SPLK-2002 Splunk Enterprise Certified Architect Free Practice Exam Questions (2026 Updated)

Splunk Enterprise officially requires a minimum of three search heads and one deployer for a supported Search Head Cluster (SHC) configuration. This ensures both high availability and data consistency within the cluster.

The Splunk documentation explains that a search head cluster uses RAFT-based consensus to elect a captain responsible for managing configuration replication, scheduling, and user workload distribution. The RAFT protocol requires a quorum of members to maintain consistency. In practical terms, this means a minimum of three members (search heads) to achieve fault tolerance — allowing one member to fail while maintaining operational stability.

The deployer is a separate Splunk instance responsible for distributing configuration bundles (apps, settings, and user configurations) to all members of the search head cluster. The deployer is not part of the SHC itself but is mandatory for its proper management.

Running with fewer than three search heads or replacing the deployer with a Deployment Server (as in Options B, C, or D) is unsupported and violates Splunk best practices for SHC resiliency and management.

References (Splunk Enterprise Documentation):

• Search Head Clustering Overview – Minimum Supported Architecture

• Deploy and Configure the Deployer for a Search Head Cluster

• High Availability and Fault Tolerance with RAFT in SHC

According to the Splunk Search Job Inspector documentation, the search.log file for a completed search job can be accessed through Splunk Web by navigating to the job’s detailed inspection view.

To access it:

Open the completed search in Splunk Web.

Click the Job menu (top right of the search interface).

Select Inspect Job.

In the Job Inspector window, click the search.log link.

This log provides in-depth diagnostic details about how the search was parsed, distributed, and executed across the search head and indexers. It contains valuable performance metrics, command execution order, event sampling information, and any error or warning messages encountered during search processing.

The search.log file is generated for every search job—scheduled, ad-hoc, or background—and is stored in the job’s dispatch directory ($SPLUNK_HOME/var/run/splunk/dispatch//).

Other listed options are incorrect:

Option A queries the _internal index, which does not store per-search logs.

Option B is used to view search configurations, not logs.

Option C is not a valid Splunk Web navigation option.

Thus, the only correct and Splunk-documented method is via Job → Inspect Job → search.log.

References (Splunk Enterprise Documentation):

• Search Job Inspector Overview and Usage

• Analyzing Search Performance Using search.log

• Search Job Management and Dispatch Directory Structure

• Splunk Enterprise Admin Manual – Troubleshooting Searches

Of the following types of files within an index bucket, the rawdata file type may consume the most disk. The rawdata file type contains the compressed and encrypted raw data that Splunk has ingested. The rawdata file type is usually the largest file type in a bucket, because it stores the original data without any filtering or extraction. The bloom filter file type contains a probabilistic data structure that is used to determine if a bucket contains events that match a given search. The bloom filter file type is usually very small, because it only stores a bit array of hashes. The metadata (.data) file type contains information about the bucket properties, such as the earliest and latest event timestamps, the number of events, and the size of the bucket. The metadata file type is also usually very small, because it only stores a few lines of text. The inverted index (.tsidx) file type contains the time-series index that maps the timestamps and event IDs of the raw data. The inverted index file type can vary in size depending on the number and frequency of events, but it is usually smaller than the rawdata file type

The correct answer is C. 100 GB per day. This is the expected minimum amount of storage required for data across an indexer cluster with the given input and parameters. The storage requirement can be calculated by adding the raw data size and the index files size, and then multiplying by the Replication Factor and the Search Factor1. In this case, the calculation is:

(15 GB + 35 GB) x 2 x 2 = 100 GB

The Replication Factor is the number of copies of each bucket that the cluster maintains across the set of peer nodes2. The Search Factor is the number of searchable copies of each bucket that the cluster maintains across the set of peer nodes3. Both factors affect the storage requirement, as they determine how many copies of the data are stored and searchable on the indexers. The other options are not correct, as they do not match the result of the calculation. Therefore, option C is the correct answer, and options A, B, and D are incorrect.

1: Estimate storage requirements 2: About indexer clusters and index replication 3: Configure the search factor

The walklex command in Splunk is a specialized administrative search command used to translate and display LISPY (Splunk’s internal representation of search terms). LISPY is the logical search syntax Splunk uses to parse and execute search queries, and examining it helps administrators and developers debug search optimization, field extraction behavior, and index-time search efficiency.

When you run the command | walklex search="your_search_string", Splunk outputs how it tokenizes and interprets that query internally. This is particularly useful for understanding how Splunk’s search language maps to index-time fields and for diagnosing performance issues caused by inefficient search term parsing.

