The master node distributes configuration bundles to peer nodes. Which directory peer nodes receive the bundles?
A. apps
B. deployment-apps
C. slave-apps
D. master-apps
Explanation:
The master node distributes configuration bundles to peer nodes in the slaveapps
directory under $SPLUNK_HOME/etc. The configuration bundle method is the only
supported method for managing common configurations and app deployment across the
set of peers. It ensures that all peers use the same versions of these files1. Bundles
typically contain a subset of files (configuration files and assets)
from $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
and $SPLUNK_HOME/etc/users2. The process of distributing knowledge bundles means
that peers by default receive nearly the entire contents of the search head’s apps3.
metrics. log is stored in which index?
A. main
B. _telemetry
C. _internal
D. _introspection
Explanation:
According to the Splunk documentation1, metrics.log is a file that contains various metrics
data for reviewing product behavior, such as pipeline, queue, thruput, and
tcpout_connections. Metrics.log is stored in the _internal index by default2, which is a
special index that contains internal logs and metrics for Splunk Enterprise. The other
options are false because:
When Splunk indexes data in a non-clustered environment, what kind of files does it create by default?
A. Index and .tsidx files.
B. Rawdata and index files.
C. Compressed and .tsidx files.
D. Compressed and meta data files.
Explanation: When Splunk indexes data in a non-clustered environment, it creates index and .tsidx files by default. The index files contain the raw data that Splunk has ingested, compressed and encrypted. The .tsidx files contain the time-series index that maps the timestamps and event IDs of the raw data. The rawdata and index files are not the correct terms for the files that Splunk creates. The compressed and .tsidx files are partially correct, but compressed is not the proper name for the index files. The compressed and meta data files are also partially correct, but meta data is not the proper name for the .tsidx files.
Which of the following strongly impacts storage sizing requirements for Enterprise Security?
A. The number of scheduled (correlation) searches.
B. The number of Splunk users configured.
C. The number of source types used in the environment.
D. The number of Data Models accelerated.
Explanation: Data Model acceleration is a feature that enables faster searches over large data sets by summarizing the raw data into a more efficient format. Data Model acceleration consumes additional disk space, as it stores both the raw data and the summarized data. The amount of disk space required depends on the size and complexity of the Data Model, the retention period of the summarized data, and the compression ratio of the data. According to the Splunk Enterprise Security Planning and Installation Manual, Data Model acceleration is one of the factors that strongly impacts storage sizing requirements for Enterprise Security. The other factors are the volume and type of data sources, the retention policy of the data, and the replication factor and search factor of the index cluster. The number of scheduled (correlation) searches, the number of Splunk users configured, and the number of source types used in the environment are not directly related to storage sizing requirements for Enterprise Security.
A search head cluster with a KV store collection can be updated from where in the KV store collection?
A. The search head cluster captain.
B. The KV store primary search head.
C. Any search head except the captain.
D. Any search head in the cluster.
Explanation:
According to the Splunk documentation1, any search head in the cluster can update the KV
store collection. The KV store collection is replicated across all the cluster members, and
any write operation is delegated to the KV store captain, who then synchronizes the
changes with the other members. The KV store primary search head is not a valid term, as
there is no such role in a search head cluster. The other options are false because:
By default, what happens to configurations in the local folder of each Splunk app when it is deployed to a search head cluster?
A. The local folder is copied to the local folder on the search heads.
B. The local folder is merged into the default folder and deployed to the search heads.
C. Only certain . conf files in the local folder are deployed to the search heads.
D. The local folder is ignored and only the default folder is copied to the search heads.
Explanation:
A search head cluster is a group of Splunk Enterprise search heads that share
configurations, job scheduling, and search artifacts1. The deployer is a Splunk Enterprise
instance that distributes apps and other configurations to the cluster members1. The local
folder of each Splunk app contains the custom configurations that override the default
settings2. The default folder of each Splunk app contains the default configurations that are
provided by the app2.
By default, when the deployer pushes an app to the search head cluster, it merges the
local folder of the app into the default folder and deploys the merged folder to the search
heads3. This means that the custom configurations in the local folder will take precedence
over the default settings in the default folder. However, this also means that the local folder
of the app on the search heads will be empty, unless the app is modified through the
search head UI3.
Option B is the correct answer because it reflects the default behavior of the deployer when
pushing apps to the search head cluster. Option A is incorrect because the local folder is
not copied to the local folder on the search heads, but merged into the default folder.
Option C is incorrect because all the .conf files in the local folder are deployed to the
search heads, not only certain ones. Option D is incorrect because the local folder is not
ignored, but merged into the default folder.
Other than high availability, which of the following is a benefit of search head clustering?
A. Allows indexers to maintain multiple searchable copies of all data.
B. Input settings are synchronized between search heads.
C. Fewer network ports are required to be opened between search heads.
D. Automatic replication of user knowledge objects.
Explanation:
According to the Splunk documentation1, one of the benefits of search head clustering is
the automatic replication of user knowledge objects, such as dashboards, reports, alerts,
and tags. This ensures that all cluster members have the same set of knowledge objects
and can serve the same search results to the users. The other options are false because:
Page 5 out of 23 Pages |
Splunk SPLK-2002 Dumps Home | Previous |