When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

A. Auto

B. None

C. True

D. False

In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files.

What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

A. Total daily indexing volume, number of peer nodes, and number of accelerated searches.

B. Total daily indexing volume, number of peer nodes, replication factor, and search factor.

C. Total daily indexing volume, replication factor, search factor, and number of search heads.

D. Replication factor, search factor, number of accelerated searches, and total disk size across cluster.

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

A. Create a job server on the cluster.

B. Add another search head to the cluster.

C. server.conf captain_is_adhoc_searchhead = true.

D. Change limits.conf value for max_searches_per_cpu to a higher value.

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

A. adhoc_searchhead = true (on all members)

B. adhoc_searchhead = true (on the current captain)

C. captain_is_adhoc_searchhead = true (on all members)

D. captain_is_adhoc_searchhead = true (on the current captain)

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

A. kvstore.conf

B. collection.conf

C. collections.conf

D. kvcollections.conf

When adding or decommissioning a member from a Search Head Cluster (SHC), what is the proper order of operations?

A. 1. Delete Splunk Enterprise, if it exists.

2.

Install and initialize the instance.

3.

Join the SHC.

B. 1. Install and initialize the instance.

2.

Delete Splunk Enterprise, if it exists.

3.

Join the SHC.

C. 1. Initialize cluster rebalance operation.

2.

Remove master node from cluster.

3.

Trigger replication.

D. 1. Trigger replication.

2.

Remove master node from cluster.

3.

Initialize cluster rebalance operation.

When converting from a single-site to a multi-site cluster, what happens to existing single-site clustered buckets?

A. They will continue to replicate within the origin site and age out based on existing policies.

B. They will maintain replication as required according to the single-site policies, but never age out.

C. They will be replicated across all peers in the multi-site cluster and age out based on existing policies.

D. They will stop replicating within the single-site and remain on the indexer they reside on and age out according to existing policies.

How does the average run time of all searches relate to the available CPU cores on the indexers?

A. Average run time is independent of the number of CPU cores on the indexers.

B. Average run time decreases as the number of CPU cores on the indexers decreases.

C. Average run time increases as the number of CPU cores on the indexers decreases.

D. Average run time increases as the number of CPU cores on the indexers increases.

A Splunk user successfully extracted an ip address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)

A. The field was extracted as a private knowledge object.

B. The events are tagged as communicate, but are missing the network tag.

C. The Typing Queue, which does regular expression replacements, is blocked.

D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.

Which of the following statements describe search head clustering? (Select all that apply.)

A. A deployer is required.

B. At least three search heads are needed.

C. Search heads must meet the high-performance reference server requirements.

D. The deployer must have sufficient CPU and network resources to process service requests and push configurations.