For example:

| walklex search="error OR failure host=server01"

Displays the corresponding LISPY translation used by Splunk’s search subsystem.

Other options are unrelated:

dbinspect provides index bucket metadata.

Monitoring Console shows performance metrics and health status.

Search Job Inspector analyzes search execution phases but doesn’t expose LISPY.

Thus, the correct and Splunk-documented tool for LISPY inspection is the walklex command.

References (Splunk Enterprise Documentation):

• walklex Command Reference – LISPY and Search Debugging

• Understanding Search Language Parsing in Splunk

• Search Internals: How Splunk Interprets Queries

• Splunk Search Performance Troubleshooting Tools

According to the Splunk Enterprise User Authentication and Authorization Guide, effective user management during deployment planning involves identifying how users will authenticate (native, LDAP, or SAML) and defining what roles and capabilities they will need to perform their tasks.

However, counting or analyzing the number of users who appear in Splunk log events (Option C) is not part of user management planning. This metric relates to audit and monitoring, not access provisioning or role assignment.

A proper user management plan should address:

Authentication method selection (native, LDAP, or SAML).

User mapping and provisioning workflows from existing identity stores.

Role-based access control (RBAC) — assigning users appropriate permissions via Splunk roles and capabilities.

Administrative governance — ensuring access policies align with compliance requirements.

Determining the number of users visible in log events provides no operational value when planning Splunk authentication or authorization architecture. Therefore, this task can be safely disregarded during initial planning.

References (Splunk Enterprise Documentation):

• User Authentication and Authorization in Splunk Enterprise

• Configuring LDAP and SAML Authentication

• Managing Users, Roles, and Capabilities

• Splunk Deployment Planning Manual – Security and Access Control Planning

The system local directory has the highest precedence among the following directories that contain Splunk configuration files of the same name within different apps. Splunk configuration files are stored in various directories under the SPLUNK_HOME/etc directory. The precedence of these directories determines which configuration file settings take effect when there are conflicts or overlaps. The system local directory, which is located at SPLUNK_HOME/etc/system/local, has the highest precedence among all directories, because it contains the system-level configurations that are specific to the instance. The system default directory, which is located at SPLUNK_HOME/etc/system/default, has the lowest precedence among all directories, because it contains the system-level configurations that are provided by Splunk and should not be modified. The app local directories, which are located at SPLUNK_HOME/etc/apps/APP_NAME/local, have a higher precedence than the app default directories, which are located at SPLUNK_HOME/etc/apps/APP_NAME/default, because the local directories contain the app-level configurations that are specific to the instance, while the default directories contain the app-level configurations that are provided by the app and should not be modified. The app local and default directories have different precedences depending on the ASCII order of the app names, with the app names that come later in the ASCII order having higher precedences.

Splunk Enterprise documentation clearly states that the best method to secure log traffic between Universal Forwarders (UFs) and Indexers is to implement Transport Layer Security (TLS) using signed SSL certificates. When Universal Forwarders send data to Indexers, this communication can be encrypted using SSL/TLS to prevent eavesdropping, data tampering, or interception while in transit.

Splunk provides default self-signed certificates out of the box, but these are only for testing or lab environments and should not be used in production. Production-grade security requires custom, signed SSL certificates — either from an internal Certificate Authority (CA) or a trusted public CA. These certificates validate both the sender (forwarder) and receiver (indexer), ensuring data integrity and authenticity.

In practice, this involves:

Generating or obtaining CA-signed certificates.

Configuring the forwarder’s outputs.conf to use SSL encryption (sslCertPath, sslPassword, and sslRootCAPath).

Configuring the indexer’s inputs.conf and server.conf to require and validate client certificates.

This configuration ensures end-to-end encryption for all log data transmitted from forwarders to indexers.

Routing traffic through a WAF (Option C) does not provide end-to-end encryption for Splunk’s internal communication, and securing search head–to–indexer communication (Option D) is unrelated to forwarder data flow.

