2023 latest 100% free SPLK-2002 daily practice exam with 92 questions [Q41-Q65]

SPLK-2002 exam materials: Splunk study guide


The SPLK-2002 exam is designed for experienced Splunk Architects who want to prove their knowledge and skills in designing and implementing complex Splunk environments. It covers topics such as architecture design, capacity planning, distributed deployment, and security. The exam also tests candidates' ability to troubleshoot and optimize Splunk deployments.

Question # 41
What is a Splunk Job? (Select all that apply.)

  • A. A search process kicked off via a report or an alert.
  • B. A child OS process manifested from the splunkd process.
  • C. A user-defined Splunk capability.
  • D. Searches that are subjected to some usage quota.

Correct answer: C


Question # 42
Which server.conf attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster?

  • A. available_sites
  • B. site_replication_factor
  • C. site_mappings
  • D. site_search_factor

Correct answer: C

Explanation:
The site_mappings attribute should be added to the master node's server.conf file when decommissioning a site in an indexer cluster. The site_mappings attribute is used to specify how the master node should reassign the buckets from the decommissioned site to the remaining sites. The site_mappings attribute is a comma-separated list of site pairs, where the first site is the decommissioned site and the second site is the destination site. For example, site_mappings = site1:site2,site3:site4 means that the buckets from site1 will be moved to site2, and the buckets from site3 will be moved to site4. The available_sites attribute is used to specify which sites are currently available in the cluster, and it is automatically updated by the master node. The site_search_factor and site_replication_factor attributes are used to specify the number of searchable and replicated copies of each bucket for each site, and they are not affected by the decommissioning process.


Question # 43
When Splunk is installed, where are the internal indexes stored by default?

  • A. SPLUNK_HOME/var/run
  • B. SPLUNK_HOME/bin
  • C. SPLUNK_HOME/etc/system/default
  • D. SPLUNK_HOME/var/lib

Correct answer: D

Explanation:
Splunk internal indexes are the indexes that store Splunk's own data, such as internal logs, metrics, audit events, and configuration snapshots. By default, Splunk internal indexes are stored in the SPLUNK_HOME/var/lib/splunk directory, along with other user-defined indexes. The SPLUNK_HOME/bin directory contains the Splunk executable files and scripts. The SPLUNK_HOME/var/run directory contains the Splunk process ID files and lock files. The SPLUNK_HOME/etc/system/default directory contains the default Splunk configuration files.


Question # 44
When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

  • A. Auto
  • B. True
  • C. False
  • D. None

Correct answer: C

Explanation:
When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to false. This tells Splunk not to merge events that have been broken by the LINE_BREAKER. Setting the SHOULD_LINEMERGE attribute to true, auto, or none will cause Splunk to ignore the LINE_BREAKER and merge events based on other criteria. For more information, see Configure event line breaking in the Splunk documentation.


Question # 45
Which of the following is a way to exclude search artifacts when creating a diag?

  • A. SPLUNK_HOME/bin/splunk diag --exclude
  • B. SPLUNK_HOME/bin/splunk diag --debug --refresh
  • C. SPLUNK_HOME/bin/splunk diag --disable=dispatch
  • D. SPLUNK_HOME/bin/splunk diag --filter-searchstrings

Correct answer: A

Explanation:
The splunk diag --exclude command is a way to exclude search artifacts when creating a diag. A diag is a diagnostic snapshot of a Splunk instance that contains various logs, configurations, and other information. Search artifacts are temporary files that are generated by search jobs and stored in the dispatch directory. Search artifacts can be excluded from the diag by using the --exclude option and specifying the dispatch directory. The splunk diag --debug --refresh command is a way to create a diag with debug logging enabled and refresh the diag if it already exists. The splunk diag --disable=dispatch command is not a valid command, because the --disable option does not exist. The splunk diag --filter-searchstrings command is a way to filter out sensitive information from the search strings in the diag.


Question # 46
A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web source. Further investigation reveals that not all weblogs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department.
Which of the following items might be the cause of this issue?

  • A. The search head may have different configurations than the indexers.
  • B. The data inputs are not properly configured across all the forwarders.
  • C. The forwarders managed by the other department are an older version than the rest.
  • D. The indexers may have different configurations than the heavy forwarders.

