Splunk SPLK-2002 - Splunk Enterprise Certified Architect

The guidance Splunk gives for estimating size on for syslog data is 50% of original data size. This divides between files in the index as follows: rawdata is 15%, tsidx is 35%. The rawdata is the compressed version of the original data, which typically takes about 15% of the original data size. The tsidx is the index file that contains the time-series metadata and the inverted index, which typically takes about 35% of the original data size. The total size of the rawdata and the tsidx is about 50% of the original data size. For more information, see [Estimate your storage requirements] in the Splunk documentation.

According to the Splunk documentation1, multi-site clustering is an indexer cluster that spans multiple physical sites, such as data centers. Each site has its own set of peer nodes and search heads. Each site also obeys site-specific replication and search factor rules. The use cases that are made possible by multi-site clustering are:

Greatly reduce WAN traffic by preferentially searching assigned site (search affinity). This means that if you configure each site so that it has both a search head and a full set of searchable data, the search head on each site will limit its searches to local peer nodes. This eliminates any need, under normal conditions, for search heads to access data on other sites, greatly reducing network traffic between sites2.

Seamlessly route searches to a redundant site in case of a site failure. This means that by storing copies of your data at multiple locations, you maintain access to the data if a disaster strikes at one location. Multisite clusters provide site failover capability. If a site goes down, indexing and searching can continue on the remaining sites, without interruption or loss of data2.

The other options are false because:

Use blockchain technology to audit search activity from geographically dispersed data centers. This is not a use case of multi-site clustering, as Splunk does not use blockchain technology to audit search activity. Splunk uses its own internal logs and metrics to monitor and audit search activity3.

Enable a forwarder to send data to multiple indexers. This is not a use case of multi-site clustering, as forwarders can send data to multiple indexers regardless of whether they are in a single-site or multi-site cluster. This is a basic feature of forwarders that allows load balancing and high availability of data ingestion4.

Data Model acceleration is a feature that enables faster searches over large data sets by summarizing the raw data into a more efficient format. Data Model acceleration consumes additional disk space, as it stores both the raw data and the summarized data. The amount of disk space required depends on the size and complexity of the Data Model, the retention period of the summarized data, and the compression ratio of the data. According to the Splunk Enterprise Security Planning and Installation Manual, Data Model acceleration is one of the factors that strongly impacts storage sizing requirements for Enterprise Security. The other factors are the volume and type of data sources, the retention policy of the data, and the replication factor and search factor of the index cluster. The number of scheduled (correlation) searches, the number of Splunk users configured, and the number of source types used in the environment are not directly related to storage sizing requirements for Enterprise Security1

1: https://docs.splunk.com/Documentation/ES/6.6.0/Install/Plan#Storage_sizing_requirements

The correct configuration to meet the customer’s requirements is site_replication_factor = origin:1, site4:1, total:5. This means that each bucket will have one copy at the origin site, one copy at the disaster recovery site (site4), and three copies at any other sites. The total number of copies will be five, as required by the customer. The site_replication_factor determines how many copies of each bucket are stored across the sites in a multisite indexer cluster1. The site_search_factor determines how many copies of each bucket are searchable across the sites in a multisite indexer cluster2. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: Configure the site replication factor 2: Configure the site search factor

A monitored log file is changing on the forwarder, but Splunk searches are not finding any new data that has been added. This could be caused by two possible reasons: B. An admin has removed the Splunk fishbucket on the forwarder. C. The last 256 bytes of the monitored file are not changing. Option B is correct because the Splunk fishbucket is a directory that stores information about the files that have been monitored by Splunk, such as the file name, size, modification time, and CRC checksum. If an admin removes the fishbucket, Splunk will lose track of the files that have been previously indexed and will not index any new data from those files. Option C is correct because Splunk uses the CRC checksum of the last 256 bytes of a monitored file to determine if the file has changed since the last time it was read. If the last 256 bytes of the file are not changing, Splunk will assume that the file is unchanged and will not index any new data from it. Option A is incorrect because running the splunk clean eventdata -index  command on the indexer will delete all the data from the specified index, but it will not affect the forwarder’s ability to send new data to the indexer. Option D is incorrect because Splunk does not use the first 256 bytes of a monitored file to determine if the file has changed12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Monitorfilesanddirectories 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Troubleshooting/Didyouloseyourfishbucket

