SPLUNK Enterprise Certified Architect Sample Questions


The Splunk Enterprise Certified Architect exam is the last step in earning the Splunk Enterprise Certified Architect certification. The exam assesses a candidate’s knowledge and skills in Splunk Deployment Methodology as well as best practices for planning, data collection, sizing, managing, and troubleshooting a standard distributed deployment with indexer and search head clustering.

Splunk Enterprise Certified Architect responsibilities

A Splunk Enterprise Certified Architect understands Splunk Deployment Methodology and best practices for distributed deployment planning, data collection, and sizing and can manage and troubleshoot a standard distributed deployment with indexer and search head clustering. This certification proves a person’s ability to deploy, manage, and troubleshoot complex Splunk Enterprise environments.

SPLUNK Enterprise Certified Architect Sample Questions

Question 1

Which of the following will result in the greatest reduction in disk size requirements for a Splunk Enterprise Security cluster of N indexers?

  • A. Decrease the cluster search factor to N-1.
  • B. Increasing the number of buckets per index.
  • C. Reducing the acceleration range of the data model.
  • D. Increasing the replication factor of the cluster to N-1.

Correct Answer – D

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements

Question 2

The high availability of searchable data has been identified as the top priority by stakeholders. Which of the following options best meets this requirement?

  • A. Increasing the cluster’s search factor.
  • B. Increasing the cluster’s replication factor.
  • C. Increasing the cluster’s search head count.
  • D. Increasing the number of CPUs on the cluster’s indexers.

Correct Answer – B

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/SHCarchitecture

Question 3

The Monitoring Console’s search dashboards indicate that the distributed deployment is nearing capacity. Which of the following options will improve search performance the most?

  • A. Switch indexer storage to solid-state drives (SSD).
  • B. Increase the number of search heads and redistribute users based on the type of search.
  • C. Identify slow searches and reschedule them to run during off-peak hours.
  • D. Increase the number of search peers and ensure that forwarders distribute data evenly across all indexers.

Correct Answer – C

Question 4

The Splunk deployment at Buttercup Games was inherited by a Splunk architect, and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs are routed through the same infrastructure: some data is routed through heavy forwarders, while others are managed by another department.
Which of the following items could be the source of this problem?

  • A. The search head and indexers may have different configurations.
  • B. The data inputs on all forwarders are incorrectly configured.
  • C. The indexers may be configured differently than the heavy forwarders.
  • D. The other department’s forwarders are an older version than the rest.

Correct Answer – C

Question 5

A customer has installed a 500GB Enterprise license. On the same license master, they also purchased and installed a 300GB no-enforcement license. How much data can the customer consume before search is disabled?

  • A. 300GB. Search is disabled after this point.
  • B. 500GB. Search is disabled after this point.
  • C. 800GB. Search is disabled after this point.
  • D. Search is not restricted. Violations continue to be recorded.

Correct Answer – D

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/TypesofSplunklicenses

Question 6

In a Search Head Cluster (SHC), what does the deployer do? (Choose all that apply.)

  • A. Provides apps to SHC members.
  • B. Creates a clean Splunk installation for a SHC.
  • C. Distributes changes to non-search related and manual configuration files.
  • D. Distributes user-made runtime knowledge object changes across the SHC.

Correct Answer – A

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/SHCdeploymentoverview

Question 7

What should the SHOULD_LINEMERGE attribute be set to when using the props.conf LINE_BREAKER attribute to delimit multi-line events?

  • A. Auto
  • B. None
  • C. Correct
  • D. Incorrect

Correct Answer – C

Reference:
https://answers.splunk.com/answers/6926/how-to-keep-data-together-as-one-event.html

Question 8

Which of the following should a deployment plan include?

  • A. Disaster recovery and business continuity plans.
  • B. Detailed logging information and data source inventory.
  • C. Diagrams of the IT environment’s current and future topology.
  • D. A comprehensive list of direct and indirect stakeholders.

Correct Answer – D

Reference:
https://docs.splunk.com/Documentation/CoE/ssf/Handbook/StakeholderReg

Question 9

Which of the following can be used to configure a multisite indexer cluster? (Choose all that apply.)