Correct answer: D

Explanation:
The indexers may have different configurations than the heavy forwarders, which might cause the issue of inconsistently formatted events for a web sourcetype. The heavy forwarders perform parsing and indexing on the data before sending it to the indexers. If the indexers have different configurations than the heavy forwarders, such as different props.conf or transforms.conf settings, the data may be parsed or indexed differently on the indexers, resulting in inconsistent events. The search head configurations do not affect the event formatting, as the search head does not parse or index the data. The data inputs configurations on the forwarders do not affect the event formatting, as the data inputs only determine what data to collect and how to monitor it. The forwarder version does not affect the event formatting, as long as the forwarder is compatible with the indexer. For more information, see [Heavy forwarder versus indexer] and [Configure event processing] in the Splunk documentation.


Question # 47
Which Splunk internal index contains license-related events?

  • A. _internal
  • B. _audit
  • C. _license
  • D. _introspection

Correct answer: A


Question # 48
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

  • A. Use case checklist.
  • B. Inventory data sources.
  • C. Review network topology.
  • D. Install Splunk apps.

Correct answer: C


Question # 49
A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

  • A. splunk add cluster-config
  • B. splunk add cluster-master
  • C. splunk edit cluster-master
  • D. splunk edit cluster-config

Correct answer: B

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Configuremulti-clustersearch


Question # 50
Which search will show all deployment client messages from the client (UF)?

  • A. index=_audit component=DC* host=<ds> | stats count by message
  • B. index=_internal component=DC* host=<uf> | stats count by message
  • C. index=_audit component=DC* host=<uf> | stats count by message
  • D. index=_internal component=DS* host=<ds> | stats count by message

Correct answer: B

Explanation:
The index=_internal component=DC* host=<uf> search will show all deployment client messages from the universal forwarder. The component field indicates the type of Splunk component that generated the message, and the host field indicates the host name of the machine that sent the message. The index=_audit component=DC* host=<uf> search will not return any results, because the deployment client messages are not stored in the _audit index. The index=_internal component=DS* host=<ds> search will show the deployment server messages from the deployment server, not the client. The index=_audit component=DS* host=<ds> search will also not return any results, for the same reason as above.


Question # 51
Splunk configuration parameter settings can differ between multiple .conf files of the same name contained within different apps. Which of the following directories has the highest precedence?

  • A. App default directories, in ASCII order.
  • B. System default directory.
  • C. System local directory.
  • D. App local directories, in ASCII order.

Correct answer: C

Explanation:
The system local directory has the highest precedence among the following directories that contain Splunk configuration files of the same name within different apps. Splunk configuration files are stored in various directories under the SPLUNK_HOME/etc directory. The precedence of these directories determines which configuration file settings take effect when there are conflicts or overlaps. The system local directory, which is located at SPLUNK_HOME/etc/system/local, has the highest precedence among all directories, because it contains the system-level configurations that are specific to the instance. The system default directory, which is located at SPLUNK_HOME/etc/system/default, has the lowest precedence among all directories, because it contains the system-level configurations that are provided by Splunk and should not be modified. The app local directories, which are located at SPLUNK_HOME/etc/apps/APP_NAME/local, have a higher precedence than the app default directories, which are located at SPLUNK_HOME/etc/apps/APP_NAME/default, because the local directories contain the app-level configurations that are specific to the instance, while the default directories contain the app-level configurations that are provided by the app and should not be modified. The app local and default directories have different precedences depending on the ASCII order of the app names, with the app names that come later in the ASCII order having higher precedences.


Question # 52
In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

  • A. Run the splunk transfer shcluster-captain command from the member you would like to become the captain.
  • B. Use the Search Head Clustering settings menu from Splunk Web on any member.
  • C. Run the splunk transfer shcluster-captain command from the current captain.
  • D. Use the Monitoring Console.

