SPLK-2002 Splunk Enterprise Certified Architect Free Practice Exam Questions (2026 Updated)

The Search Job Inspector can be used to expand the following sections: Search job properties and Optimization suggestions. The Search Job Inspector is a tool that provides detailed information about a search job, such as the search parameters, the search statistics, the search timeline, and the search log. The Search Job Inspector can be accessed by clicking the Job menu in the Search bar and selecting Inspect Job. The Search Job Inspector has several sections that can be expanded or collapsed by clicking the arrow icon next to the section name. The Search job properties section shows the basic information about the search job, such as the SID, the status, the duration, the disk usage, and the scan count. The Optimization suggestions section shows the suggestions for improving the search performance, such as using transforming commands, filtering events, or reducing fields. The Execution costs and Saved search history sections are not part of the Search Job Inspector, and they cannot be expanded. The Execution costs section is part of the Search Dashboard, which shows the relative costs of each search component, such as commands, lookups, or subsearches. The Saved search history section is part of the Saved Searches page, which shows the history of the saved searches that have been run by the user or by a schedule

 Configurations from the deployer are merged into the SPLUNK_HOME/etc/apps/APP_HOME/local directory on the search head cluster member. The deployer distributes apps and other configurations to the search head cluster members in the form of a configuration bundle. The configuration bundle contains the contents of the SPLUNK_HOME/etc/shcluster/apps directory on the deployer. When a search head cluster member receives the configuration bundle, it merges the contents of the bundle into its own SPLUNK_HOME/etc/apps directory. The configurations in the local directory take precedence over the configurations in the default directory. The SPLUNK_HOME/etc/system/local directory is used for system-level configurations, not app-level configurations. The SPLUNK_HOME/etc/apps/search/default directory is used for the default configurations of the search app, not the configurations from the deployer.

The following logs are included in the _introspection index, which contains data that the Splunk Enterprise deployment logs for platform instrumentation:

disk_objects.log. This log contains information about the disk objects that Splunk creates and manages, such as buckets, indexes, and files. This log can help monitor the disk space usage and the bucket lifecycle.

resource_usage.log. This log contains information about the resource usage of Splunk processes, such as CPU, memory, disk, and network. This log can help monitor the Splunk performance and identify any resource bottlenecks. The following logs are not included in the _introspection index, but rather in the _internal index, which contains data that Splunk generates for internal logging:

audit.log. This log contains information about the audit events that Splunk records, such as user actions, configuration changes, and search activity. This log can help audit the Splunk operations and security.

metrics.log. This log contains information about the performance metrics that Splunk collects, such as data throughput, data latency, search concurrency, and search duration. This log can help measure the Splunk performance and efficiency. For more information, see About Splunk Enterprise logging and [About the _introspection index] in the Splunk documentation.

The Splunk server name of the member can typically be determined by the serverName attribute in the server.conf file, which is not explicitly shown in the provided snippet. However, based on the provided configuration snippet, we can infer that this search head cluster member is configured to communicate with a cluster master (master_uri) located at node1 and a management node (mgmt_uri) located at node3. The serverName is not the same as the master_uri or mgmt_uri; these URIs indicate the location of the master and management nodes that this member interacts with.

Since the serverName is not provided in the snippet, one would typically look for a setting under the [general] stanza in server.conf. However, given the options and the common naming conventions in a Splunk environment, node3 would be a reasonable guess for the server name of this member, since it is indicated as the management URI within the [shclustering] stanza, which suggests it might be the name or address of the server in question.

For accurate identification, you would need to access the full server.conf file or the Splunk Web on the search head cluster member and look under Settings > Server settings > General settings to find the actual serverName. Reference for these details would be found in the Splunk documentation regarding the configuration files, particularly server.conf.

According to Splunk’s Deployment Planning and Implementation Guidelines, one of the most critical elements of a Splunk deployment plan is a comprehensive data source inventory and current logging details. This information defines the scope of data ingestion and directly influences sizing, architecture design, and licensing.

A proper deployment plan should identify:

All data sources (such as syslogs, application logs, network devices, OS logs, databases, etc.)

Expected daily ingest volume per source

Log formats and sourcetypes

Retention requirements and compliance constraints

This data forms the foundation for index sizing, forwarder configuration, and storage planning. Without a well-defined data inventory, Splunk architects cannot accurately determine hardware capacity, indexing load, or network throughput requirements.