References (Splunk Enterprise Documentation):

• Securing Splunk Enterprise: Encrypting Data in Transit Using SSL/TLS

• Configure Forwarder-to-Indexer Encryption

• Server and Forwarder Authentication with Signed Certificates

• Best Practices for Forwarder Management and Security Configuration

In the deployment planning process, a person should identify who gets to see network data in the data policy definition step. This step involves defining the data access policies and permissions for different users and roles in Splunk. The deployment schedule step involves defining the timeline and milestones for the deployment project. The topology diagramming step involves creating a visual representation of the Splunk architecture and components. The data source inventory step involves identifying and documenting the data sources and types that will be ingested by Splunk

The correct Splunk deployment to have the recommended minimum components for a high-availability search head cluster is 3 search heads, 1 deployer, 3 indexers. This configuration ensures that the search head cluster has at least three members, which is the minimum number required for a quorum and failover1. The deployer is a separate instance that manages the configuration updates for the search head cluster2. The indexers are the nodes that store and index the data, and having at least three of them provides redundancy and load balancing3. The other options are not recommended, as they either have less than three search heads or less than three indexers, which reduces the availability and reliability of the cluster. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: About search head clusters 2: Use the deployer to distribute apps and configuration updates 3: About indexer clusters and index replication

The splunk validate cluster-bundle --check-restart command is the officially documented Splunk Enterprise method to determine if a configuration bundle push will trigger a rolling restart within an indexer cluster.

When configuration changes are made on the Cluster Manager (Master Node)—for example, updates to indexes.conf, props.conf, or transforms.conf—Splunk administrators must validate the bundle before pushing it to all peer nodes. Using this command allows the Cluster Manager to simulate the deployment and verify whether the configuration modifications necessitate a restart across peer indexers to take effect.

The --check-restart flag specifically reports whether:

The configuration changes are minor (no restart required).

The changes affect components that require a full or rolling restart (e.g., changes to indexing paths, volume definitions, or replication factors).

Running this validation prior to an actual splunk apply cluster-bundle command prevents service disruption during production operations.

Other commands such as splunk show cluster-bundle-status display deployment status but not restart requirements, and splunk apply cluster-bundle executes the actual deployment, not validation.

References (Splunk Enterprise Documentation):

• Indexer Clustering: Deploy Configuration Bundles with Validation

• splunk validate cluster-bundle Command Reference

• Managing Indexer Clusters – Rolling Restarts and Bundle Deployment Best Practices

• Splunk Enterprise Admin Manual – Cluster Manager Maintenance Commands

According to the Splunk documentation1, when migrating an indexer cluster from single-site to multi-site, you must remove the existing single-site attributes from the server.conf file of each peer node. These attributes include replication_factor, search_factor, and cluster_label. You must also restart each peer node after removing the attributes. The other options are false because:

Multi-site policies will apply only to the data created after migration, unless you configure the manager node to convert legacy buckets to multi-site1.

All peer nodes do not need to run the same version of Splunk, as long as they are compatible with the manager node2.

Single-site buckets can be converted to multi-site buckets by changing the constrain_singlesite_buckets setting in the manager node’s server.conf file to "false"1.

Splunk configuration files are files that contain settings that control various aspects of Splunk behavior, such as data inputs, outputs, indexing, searching, clustering, and so on1. Troubleshooting Splunk configuration files involves identifying and resolving issues that affect the functionality or performance of Splunk due to incorrect or conflicting configuration settings. Some of the tools and methods that can help with troubleshooting Splunk configuration files are:

search.log: This is a file that contains detailed information about the execution of a search, such as the search pipeline, the search commands, the search results, the search errors, and the search performance2. This file can help troubleshoot issues related to search configuration, such as props.conf, transforms.conf, macros.conf, and so on3.

btool output: This is a command-line tool that displays the effective configuration settings for a given Splunk component, such as inputs, outputs, indexes, props, and so on4. This tool can help troubleshoot issues related to configuration precedence, inheritance, and merging, as well as identify the source of a configuration setting5.

diagnostic logs: These are files that contain information about the Splunk system, such as the Splunk version, the operating system, the hardware, the license, the indexes, the apps, the users, the roles, the permissions, the configuration files, the log files, and the metrics6. These files can help troubleshoot issues related to Splunk installation, deployment, performance, and health7.

Option A is the correct answer because crash logs are the least helpful in troubleshooting Splunk configuration files. Crash logs are files that contain information about the Splunk process when it crashes, such as the stack trace, the memory dump, and the environment variables8. These files can help troubleshoot issues related to Splunk stability, reliability, and security, but not necessarily related to Splunk configuration9.

The Splunk Enterprise Security and Encryption documentation specifies that the primary mechanism for securing data in motion within a Splunk environment is to enable TLS/SSL encryption between forwarders and indexers. This ensures that log data transmitted from Universal Forwarders or Heavy Forwarders to Indexers is fully encrypted and protected from interception or tampering.