Correct answer: A, B

Explanation:
In search head clustering, there are two methods to transfer captaincy to a different member. One method is to use the Search Head Clustering settings menu from Splunk Web on any member. This method allows the user to select a specific member to become the new captain, or to let Splunk choose the best candidate. The other method is to run the splunk transfer shcluster-captain command from the member that the user wants to become the new captain. This method requires the user to know the name of the target member and to have access to the CLI of that member. Using the Monitoring Console is not a method to transfer captaincy, because the Monitoring Console does not have the option to change the captain. Running the splunk transfer shcluster-captain command from the current captain is not a method to transfer captaincy, because this command will fail with an error message.


Question # 53
Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

  • A. Synchronizes the member list with the KV store primary.
  • B. Manages alert action suppressions (throttling).
  • C. Replicates the SHC's knowledge bundle to the search peers.
  • D. Is the job scheduler for the entire SHC.

Correct answer: C, D

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/SHCarchitecture#role_of_the_captain


Question # 54
When troubleshooting monitor inputs, which command checks the status of the tailed files?

  • A. splunk cmd btool check inputs layer
  • B. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus
  • C. curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
  • D. splunk cmd btool inputs list | tail

Correct answer: C


Question # 55
Which of the following are true statements about Splunk indexer clustering?

  • A. The master node must run the same or a later Splunk version than search heads.
  • B. The search head must run the same or a later Splunk version than the peer nodes.
  • C. The peer nodes must run the same or a later Splunk version than the master node.
  • D. All peer nodes must run exactly the same Splunk version.

Correct answer: D

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/Distsearchsystemrequirements


Question # 56
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

  • A. Use case checklist.
  • B. Inventory data sources.
  • C. Review network topology.
  • D. Install Splunk apps.

Correct answer: C


Question # 57
The frequency in which a deployment client contacts the deployment server is controlled by what?

  • A. phoneHomeIntervalInSecs attribute in outputs.conf
  • B. polling_interval attribute in outputs.conf
  • C. phoneHomeIntervalInSecs attribute in deploymentclient.conf
  • D. polling_interval attribute in deploymentclient.conf

Correct answer: C


Question # 58
Which of the following is a good practice for a search head cluster deployer?

  • A. The deployer must distribute configurations to search head cluster members to be valid configurations.
  • B. The deployer only distributes configurations to search head cluster members when they "phone home".
  • C. The deployer must be used to distribute non-replicable configurations to search head cluster members.
  • D. The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle.

Correct answer: B


Question # 59
A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

  • A. Create a job server on the cluster.
  • B. Change limits.conf value for max_searches_per_cpu to a higher value.
  • C. Add another search head to the cluster.
  • D. server.conf captain_is_adhoc_searchhead = true.

Correct answer: B


Question # 60
Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

  • A. Use the deployer to deploy Enterprise Security to the cluster members.
  • B. Install Enterprise Security on a staging instance.
  • C. Install Enterprise Security on the deployer.
  • D. Copy the Enterprise Security configurations to the deployer.

Correct answer: A, C


Question # 61
Which of the following describe migration from single-site to multisite index replication?

  • A. Single-site buckets instantly receive the multisite policies.
  • B. Multisite policies apply to new data only.
  • C. A master node is required at each site.
  • D. Multisite total values should not exceed any single-site factors.

Correct answer: D

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Migratetomultisite


Question # 62
What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

  • A. Distributes apps to SHC members.
  • B. Distributes non-search related and manual configuration file changes.
  • C. Distributes runtime knowledge object changes made by users across the SHC.
  • D. Bootstraps a clean Splunk install for a SHC.

Correct answer: A, B


Question # 63
Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

  • A. Enable NFS for storing hot and warm buckets.
  • B. High performance SAN should never be used.
  • C. The recommended RAID setup is RAID 10 (1 + 0).
  • D. Virtualized environments are usually preferred over bare metal for Splunk indexers.

Correct answer: C

Explanation/Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-deploying-vmware-tech-brief.pdf


Question # 64
A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

  • A. Directly edit SPLUNK_HOME/etc/system/local/server.conf
  • B. Via Splunk Web.
  • C. Directly edit SPLUNK_HOME/etc/system/default/server.conf
  • D. Run a splunk edit cluster-config command from the CLI.

Correct answer: A, B

Explanation/Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Enableclustersindetail


Question # 65
......