  • A. Through Splunk Web.
  • B. Edit $SPLUNK_HOME/etc/system/local/server.conf directly.
  • C. Use the CLI to execute the splunk edit cluster-config command.
  • D. Edit $SPLUNK_HOME/etc/system/default/server.conf directly.

Correct Answer – A, B

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Enableclustersindetail

Question 10

What index-time props.conf attributes have an effect on indexing performance? (Choose all that apply.)

  • A. REPORT
  • B. LINE_BREAKER
  • C. ANNOTATE_PUNCT
  • D. SHOULD_LINEMERGE

Correct Answer – B, D

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/Configureeventlinebreakin

Question 11

Which of the following serverclass.conf client filters are available? (Choose all that apply.)

  • A. Domain name.
  • B. Internet Protocol (IP) address.
  • C. Splunk server role.
  • D. Platform (machine type).

Correct Answer – A, B

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Filterclients#Define_filters_through_serverclass.conf

Question 12

What log file would you look for if you suspect a problem with interpreting a regular expression in a monitor stanza?

  • A. btool.log
  • B. metrics.log
  • C. splunkd.log
  • D. tailing_processor.log

Correct Answer – C

Reference:
https://answers.splunk.com/answers/479312/how-to-edit-inputsconf-to-monitor-multiple-files-w-1.html

Question 13

Which Splunk tool provides administrators with a health check to evaluate the health of their Splunk deployment?

  • A. btool
  • B. DiagGen
  • C. SPL Clinic
  • D. Monitoring Station

Correct Answer – D

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/DMC/DMCoverview

Question 14

Which configuration of a four-site indexer cluster stores two searchable copies at the origin site, one searchable copy at site 2, and a total of four searchable copies?

  • A. origin:2, site1:2, total:4 site search factor
  • B. origin:2, site2:1, total:4 site search factor
  • C. site replication factor = 2 for origin, 1 for site 1, and total:4
  • D. origin:2, site2:1, total:4 site replication factor

Correct Answer – D

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Sitereplicationfactor

Question 15

Which Splunk Enterprise product requires its own license?

  • A. Splunk Cloud Forwarder
  • B. Splunk Heavy Forwarder
  • C. Splunk Universal Forwarder
  • D. Splunk Forwarder Management

Correct Answer – C

Reference:
https://docs.splunk.com/Splexicon:Forwardinglicense

Question 16

Which splunkd.log component will log information about bad event breaking?

  • A. Audittrail
  • B. EventCrisis
  • C. Pipeline Indexing
  • D. AggregatorMiningProcessor

Correct Answer – D

Reference:
https://answers.splunk.com/answers/141721/error-in-splunkd-log-breaking-event-because-limit-of-256-has-been-exceeded.html

Question 17

Which Splunk server role governs the indexer cluster’s operation?

  • A. Indexer
  • B. Deployer
  • C. The Master Node
  • D. Monitoring Station

Correct Answer – C

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Deploy/Indexercluster

Question 18

The following error is displayed when adding or rejoining a member to a search head cluster:
Pulling configurations from the search head cluster captain failed; consider performing a destructive configuration resync on this member of the search head cluster.
What steps should be taken to correct the situation?

  • A. Restart the search engine.
  • B. From the deployer, execute the splunk apply shcluster-bundle command.
  • C. Execute the clean raft command on all search head cluster members.
  • D. On this member, run the splunk resync shcluster-replicated-config command.

Correct Answer – B

Question 19

To clear the KV store, which of the following commands is used?

  • A. splunk clean kvstore
  • B. splunk clear kvstore
  • C. splunk delete kvstore
  • D. splunk reinitialize kvstore

Correct Answer – A

Reference:
https://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

Question 20

In a Splunk environment with two indexers and one search head, indexing is slow and real-time search results are delayed. On the indexers, there is plenty of CPU and memory. Which of the following has the greatest chance of improving indexing performance?

  • A. In indexes.conf, increase the maximum number of hot buckets.
  • B. In server.conf, increase the number of parallel ingestion pipelines.
  • C. In limits.conf, reduce the maximum size of the search pipelines.
  • D. Reduce the maximum number of concurrent scheduled searches in limits.

Correct Answer – C
