SPLK-2002 Free Practice Test

A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

1. A. The field was extracted as a private knowledge object.
2. B. The events are tagged as communicate, but are missing the network tag.
3. C. The Typing Queue, which does regular expression replacements, is blocked.
4. D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

Correct Answer: D

Which of the following are client filters available in serverclass.conf? (Select all that apply.)

1. A. DNS name.
2. B. IP address.
3. C. Splunk server role.
4. D. Platform (machine type).

Correct Answer: AB

Which of the following are true statements about Splunk indexer clustering?

1. A. All peer nodes must run exactly the same Splunk version.
2. B. The master node must run the same or a later Splunk version than search heads.
3. C. The peer nodes must run the same or a later Splunk version than the master node.
4. D. The search head must run the same or a later Splunk version than the peer nodes.

Correct Answer: B

Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

1. A. Install Enterprise Security on the deployer.
2. B. Install Enterprise Security on a staging instance.
3. C. Copy the Enterprise Security configurations to the deployer.
4. D. Use the deployer to deploy Enterprise Security to the cluster members.

Correct Answer: AD

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

1. A. Via Splunk Web.
2. B. Directly edit SPLUNK_HOME/etc/system/local/server.conf
3. C. Run a splunk edit cluster-config command from the CLI.
4. D. Directly edit SPLUNK_HOME/etc/system/default/server.conf

Correct Answer: AB