According to the Splunk documentation1, the Splunk deployment topology is the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters. The deployment topology defines the number and type of Splunk components, such as forwarders, indexers, search heads, and deployers, that you need to install and configure for your distributed deployment. The deployment topology also determines the network and hardware requirements, the data flow and replication, the high availability and disaster recovery options, and the security and performance considerations for your deployment2. The other options are false because:

Data source inventory is not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as it is a preliminary step that helps you identify the types, formats, locations, and volumes of data that you want to collect and analyze with Splunk. Data source inventory is important for planning your data ingestion and retention strategies, but it does not directly affect the installation and configuration of Splunk components3.

Data policy definitions are not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as they are the rules and guidelines that govern how you handle, store, and protect your data. Data policy definitions are important for ensuring data quality, security, and compliance, but they do not directly affect the installation and configuration of Splunk components4.

Education and training plans are not the part of the deployment plan that is vital prior to installing Splunk indexer clusters and search head clusters, as they are the learning resources and programs that help you and your team acquire the skills and knowledge to use Splunk effectively. Education and training plans are important for enhancing your Splunk proficiency and productivity, but they do not directly affect the installation and configuration of Splunk components5.

According to the Splunk documentation1, increasing the current deployment client phone home interval can minimize performance issues by reducing the frequency of communication between the clients and the deployment server. This can also reduce the network traffic and the load on the deployment server. The other options are false because:

Modifying deploymentclient.conf to change from a Pull to Push mechanism is not possible, as Splunk does not support a Push mechanism for deployment server2.

Reducing the number of apps in the Manager Node repository will not affect the performance of the deployment server, as the apps are only downloaded when there is a change in the configuration or a new app is added3.

Decreasing the current deployment client phone home interval will increase the performance issues, as it will increase the frequency of communication between the clients and the deployment server, resulting in more network traffic and load on the deployment server1.

According to the Splunk documentation1, metrics.log is a file that contains various metrics data for reviewing product behavior, such as pipeline, queue, thruput, and tcpout_connections. Metrics.log is stored in the _internal index by default2, which is a special index that contains internal logs and metrics for Splunk Enterprise. The other options are false because:

main is the default index for user data, not internal data3.

_telemetry is an index that contains data collected by the Splunk Telemetry feature, which sends anonymous usage and performance data to Splunk4.

_introspection is an index that contains data collected by the Splunk Monitoring Console, which monitors the health and performance of Splunk components.

Splunk’s KV Store management documentation specifies that when converting a static CSV lookup to a KV Store lookup, the lookup data is stored in a MongoDB-based collection defined in collections.conf. To ensure that the KV Store lookup is replicated and available across all search head cluster members, administrators must include the attribute replicate=true within the collections.conf file.

This configuration instructs Splunk to replicate the KV Store collection’s data to all members in the Search Head Cluster (SHC), enabling consistent access and reliability across the cluster. Without this attribute, the KV Store collection would remain local to a single search head, making it unavailable for automatic lookups performed by other members.

Here’s an example configuration snippet from collections.conf:

[customer_lookup]

replicate = true

field.name = string

field.age = number

The attribute repFactor=true (mentioned in Options A and D) is unrelated to KV Store behavior—it applies to index replication, not KV Store replication. Similarly, replicate=true in lookups.conf (Option B) has no effect, as KV Store replication is controlled exclusively via collections.conf.

Once properly configured, the lookup can be defined in transforms.conf and referenced in props.conf for automatic lookup functionality.

References (Splunk Enterprise Documentation):

• KV Store Collections and Configuration – collections.conf Reference

• Managing KV Store Data in Search Head Clusters

• Automatic Lookup Configuration Using KV Store

• Splunk Enterprise Admin Manual – Distributed KV Store Replication Settings

 A Splunk job is a search process that is kicked off via a report, an alert, or a user action. A Splunk job is a child OS process manifested from the splunkd process, which is the main Splunk daemon. A Splunk job is subjected to some usage quota, such as memory, CPU, and disk space, which can be configured in the limits.conf file. A Splunk job is not a user-defined Splunk capability, as it is a core feature of the Splunk platform.