to your environment
Publicly known and documented

Using default certificates provides encryption but not meaningful authentication.

A malicious actor could use the same default certificates to impersonate a legitimate forwarder or indexer.

Splunk explicitly recommends replacing default certificates in production environments.

Option C — Route forwarder traffic through a WAF

A Web Application Firewall (WAF) is designed to protect HTTP and HTTPS web applications.

Splunk forwarder-to-indexer traffic uses TCP on port 9997, not HTTP.

WAFs cannot properly inspect or secure Splunk’s forwarding protocol.

This approach provides no meaningful protection for Splunk forwarding traffic.

WAFs are appropriate for protecting Splunk Web interfaces, not forwarder traffic.

Option D — Encrypt data between search heads and indexers

This option secures a different communication path.

The question specifically asks about Universal Forwarder traffic sent to Indexers.

Search head to indexer communication uses different services and ports and does not protect forwarder traffic.

Securing search head communication is important, but it does not solve the problem described in the question.

Communication Path Security Summary

Communication Path      | Protocol   | Port      | Secured By Answer A?
------------------------|------------|-----------|---------------------
UF → Indexer            | TCP/S2S    | 9997      | Yes
Search Head → Indexer   | HTTPS/REST | 8089      | No
Browser → Splunk Web    | HTTPS      | 8000/8443 | No
Deployment Server → UF  | HTTPS      | 8089      | No

Certificate Best Practices

Use a private Certificate Authority (CA) or trusted third-party CA to sign certificates
Enable mutual TLS (mTLS) using requireClientCert = true
Use TLS 1.2 or higher
Disable insecure protocols such as SSLv3, TLS 1.0, and TLS 1.1
Rotate certificates before expiration
Never use Splunk default certificates in production
Store certificate passwords securely using Splunk credential management
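The best-practices list above and the "default certificates" discussion under Option B both come down to settings that can be checked mechanically. The following script is an added example (not Splunk code and not from the original page): it parses inputs.conf / outputs.conf text with the stanza and key names used in the snippets above and reports weak settings, using the hardened snippets from the page as the "good" case and a constructed weak pair as the "bad" case. The default certificate paths and the treatment of sslVersions = * are assumptions made for the audit.

```python
"""Audit Splunk inputs.conf / outputs.conf text for weak forwarder-to-indexer TLS settings.

Added example, not Splunk's own code. It parses the stanza/key names used in the
inputs.conf and outputs.conf snippets above; the sample configs are constructed.
"""
import re

# Certificates Splunk ships with: self-signed and identical on every install (assumed paths).
DEFAULT_CERT_PATHS = {
    "$SPLUNK_HOME/etc/auth/server.pem",
    "$SPLUNK_HOME/etc/auth/cacert.pem",
}
INSECURE_TLS_VERSIONS = {"ssl3", "tls1.0", "tls1.1"}
_STANZA = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; blank and '#' lines are ignored."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf


def _is_true(value):
    return value is not None and value.strip().lower() in {"true", "1", "yes"}


def _enabled(keys):
    return keys.get("disabled", "0").strip().lower() in {"0", "false"}


def audit_outputs(conf):
    """Findings for a forwarder's outputs.conf; an empty list means nothing weak was found."""
    findings = []
    for stanza, keys in conf.items():
        if not stanza.startswith("tcpout:"):
            continue
        if not _is_true(keys.get("useSSL")):
            findings.append(f"[{stanza}] useSSL is not true: data leaves the forwarder in plaintext")
        if not _is_true(keys.get("sslVerifyServerCert")):
            findings.append(f"[{stanza}] sslVerifyServerCert is not true: indexer identity is not checked")
        if "sslRootCAPath" not in keys:
            findings.append(f"[{stanza}] sslRootCAPath missing: no CA to verify the indexer against")
        cert = keys.get("sslCertPath") or keys.get("clientCert")
        if cert in DEFAULT_CERT_PATHS:
            findings.append(f"[{stanza}] forwarder presents a Splunk default certificate ({cert})")
    return findings


def audit_inputs(conf):
    """Findings for an indexer's inputs.conf; an empty list means nothing weak was found."""
    findings = []
    ssl = conf.get("SSL", {})
    if ssl.get("serverCert") in DEFAULT_CERT_PATHS:
        findings.append(f"[SSL] serverCert is a Splunk default certificate ({ssl['serverCert']})")
    if not _is_true(ssl.get("requireClientCert")):
        findings.append("[SSL] requireClientCert is not true: no mutual TLS, any client may connect")
    versions = {v.strip().lower() for v in ssl.get("sslVersions", "").split(",") if v.strip()}
    weak = sorted(versions & INSECURE_TLS_VERSIONS) or (["*"] if versions == {"*"} else [])
    if weak:
        findings.append(f"[SSL] sslVersions allows insecure protocols ({', '.join(weak)})")
    if not any(s.startswith("splunktcp-ssl:") and _enabled(k) for s, k in conf.items()):
        findings.append("no enabled [splunktcp-ssl:<port>] stanza: forwarders cannot connect over TLS")
    for stanza, keys in conf.items():
        if stanza.startswith("splunktcp:") and _enabled(keys):
            findings.append(f"[{stanza}] plaintext receiving port is enabled")
    return findings


# Constructed sample configs: a weak pair and the hardened pair from the snippets above.
WEAK_INPUTS = """[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
requireClientCert = false
sslVersions = *
[splunktcp:9997]
disabled = 0
"""
HARDENED_INPUTS = """[SSL]
serverCert = $SPLUNK_HOME/etc/certs/indexer.pem
requireClientCert = true
sslVersions = tls1.2
[splunktcp-ssl:9997]
disabled = 0
"""
WEAK_OUTPUTS = """[tcpout:indexers]
server = indexer1:9997
"""
HARDENED_OUTPUTS = """[tcpout:indexers_ssl]
server = indexer1:9997
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/certs/ca.pem
sslVerifyServerCert = true
useSSL = true
"""

if __name__ == "__main__":
    for name, text, audit in (("weak inputs.conf", WEAK_INPUTS, audit_inputs),
                              ("hardened inputs.conf", HARDENED_INPUTS, audit_inputs),
                              ("weak outputs.conf", WEAK_OUTPUTS, audit_outputs),
                              ("hardened outputs.conf", HARDENED_OUTPUTS, audit_outputs)):
        print(name, "->", audit(parse_conf(text)) or "OK")
```

Run against the hardened snippets the audit returns no findings; against the weak pair it reports the default certificate, the missing client-certificate requirement, the permissive sslVersions, the plaintext splunktcp listener, and the forwarder output group that neither encrypts nor verifies the indexer. Splunk layers .conf files across apps, so on a real host the merged result (btool output) is what should be fed to a check like this, not a single file.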

Reference
Splunk Docs: Configure Splunk forwarding to use SSL
Splunk Docs: About securing data in transit
Splunk Docs: SSL certificate best practices

Which of the following is not facilitated by the deployer?



A. Replication of knowledge objects.


B. Deployment of baseline app configurations.


C. Distribute non-replicated, non-runtime configuration updates.


D. Migration of app and user configurations into the search head cluster.





A.
  Replication of knowledge objects.

Explanation:

In Splunk Enterprise, the Deployer is responsible for distributing apps and configuration bundles to search head cluster members.

However:

The deployer does not handle runtime replication of knowledge objects.

Knowledge object replication is handled internally by the search head cluster replication mechanism, not by the deployer.

Examples of replicated knowledge objects include:

saved searches
dashboards
lookups
macros
event types
tags

These objects are synchronized automatically among SHC members through the cluster’s captain-controlled replication process.

What the Deployer Does Facilitate

1. Deployment of baseline app configurations

Correct capability:

pushes apps and configuration bundles to SHC members

2. Distribution of non-replicated, non-runtime configuration updates

Correct capability:

distributes static configurations that are not runtime-replicated

Examples include:

authentication configurations
app binaries
default configurations

3. Migration of app and user configurations into the search head cluster

Correct capability:

used during SHC setup or migration to distribute app configurations consistently across members

Key Exam Point

For SPLK-2002, remember:

The Deployer distributes configuration bundles and apps, but does not perform runtime knowledge object replication.

Remember the distinction:

Deployer → app and configuration distribution
SHC captain and members → runtime knowledge object replication

Reference

Official documentation:
Splunk Enterprise Documentation – Use the Deployer to distribute apps and configuration updates

How is the search log accessed for a completed search job?



A. Search for: index=_internal sourcetype=search.


B. Select Settings > Searches, reports, and alerts, then from the Actions column, select View Search Log.


C. From the Activity menu, select Show Search Log.


D. From the Job menu, select Inspect Job, then click the search.log link.





D.
  From the Job menu, select Inspect Job, then click the search.log link.

Explanation:

Every search in Splunk generates a search job. Once the job is completed, you can access its search.log file to troubleshoot or understand how the search was executed.

The log contains details such as:

search parsing
execution phases
warnings
errors
optimization details

Why D is correct

The proper way to access the search log is:

Go to the Job menu for the completed search
Select Inspect Job
Click the search.log link to view the log contents

This provides direct access to the specific search job’s execution log.

Why the other options are incorrect

A. index=_internal sourcetype=search

This searches internal logs generally, but does not directly access the search.log file for a specific completed search job.

It may provide search-related events, but not the detailed execution log tied to a single job.

B. Settings > Searches, reports, and alerts

This section is used to manage saved searches, reports, and alerts.

It does not provide access to a completed search job’s search.log file.

C. Activity menu > Show Search Log

This option does not exist in the Splunk Web interface.

Therefore, it is invalid.

Key Exam Point

For SPLK-2002, remember:

To troubleshoot a specific search job:

Job Menu → Inspect Job → search.log

The search.log file is the authoritative source for understanding how Splunk executed the search.

Reference

Splunk Docs — Search job inspector:

“To view the search.log for a job, select Inspect Job from the Job menu and click the search.log link.”

When determining where a Splunk forwarder is trying to send data, which of the following searches can provide assistance?



A. index=_internal sourcetype=internal metrics destHost | dedup destHost


B. index=_internal sourcetype=splunkd metrics inputHost | dedup inputHost


C. index=_metrics sourcetype=splunkd metrics destHost | dedup destHost


D. index=_internal sourcetype=splunkd metrics destHost | dedup destHost





D.
  index=_internal sourcetype=splunkd metrics destHost | dedup destHost

Explanation:

When determining where a Splunk forwarder (or any Splunk instance) is trying to send data, the most direct way is to examine internal logs that record output destination information.

index=_internal → Contains Splunk’s own operational logs
sourcetype=splunkd → Logs generated by the Splunk daemon process
metrics → Metrics log group within splunkd
destHost → Field showing the destination host (receiver/indexer) the forwarder is attempting to send data to

Running this search shows all unique destination hosts that the forwarder has tried to contact, helping troubleshoot forwarding configuration problems such as:

outputs.conf misconfigurations
load balancing issues
DNS resolution failures
network connectivity problems

Correct Search

index=_internal sourcetype=splunkd metrics destHost | dedup destHost

Why the other options are incorrect

A. index=_internal sourcetype=internal metrics destHost | dedup destHost

Incorrect because:

sourcetype=internal is not the standard sourcetype for metrics logs.

Metrics logs are stored under:

sourcetype=splunkd

This search would return little or no useful forwarding information.

B. index=_internal sourcetype=splunkd metrics inputHost | dedup inputHost

Incorrect because:

inputHost refers to the source of incoming data, not the forwarding destination.

This does not identify where the forwarder is attempting to send data.

C. index=_metrics sourcetype=splunkd metrics destHost | dedup destHost

Incorrect because:

There is no default _metrics index in standard Splunk deployments.

Metrics logs are stored in:

index=_internal

unless administrators explicitly configure a custom metrics index.

Key Exam Point

For SPLK-2002, remember:

Forwarding destination troubleshooting is typically performed using:

index=_internal
sourcetype=splunkd
destHost field

The destHost field identifies the receiver/indexer the forwarder is attempting to contact.

Reference

Splunk Docs – Troubleshoot forwarders

Splunk Answers / .conf sessions – Forwarding troubleshooting: Metrics group splunkd logs contain destHost (receiver) and sourceHost (forwarder). destHost reveals where data is being sent.
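To make concrete what each term of the correct search contributes, and why options B and C return nothing useful, here is an added example (not Splunk code and not from the original page) that applies the same filtering and dedup logic to a handful of constructed events. The destHost and sourceHost field names come from the page; the rest of each line's layout is an assumption made for illustration, not a captured metrics.log.

```python
"""Simulate the SPL search
    index=_internal sourcetype=splunkd metrics destHost | dedup destHost
over constructed events, to show which records each term keeps and what dedup does.

Added example, not Splunk code. Only destHost/sourceHost are field names from the page;
the rest of each line's layout is an assumption made for illustration.
"""
import re

# Constructed events in Splunk-like key=value style (index/sourcetype as event metadata).
SAMPLE_EVENTS = [
    {"index": "_internal", "sourcetype": "splunkd",
     "_raw": "INFO Metrics - group=tcpout_connections, sourceHost=fwd01, destHost=indexer1, destPort=9997"},
    {"index": "_internal", "sourcetype": "splunkd",
     "_raw": "INFO Metrics - group=tcpout_connections, sourceHost=fwd01, destHost=indexer2, destPort=9997"},
    {"index": "_internal", "sourcetype": "splunkd",
     "_raw": "INFO Metrics - group=tcpout_connections, sourceHost=fwd01, destHost=indexer1, destPort=9997"},
    # tcpin side: sourceHost only, so destHost is absent and the event is dropped
    {"index": "_internal", "sourcetype": "splunkd",
     "_raw": "INFO Metrics - group=tcpin_connections, sourceHost=fwd02, destPort=9997"},
    # mentions destHost but is not a metrics event, so the bare term `metrics` excludes it
    {"index": "_internal", "sourcetype": "splunkd",
     "_raw": "WARN TcpOutputProc - destHost=indexer3 unreachable"},
    # wrong index: index=_internal never returns it (compare option C, index=_metrics)
    {"index": "main", "sourcetype": "splunkd",
     "_raw": "INFO Metrics - group=tcpout_connections, destHost=indexer9"},
]

KV = re.compile(r"(\w+)=([^,\s]+)")


def extract_fields(raw):
    """Automatic key=value extraction, as Splunk does at search time."""
    return dict(KV.findall(raw))


def dedup(values):
    """`| dedup field` keeps the first event for each value, preserving order."""
    seen, kept = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            kept.append(v)
    return kept


def dest_hosts(events, index="_internal", sourcetype="splunkd", field="destHost"):
    """Events matching index/sourcetype, the bare term `metrics`, and having `field`; then dedup."""
    matches = []
    for ev in events:
        if ev["index"] != index or ev["sourcetype"] != sourcetype:
            continue
        if "metrics" not in ev["_raw"].lower():      # bare search terms match case-insensitively
            continue
        fields = extract_fields(ev["_raw"])
        if field in fields:
            matches.append(fields[field])
    return dedup(matches)


if __name__ == "__main__":
    print("option D:", dest_hosts(SAMPLE_EVENTS))                     # ['indexer1', 'indexer2']
    print("option B:", dest_hosts(SAMPLE_EVENTS, field="inputHost"))  # []
    print("option C:", dest_hosts(SAMPLE_EVENTS, index="_metrics"))   # []
```

The output lists each receiver once, in first-seen order, which is exactly what an administrator wants when checking whether outputs.conf points at the intended indexers. Note that the unreachable-receiver warning is filtered out by the bare term `metrics`; if the goal is to see failed connections rather than configured destinations, that term would be dropped.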

Which of the following is a minimum search head specification for a distributed Splunk environment?



A. A 1Gb Ethernet NIC, optional 2nd NIC for a management network.


B. An x86 32-bit chip architecture.


C. 128 GB RAM.


D. Two physical CPU cores, or four vCPU at 2GHz or greater speed per core.





D.
  Two physical CPU cores, or four vCPU at 2GHz or greater speed per core.

Explanation:

This question tests your knowledge of Splunk’s documented minimum hardware requirements for a distributed deployment. Splunk separates its requirements into Minimum Specifications (the bare minimum required for the software to run in a distributed environment) and Recommended Specifications (what is actually needed for production workloads).

Why D is correct
According to Splunk’s reference hardware documentation for distributed environments, the absolute minimum requirement for a Search Head is:

2 physical CPU cores
or
4 virtual CPUs (vCPUs)
clocked at 2GHz or greater

This represents the minimum supported compute specification for a distributed search head deployment.

Why A is incorrect
While a 1Gb Ethernet NIC is commonly used, Splunk explicitly recommends a 10Gb Ethernet NIC for production distributed environments to handle:

data replication traffic
search payload traffic
cluster communication efficiently

Additionally, network interface specifications are separate from minimum CPU requirements.

Why B is incorrect
Splunk Enterprise no longer supports 32-bit architectures.

Splunk requires:

64-bit (x86-64) architecture

Therefore, a 32-bit CPU architecture is unsupported and invalid for modern Splunk deployments.

Why C is incorrect
128 GB RAM is a robust enterprise-grade configuration, but it is far above the minimum requirement.
The documented minimum RAM requirement for a distributed search head is:

16 GB RAM
Production environments commonly recommend:
32 GB RAM or higher

depending on workload size and search concurrency.

Key Exam Point

For SPLK-2002, remember:

Minimum distributed search head requirements include:

2 physical CPU cores or 4 vCPUs
64-bit architecture
16 GB RAM minimum

Recommended production deployments often exceed these minimums significantly.

Reference
Splunk Docs: Reference Hardware in the Splunk Enterprise Capacity Planning Manual
Splunk Enterprise Certified Architect: Infrastructure Sizing and Hardware Specifications

Which of the following is a valid way to determine if a new bundle push will trigger a rolling restart?



A. splunk show cluster-bundle-status


B. splunk apply cluster-bundle


C. splunk validate cluster-bundle --check-restart


D. splunk apply cluster-bundle --validate-bundle





C.
  splunk validate cluster-bundle --check-restart

Explanation:

In a Splunk Indexer Cluster, when the Cluster Master (now called Cluster Manager in 9.0+) pushes a bundle to peer nodes, certain configuration changes require a rolling restart of the indexer peers to take effect. Before applying a bundle, administrators need to know whether the push will trigger a restart — especially in production environments where availability is critical.

The command splunk validate cluster-bundle --check-restart is specifically designed to answer this question without actually applying the bundle.

💻 Breaking Down the Command

splunk validate cluster-bundle --check-restart

Component Meanings

splunk → Splunk CLI
validate cluster-bundle → Validates the current bundle on the Cluster Manager
--check-restart → Checks whether applying the bundle would trigger a rolling restart on peer nodes

This command runs on the Cluster Manager and:

✅ Validates the bundle for configuration errors
✅ Compares the new bundle against the currently applied bundle
✅ Reports whether the changes require a rolling restart or can be applied without restart
✅ Does not apply the bundle — purely a pre-flight check

🔄 What Triggers a Rolling Restart?

Not all bundle changes require a restart.

Changes That Require Restart

Changes to indexes.conf (new index, retention changes) → ✅ Yes
Changes to props.conf or transforms.conf → ✅ Yes
Adding or modifying apps with index-time configs → ✅ Yes

Changes That Do Not Require Restart

Adding new lookup files → ❌ No
Changes to search-time knowledge objects only → ❌ No

The --check-restart flag lets administrators know in advance which category the changes fall into.

❌ Why the Other Options Are Wrong

❌ A — splunk show cluster-bundle-status

splunk show cluster-bundle-status

This command shows the current status of the bundle across all peer nodes.

It reports:

which peers have received the bundle
which peers applied the bundle
whether peers are in sync

It does not predict whether a future bundle push will require a restart.

❌ B — splunk apply cluster-bundle

splunk apply cluster-bundle

This command actually pushes and applies the bundle to all peer nodes.

It does not perform a restart-impact pre-check beforehand.

Running it in production without validation could unexpectedly trigger a rolling restart.

❌ D — splunk apply cluster-bundle --validate-bundle

splunk apply cluster-bundle --validate-bundle

The --validate-bundle flag validates configuration syntax only.

It does not check whether the bundle changes require a rolling restart.

It also uses apply, making it unsuitable as a safe pre-flight validation-only workflow.

📊 Command Comparison Summary

show cluster-bundle-status → Status only → No validation → No restart prediction

apply cluster-bundle → Applies bundle → May trigger restart

validate cluster-bundle --check-restart → ✅ Validates → ✅ Checks restart requirement → ❌ Does not apply bundle

apply cluster-bundle --validate-bundle → Validates syntax only → No restart prediction

💡 Recommended Pre-Flight Workflow

Step 1:
splunk validate cluster-bundle --check-restart

Step 2:
Review output and determine whether a maintenance window is required.

Step 3:
splunk apply cluster-bundle

Step 4:
splunk show cluster-bundle-status

📚 Reference
Splunk Docs: Manage indexer cluster configuration bundles
Splunk Docs: splunk validate cluster-bundle
Splunk Docs: Rolling restart of an indexer cluster

What are the possible values for the mode attribute in server.conf for a Splunk server in the [clustering] stanza?



A. [clustering] mode = peer


B. [clustering] mode = searchhead


C. [clustering] mode = deployer


D. [clustering] mode = manager





A.
  [clustering] mode = peer

B.
  [clustering] mode = searchhead

D.
  [clustering] mode = manager

Explanation:

In Splunk Enterprise and distributed deployments, the [clustering] stanza in server.conf defines the role of a Splunk instance within a cluster.

Valid values for:

[clustering]
mode =

include:

1. mode = peer

Used for:

Indexers participating in an indexer cluster

These instances:

store indexed data
replicate buckets
participate in cluster searches

Example:

[clustering]
mode = peer

2. mode = searchhead

Used for:

Search heads participating in clustered search environments connected to indexer clustering

These instances:

coordinate searches
communicate with clustered peers

Example:

[clustering]
mode = searchhead

3. mode = manager

Used for:

Cluster Manager (formerly Cluster Master)

Responsible for:

bucket replication management
peer orchestration
cluster health
fix-up operations

Example:

[clustering]
mode = manager

Why mode = deployer Is Incorrect

A Deployer is used in:

Search Head Clustering (SHC)

However, it is not configured via [clustering] mode=.

A deployer is configured differently and does not use:

[clustering]
mode = deployer

Therefore, deployer is not a valid value for the mode attribute in the [clustering] stanza.

Key Exam Point

For SPLK-2002, remember these valid clustering modes:

manager → Cluster Manager
peer → Indexer peer
searchhead → Search head connected to cluster

deployer is related to SHC management, but not a clustering mode value.

Reference

Official documentation:
Splunk Enterprise Documentation – Configure the server.conf file for indexer clustering

When planning user management for a new Splunk deployment, which task can be disregarded?



A. Identify users authenticating with Splunk native authentication.


B. Identify users authenticating with Splunk using LDAP or SAML.


C. Determine the number of users present in Splunk log events.


D. Determine the capabilities users need within the Splunk environment.





C.
  Determine the number of users present in Splunk log events.

Explanation:

When planning user management for a Splunk deployment, the focus is on:

Who needs access to Splunk.
How they will authenticate (native, LDAP, SAML).
What they are allowed to do (capabilities/roles).
How users are onboarded, modified, and offboarded.

Determining the number of users present in Splunk log events (i.e., counting distinct usernames that appear in _internal indexes or other logs) is not a user management planning task. That would be:

A reporting or auditing activity done after Splunk is already deployed and ingesting data, not during planning.
Irrelevant to designing authentication, roles, or provisioning workflows.

Why the other options are valid user management planning tasks

A. Identify users authenticating with Splunk native authentication.

Valid task – You must plan which users will use Splunk’s built-in authentication (stored in authentication.conf / user-seed.conf).

B. Identify users authenticating with Splunk using LDAP or SAML.

Valid task – Many enterprises integrate with corporate directories. You must plan LDAP/SAML strategy (group mapping, role assignment, search filters).

D. Determine the capabilities users need within the Splunk environment.

Valid task – Capabilities define what users can do (e.g., admin_all_objects, restart_splunk, edit_indexer). Mapping users to roles based on needed capabilities is essential before deployment.

Reference

Splunk Docs – Plan your user management:

“Before deploying, determine authentication strategies (native, LDAP, SAML), required capabilities, and role mapping. Post-deployment, you may audit existing users from logs, but that is not part of initial planning.”

SPLK-2002 Blueprint – Security and user management: Planning tasks include authentication methods and role/capability mapping, not counting users in logs.

It is possible to lose UI edit functionality after manually editing which of the following files in the deployment server?



A. serverclass.conf


B. deploymentclient.conf


C. inputs.conf


D. deploymentserver.conf





A.
  serverclass.conf

Explanation:

Why A is correct
The Splunk Deployment Server provides a built-in Graphical User Interface (GUI) in the Splunk Web console to easily manage server classes, apps, and clients. This GUI writes directly to the underlying serverclass.conf file. However, the UI is only capable of parsing and rendering standard, cleanly structured configurations.

If an administrator manually edits serverclass.conf on the backend and introduces advanced configuration patterns (such as complex regular expressions for filtering clients, nested stanzas, or manually ordered machine types), the Splunk Web UI will no longer be able to safely interpret or display the file. When this happens, Splunk explicitly disables UI editing functionality for that server class to prevent accidental data loss or corruption.

Why B is incorrect
The deploymentclient.conf file resides on the deployment clients (forwarders), not the deployment server. It tells the forwarder where to check in for updates, and does not dictate the deployment server's UI capabilities.

Why C is incorrect
inputs.conf manages data ingestion parameters. While editing it manually might cause data routing issues if formatted incorrectly, it does not control or break the deployment server's specific management UI.

Why D is incorrect
deploymentserver.conf is used to configure global deployment server behaviors (like enabling or disabling the deployment server functionality entirely), but it does not house the granular server class/client mappings that cause the UI edit lockout.

Reference
Splunk Docs: About deployment server and forwarder management.
Splunk Warning: Splunk documentation explicitly notes that manually editing serverclass.conf using complex filters or manual white/blacklists can result in losing the ability to use the Forwarder Management interface in Splunk Web.

A customer has a Search Head Cluster (SHC) with site1 and site2. Site1 has five search heads and Site2 has four. Site1 search heads are preferred captains. What action should be taken on Site2 in a network failure between the sites?



A. Disable elections and set a static captain, then restart the cluster.


B. No action is required.


C. Set a dynamic captain manually and restart.


D. Disable elections and set a static captain, notifying all members.





B.
  No action is required.

Explanation:

This question tests understanding of Search Head Cluster quorum-based captain elections and how SHC behaves during a network partition (split-brain scenario).

🔢 Understanding Quorum in SHC
Splunk SHC uses the Raft Consensus Algorithm, which requires a majority quorum to elect a captain and continue operating.

The formula for quorum is:

Quorum = ⌊(Total Members / 2)⌋ + 1

Applying to this scenario:

Total SHC Members = Site1 (5) + Site2 (4) = 9 members
Quorum Required = ⌊9/2⌋ + 1 = 4 + 1 = 5 members

🌐 What Happens During a Network Failure?

When the network between Site1 and Site2 fails, the cluster splits into two partitions:

Site 1 → 5 Search Heads → 5 ≥ 5 ✅ QUORUM → Can elect captain → Cluster operates
Site 2 → 4 Search Heads → 4 < 5 ❌ NO QUORUM → Cannot elect captain → Goes read-only

Site Summary
Site 1: Has quorum (5 of 9) → Elects captain → Continues operations
Site 2: No quorum (4 of 9) → Read-only state → No captain election

✅ Why No Action Is Required on Site2
This is by design and is the expected behavior of a properly architected SHC:

Site1 has exactly the quorum needed (5 of 9) to elect a captain and continue serving searches

Site2 cannot achieve quorum (only 4 of 9) so it correctly enters a read-only/passive state, preventing split-brain scenarios

The preferred captain setting on Site1 ensures that when quorum is achieved, Site1 members are prioritized for captain election

This architecture was designed so Site1 always holds quorum in partition events

No manual intervention is needed because Raft handles this automatically

Splunk recommends an odd number of SHC members and balanced site distribution to ensure quorum safety during failures.

❌ Why the Other Options Are Wrong

❌ A — Disable elections and set a static captain, then restart the cluster
This is unnecessary — Site1 already has quorum and will elect a captain automatically.
Static captains are not recommended in production SHC deployments.

❌ C — Set a dynamic captain manually and restart
You cannot manually force captain election without quorum.
Raft will reject election attempts on Site2 due to lack of majority.

❌ D — Disable elections and set a static captain, notifying all members
Same issue as Option A — unnecessary intervention and not possible across partitioned sites.

💡 Key Design Principle

In multisite SHC design, always ensure one site holds a strict majority of members. This guarantees quorum during failure scenarios.

Good Designs

5 + 4 = 9 → Site1 quorum = 5 ✅
4 + 3 = 7 → Site1 quorum = 4 ✅

Bad Designs

4 + 4 = 8 → No quorum (5 required) ❌
3 + 3 = 6 → No quorum (4 required) ❌
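The quorum formula and the good/bad design lists above generalise to any site layout. The following is an added example (not Splunk code and not from the original page) that computes quorum, the number of members a cluster can lose, and which site, if any, can still elect a captain once the inter-site links fail; it also goes one step beyond the page by handling more than two sites.

```python
"""Raft quorum arithmetic for a Search Head Cluster split across sites.

Added example, not Splunk code. It generalises the 5 + 4 case above to any site layout,
including three or more sites (an extension beyond the two-site cases on the page).
"""


def quorum(total_members):
    """Majority needed to elect a captain: floor(n / 2) + 1."""
    return total_members // 2 + 1


def tolerated_failures(total_members):
    """Members that can be lost while a captain can still be elected."""
    return total_members - quorum(total_members)


def partition_outcome(site_sizes):
    """After every inter-site link fails, each site is its own partition.
    Returns {site_name: keeps_quorum}, judged against the cluster-wide member total."""
    need = quorum(sum(site_sizes))
    return {f"site{i + 1}": size >= need for i, size in enumerate(site_sizes)}


def design_is_safe(site_sizes):
    """Safe if one site holds a strict majority on its own, so a captain survives a partition."""
    return any(partition_outcome(site_sizes).values())


if __name__ == "__main__":
    for layout in ([5, 4], [4, 3], [4, 4], [3, 3], [3, 2, 2], [5, 2, 2]):
        total = sum(layout)
        verdict = "OK" if design_is_safe(layout) else "no site keeps quorum"
        print(f"{' + '.join(map(str, layout))} = {total}: quorum {quorum(total)}, "
              f"tolerates {tolerated_failures(total)} lost members, {verdict}")
```

The two even layouts from the page (4 + 4 and 3 + 3) come out unsafe because neither site reaches the majority, and the three-site layout 3 + 2 + 2 fails for the same reason: spreading members evenly never produces a site that can carry quorum alone. The reverse also follows from the arithmetic: the site that holds quorum is the one whose loss takes the whole cluster read-only, so site placement decides which outage the design tolerates.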

📚 Reference
Splunk Docs: Search Head Clustering architecture — Raft consensus
Splunk Docs: Captain election in Search Head Clusters
Splunk Docs: Multisite Search Head Clusters

