Monitoring Console (MC) health check configuration items are stored in which configuration file?
A. healthcheck.conf
B. alert_actions.conf
C. distsearch.conf
D. checklist.conf
Which statement is true about subsearches?
A. Subsearches are faster than other types of searches.
B. Subsearches work best for joining two large result sets.
C. Subsearches run at the same time as their outer search.
D. Subsearches work best for small result sets.
A customer has a new set of hardware to replace their aging indexers. What method would reduce the amount of bucket replication operations during the migration process?
A. Disable the indexing ports on the old indexers.
B. Disable replication ports on the old indexers.
C. Put the old indexers into manual detention.
D. Put the old indexers into automatic detention.
A customer has a search cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages. Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?
A. The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
B. The SHC will stop all scheduled search activity within the SHC.
C. The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
D. The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.
The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?
A. 1. Install new indexers.
2.
Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3.
Decommission old peers one at a time.
4.
Remove old peers from the CM's list.
5.
Update forwarders to forward to the new peers.
B. 1. Install new indexers.
2.
Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3.
Decommission old peers one at a time.
4.
Remove old peers from the CM's list.
5.
Update forwarders to forward to the new peers.
C. 1. Install new indexers.
2.
Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3.
Update forwarders to forward to the new peers.
4.
Decommission old peers on at a time.
5.
Restart the cluster master (CM).
D. 1. Install new indexers.
2.
Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3.
Update forwarders to forward to the new peers.
4.
Decommission old peers one at a time.
5.
Remove old peers from the CM's list.
What happens when an index cluster peer freezes a bucket?
A. All indexers with a copy of the bucket will delete it.
B. The cluster master will ensure another copy of the bucket is made on the other peers to meet the replication settings.
C. The cluster master will no longer perform fix-up activities for the bucket.
D. All indexers with a copy of the bucket will immediately roll it to frozen.
A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?
A. Enter the license master configuration via Splunk web on each indexer before disabling Splunk web.
B. Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle.
C. Update the Splunk PS base config license app and copy to each indexer.
D. Update the Splunk PS base config license app and deploy via the cluster master.
Consider the search shown below.

What is this search's intended function?
A. To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
B. To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.
C. To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.
D. To search the firewall index for web logs that have been denied and are of high severity.
The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?
A. Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design.
B. Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision.
C. Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design.
D. Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.
Which statement is correct?
A. In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.
B. As a streaming command, streamstats performs better than stats since stats is just a reporting command.
C. When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.
D. Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.