While stakeholder mapping, topology diagrams, and continuity plans (Options A, B, D) are valuable in a broader IT project, Splunk’s official guidance emphasizes logging details and source inventory as mandatory for a deployment plan. It ensures that the Splunk environment is properly sized, licensed, and aligned with business data visibility goals.

References (Splunk Enterprise Documentation):

• Splunk Enterprise Deployment Planning Manual – Data Source Inventory Requirements

• Capacity Planning for Indexer and Search Head Sizing

• Planning Data Onboarding and Ingestion Strategies

• Splunk Architecture and Implementation Best Practices

The splunk offline --enforce-counts command is the official and documented method used to gracefully decommission a search peer (indexer) from an indexer cluster in Splunk Enterprise. This command ensures that all replication and search factors are maintained before the peer is removed.

When executed, Splunk initiates a controlled shutdown process for the peer node. The Cluster Manager verifies that sufficient replicated copies of all bucket data exist across the remaining peers according to the configured replication_factor (RF) and search_factor (SF). The --enforce-counts flag specifically enforces that replication and search counts remain intact before the peer fully detaches from the cluster, ensuring no data loss or availability gap.

The sequence typically includes:

Validating cluster state and replication health.

Rolling off the peer’s data responsibilities to other peers.

Removing the peer from the active cluster membership list once replication is complete.

Other options like disablepeer, decommission, or remove cluster-peers are not valid Splunk commands. Therefore, the correct documented method is to use:

splunk offline --enforce-counts

References (Splunk Enterprise Documentation):

• Indexer Clustering: Decommissioning a Peer Node

• Managing Peer Nodes and Maintaining Data Availability

• Splunk CLI Command Reference – splunk offline

• Cluster Manager and Peer Maintenance Procedures

 In a four site indexer cluster, the configuration that stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies is site_search_factor = origin:2, site2:1, total:4. This configuration tells the cluster to maintain two copies of searchable data at the site where the data originates, one copy of searchable data at site2, and a total of four copies of searchable data across all sites. The site_search_factor determines how many copies of searchable data are maintained by the cluster for each site. The site_replication_factor determines how many copies of raw data are maintained by the cluster for each site. For more information, see Configure multisite indexer clusters with server.conf in the Splunk documentation.

This is the index that records changes to .conf files as of Splunk 9.0. According to the Splunk documentation1, the _configtracker index tracks the changes made to the configuration files on the Splunk platform, such as the files in the etc directory. The _configtracker index can help monitor and troubleshoot the configuration changes, and identify the source and time of the changes1. The other options are not indexes that record changes to .conf files. Option B, _introspection, is an index that records the performance metrics of the Splunk platform, such as CPU, memory, disk, and network usage2. Option C, _internal, is an index that records the internal logs and events of the Splunk platform, such as splunkd, metrics, and audit logs3. Option D, _audit, is an index that records the audit events of the Splunk platform, such as user authentication, authorization, and activity4. Therefore, option A is the correct answer, and options B, C, and D are incorrect.

1: About the _configtracker index 2: About the _introspection index 3: About the _internal index 4: About the _audit index

The captain is the search head cluster component that is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster. The captain is elected from among the search head cluster members and performs these tasks in addition to serving search requests. The master is the indexer cluster component that is responsible for managing the replication and availability of data across the peer nodes. The deployer is the standalone instance that is responsible for distributing apps and other configurations to the search head cluster members. The deployment server is the instance that is responsible for distributing apps and other configurations to the deployment clients, such as forwarders

According to the Splunk documentation1, a bucket within a clustered index contains two key types of files: the raw data in compressed form (rawdata) and the indexes that point to the raw data (tsidx files). A bucket can be either replicated or searchable, depending on whether it has both types of files or only the rawdata file. A replicated bucket is a bucket that has been copied from one peer node to another for the purpose of data replication. A searchable bucket is a bucket that has both the rawdata and the tsidx files, and can be searched by the search heads. The types of files that exist in a bucket within a clustered index are:

Inside a searchable bucket, there is tsidx and rawdata. This is true because a searchable bucket contains both the data and the index files, and can be searched by the search heads1.