The correct configuration involves setting up signed SSL certificates on both forwarders and indexers:

On the forwarder, TLS settings are defined in outputs.conf, specifying parameters like sslCertPath, sslPassword, and sslRootCAPath.

On the indexer, TLS is enabled in inputs.conf and server.conf using the same shared CA for validation.

Splunk’s documentation explicitly states that this configuration protects data-in-transit between the collection (forwarder) and indexing (storage) tiers — which is the critical link where sensitive log data is most vulnerable.

Other communication channels (e.g., deployment server to clients or browser to Splunk Web) can also use encryption but do not secure the ingestion pipeline that handles the indexed data stream. Therefore, TLS should be implemented between Splunk forwarders and indexers.

References (Splunk Enterprise Documentation):

• Securing Data in Transit with SSL/TLS

• Configure Forwarder-to-Indexer Encryption Using SSL Certificates

• Server and Forwarder Authentication Setup Guide

• Splunk Enterprise Admin Manual – Security and Encryption Best Practices

In the context of splunkd.log events written to the _internal index, the field that identifies the specific log channel is the "channel" field. This information is confirmed by the Splunk Common Information Model (CIM) documentation, where "channel" is listed as a field name associated with Splunk Audit Logs​​.

The default interval at which metrics.log generates a periodic report regarding license utilization is 60 seconds. This report contains information about the license usage and quota for each Splunk instance, as well as the license pool and stack. The report is generated every 60 seconds by default, but this interval can be changed by modifying the license_usage stanza in the metrics.conf file. The other intervals (10 seconds, 30 seconds, and 300 seconds) are not the default values, but they can be set by the administrator if needed. For more information, see About metrics.log and Configure metrics.log in the Splunk documentation.

A dedicated deployment server is a Splunk instance that manages the distribution of configuration updates and apps to a set of deployment clients, such as forwarders, indexers, or search heads. A dedicated deployment server should be used when there are more than 50 deployment clients, because this number exceeds the recommended limit for a non-dedicated deployment server. A non-dedicated deployment server is a Splunk instance that also performs other roles, such as indexing or searching. Using a dedicated deployment server can improve the performance, scalability, and reliability of the deployment process. Option C is the correct answer. Option A is incorrect because the number of search peers does not affect the need for a dedicated deployment server. Search peers are indexers that participate in a distributed search. Option B is incorrect because the number of apps to deploy does not affect the need for a dedicated deployment server. Apps are packages of configurations and assets that provide specific functionality or views in Splunk. Option D is incorrect because the number of server classes does not affect the need for a dedicated deployment server. Server classes are logical groups of deployment clients that share the same configuration updates and apps12

1: https://docs.splunk.com/Documentation/Splunk/9.1.2/Updating/Aboutdeploymentserver 2: https://docs.splunk.com/Documentation/Splunk/9.1.2/Updating/Whentousedeploymentserver

 The following artifacts are included in a Splunk diag file:

Internal logs. These are the log files that Splunk generates to record its own activities, such as splunkd.log, metrics.log, audit.log, and others. These logs can help troubleshoot Splunk issues and monitor Splunk performance.

Configuration files. These are the files that Splunk uses to configure various aspects of its operation, such as server.conf, indexes.conf, props.conf, transforms.conf, and others. These files can help understand Splunk settings and behavior. The following artifacts are not included in a Splunk diag file:

OS settings. These are the settings of the operating system that Splunk runs on, such as the kernel version, the memory size, the disk space, and others. These settings are not part of the Splunk diag file, but they can be collected separately using the diag --os option.

Customer data. These are the data that Splunk indexes and makes searchable, such as the rawdata and the tsidx files. These data are not part of the Splunk diag file, as they may contain sensitive or confidential information. For more information, see Generate a diagnostic snapshot of your Splunk Enterprise deployment in the Splunk documentation.

 ITSI can impact the planning of a Splunk deployment depending on the Key Performance Indicators (KPIs) that are being tracked. KPIs are metrics that measure the health and performance of IT services and business processes. ITSI collects, analyzes, and displays KPI data from various data sources in Splunk. Depending on the number, frequency, and complexity of the KPIs, additional infrastructure may be needed to support the data ingestion, processing, and visualization. ITSI does not require a dedicated deployment server, nor does it affect the number of users using ITSI. ITSI in a Splunk deployment does require additional hardware resources, such as CPU, memory, and disk space, to run the ITSI components and apps