Inside a replicated bucket, there is both tsidx and rawdata. This is true because a replicated bucket can also be a searchable bucket, if it has both the data and the index files. However, not all replicated buckets are searchable, as some of them might only have the rawdata file, depending on the replication factor and the search factor settings1.

The other options are false because:

Inside a replicated bucket, there is only rawdata. This is false because a replicated bucket can also have the tsidx file, if it is a searchable bucket. A replicated bucket only has the rawdata file if it is a non-searchable bucket, which means that it cannot be searched by the search heads until it gets the tsidx file from another peer node1.

Inside a searchable bucket, there is only tsidx. This is false because a searchable bucket always has both the tsidx and the rawdata files, as they are both required for searching the data. A searchable bucket cannot exist without the rawdata file, as it contains the actual data that the tsidx file points to1.

 The following artifacts are included in a Splunk diag file:

Server specs. These are the specifications of the server that Splunk runs on, such as the CPU model, the memory size, the disk space, and the network interface. These specs can help understand the Splunk hardware requirements and performance.

Current open connections. These are the connections that Splunk has established with other Splunk instances or external sources, such as forwarders, indexers, search heads, license masters, deployment servers, and data inputs. These connections can help understand the Splunk network topology and communication.

Internal Splunk log files. These are the log files that Splunk generates to record its own activities, such as splunkd.log, metrics.log, audit.log, and others. These logs can help troubleshoot Splunk issues and monitor Splunk performance.

Index listings. These are the listings of the indexes that Splunk has created and configured, such as the index name, the index location, the index size, and the index attributes. These listings can help understand the Splunk data management and retention. The following artifacts are not included in a Splunk diag file:

Search history. This is the history of the searches that Splunk has executed, such as the search query, the search time, the search results, and the search user. This history is not part of the Splunk diag file, but it can be accessed from the Splunk Web interface or the audit.log file.

Splunk users and their roles. These are the users that Splunk has created and assigned roles to, such as the user name, the user password, the user role, and the user capabilities. These users and roles are not part of the Splunk diag file, but they can be accessed from the Splunk Web interface or the authentication.conf and authorize.conf files.

KV store listings. These are the listings of the KV store collections and documents that Splunk has created and stored, such as the collection name, the collection schema, the document ID, and the document fields. These listings are not part of the Splunk diag file, but they can be accessed from the Splunk Web interface or the mongod.log file.

Indexed data. These are the data that Splunk indexes and makes searchable, such as the rawdata and the tsidx files. These data are not part of the Splunk diag file, as they may contain sensitive or confidential information. For more information, see Generate a diagnostic snapshot of your Splunk Enterprise deployment in the Splunk documentation.

 The index-time props.conf attributes that impact indexing performance are LINE_BREAKER and SHOULD_LINEMERGE. These attributes determine how Splunk breaks the incoming data into events and whether it merges multiple events into one. These operations can affect the indexing speed and the disk space consumption. The REPORT attribute does not impact indexing performance, as it is used to apply transforms at search time. The ANNOTATE_PUNCT attribute does not impact indexing performance, as it is used to add punctuation metadata to events at search time. For more information, see [About props.conf and transforms.conf] in the Splunk documentation.

The correct answer is C. Increase the parallellngestionPipelines attribute. This is an option in limits.conf that may provide performance benefits at the forwarding tier, as it allows the forwarder to process multiple data inputs in parallel1. The parallellngestionPipelines attribute specifies the number of pipelines that the forwarder can use to ingest data from different sources1. By increasing this value, the forwarder can improve its throughput and reduce the latency of data delivery1. The other options are not effective options to provide performance benefits at the forwarding tier. Option A, enabling the indexed_realtime_use_by_default attribute, is not recommended, as it enables the forwarder to send data to the indexer as soon as it is received, which may increase the network and CPU load and degrade the performance2. Option B, increasing the maxKBps attribute, is not a good option, as it increases the maximum bandwidth, in kilobytes per second, that the forwarder can use to send data to the indexer3. This may improve the data transfer speed, but it may also saturate the network and cause congestion and packet loss3. Option D, increasing the max_searches_per_cpu attribute, is not relevant, as it only affects the search performance on the indexer or search head, not the forwarding performance on the forwarder4. Therefore, option C is the correct answer, and options A, B, and D are incorrect.

1: Configure parallel ingestion pipelines 2: Configure real-time forwarding 3: Configure forwarder output 4: Configure search performance

The minimum reference server specification for a Splunk indexer is 12 CPU cores, 12GB RAM, and 800 IOPS. This specification is based on the assumption that the indexer will handle an average indexing volume of 100GB per day, with a peak of 300GB per day, and a typical search load of 1 concurrent search per 1GB of indexing volume. The other specifications are either higher or lower than the minimum requirement. For more information, see [Reference hardware] in the Splunk documentation.

According to the Splunk documentation1, increasing the current deployment client phone home interval can minimize performance issues by reducing the frequency of communication between the clients and the deployment server. This can also reduce the network traffic and the load on the deployment server. The other options are false because:

Modifying deploymentclient.conf to change from a Pull to Push mechanism is not possible, as Splunk does not support a Push mechanism for deployment server2.

Reducing the number of apps in the Manager Node repository will not affect the performance of the deployment server, as the apps are only downloaded when there is a change in the configuration or a new app is added3.

Decreasing the current deployment client phone home interval will increase the performance issues, as it will increase the frequency of communication between the clients and the deployment server, resulting in more network traffic and load on the deployment server1.

The index=_internal component=DC* host= search will show all deployment client messages from the universal forwarder. The component field indicates the type of Splunk component that generated the message, and the host field indicates the host name of the machine that sent the message. The index=_audit component=DC* host= search will not return any results, because the deployment client messages are not stored in the _audit index. The index=_internal component=DS* host= search will show the deployment server messages from the deployment server, not the client. The index=_audit component=DS* host= search will also not return any results, for the same reason as above

Primary rebalancing automatically occurs when a rolling restart completes, a master node rejoins the cluster, or a peer node joins or rejoins the cluster. These events can cause the distribution of primary buckets to become unbalanced, so the master node will initiate a rebalancing process to ensure that each peer node has roughly the same number of primary buckets. Primary rebalancing does not occur when a captain joins or rejoins the cluster, because the captain is a search head cluster component, not an indexer cluster component. The captain is responsible for search head clustering, not indexer clustering

Data Model acceleration is a feature that enables faster searches over large data sets by summarizing the raw data into a more efficient format. Data Model acceleration consumes additional disk space, as it stores both the raw data and the summarized data. The amount of disk space required depends on the size and complexity of the Data Model, the retention period of the summarized data, and the compression ratio of the data. According to the Splunk Enterprise Security Planning and Installation Manual, Data Model acceleration is one of the factors that strongly impacts storage sizing requirements for Enterprise Security. The other factors are the volume and type of data sources, the retention policy of the data, and the replication factor and search factor of the index cluster. The number of scheduled (correlation) searches, the number of Splunk users configured, and the number of source types used in the environment are not directly related to storage sizing requirements for Enterprise Security1

1: https://docs.splunk.com/Documentation/ES/6.6.0/Install/Plan#Storage_sizing_requirements

According to Splunk Enterprise administrative documentation, the btool utility is used to troubleshoot configuration settings by merging and displaying effective configurations from all configuration files (system, app, and local levels). When diagnosing license master configuration issues on a search peer or any cluster node, Splunk recommends using the command that specifically lists the license-related stanzas from server.conf.

The correct command is:

splunk cmd btool server list license --debug

This command reveals all configuration parameters under the [license] stanza, including those related to license master connections such as master_uri, pass4SymmKey, and disabled flags. The --debug flag ensures full path tracing of each configuration file, making it easy to identify conflicting or missing parameters that cause communication or validation errors between a search peer and the license master.

Other commands listed, such as btool server list clustering, are meant for diagnosing cluster configuration issues (like replication or search factors), not licensing. The check --debug command only validates syntax and structure, not specific configuration errors tied to licensing. Therefore, the correct and Splunk-documented method for diagnosing license configuration problems on a search peer is to inspect the license stanza using the btool server list license --debug command.

References (Splunk Enterprise Documentation):

• btool Command Reference – Troubleshooting Configuration Issues

• server.conf – License Configuration Parameters

• Managing Distributed License Configurations in Search Peer Clusters

• Troubleshooting License Master and Peer Connectivity