SPLK-2002 Exam Information and Guideline
Splunk Enterprise Certified Architect - 2025
Below is the complete list of topics from the latest syllabus and course outline, to give you a good understanding of the exam objectives and the topics you have to prepare. These topics are covered in the exam's question and answer pool.
Length: 90 minutes
Format: 85 multiple choice questions
Delivery: Exam is given by our testing partner Pearson VUE
- Introduction
  - Describe a deployment plan
  - Define the deployment process
- Project Requirements
  - Identify critical information about environment, volume, users, and requirements
  - Apply checklists and resources to aid in collecting requirements
- Infrastructure Planning: Index Design
  - Understand how to design and size indexes
  - Estimate non-SmartStore-related storage requirements
  - Identify relevant apps
- Infrastructure Planning: Resource Planning
  - List sizing considerations
  - Identify disk storage requirements
  - Define hardware requirements for various Splunk components
  - Describe ES considerations for sizing and topology
  - Describe ITSI considerations for sizing and topology
  - Describe security, privacy, and integrity measures
- Clustering Overview
  - Identify non-SmartStore-related storage and disk usage requirements
  - Identify search head clustering requirements
- Forwarder and Deployment Best Practices 6%
  - Identify best practices for forwarder tier design
  - Understand configuration management for all Splunk components, using Splunk deployment tools
- Performance Monitoring and Tuning
  - Use limits.conf to improve performance
  - Use indexes.conf to manage bucket size
  - Tune props.conf
  - Improve search performance
- Splunk Troubleshooting Methods and Tools
  - Splunk diagnostic resources and tools
- Clarifying the Problem
  - Identify Splunk’s internal log files
  - Identify Splunk’s internal indexes
- Licensing and Crash Problems
  - License issues
  - Crash issues
- Configuration Problems
  - Input issues
- Search Problems
  - Search issues
  - Job inspector
- Deployment Problems
  - Forwarding issues
  - Deployment server issues
- Large-scale Splunk Deployment Overview
  - Identify Splunk server roles in clusters
  - License Master configuration in a clustered environment
- Single-site Indexer Cluster
  - Splunk single-site indexer cluster configuration
- Multisite Indexer Cluster
  - Splunk multisite indexer cluster overview
  - Multisite indexer cluster configuration
  - Cluster migration and upgrade considerations
- Indexer Cluster Management and Administration
  - Indexer cluster storage utilization options
  - Peer offline and decommission
  - Master app bundles
  - Monitoring Console for indexer cluster environment
- Search Head Cluster
  - Splunk search head cluster overview
  - Search head cluster configuration
- Search Head Cluster Management and Administration
  - Search head cluster deployer
  - Captaincy transfer
  - Search head member addition and decommissioning
- KV Store Collection and Lookup Management
  - KV Store collection in Splunk clusters
- Splunk Deployment Methodology and Architecture
  - Planning and Designing Splunk Environments:
    - Understand Splunk deployment methodologies for small, medium, and large-scale environments.
    - Design distributed architectures to handle high data volumes efficiently.
    - Plan for redundancy, load balancing, and scalability.
  - Indexers: Store and index data for search and analysis.
  - Search Heads: Manage search requests and distribute them across indexers.
  - Forwarders: Collect and forward data to indexers (e.g., Universal Forwarder, Heavy Forwarder).
  - Deployment Server: Manages configurations for forwarders and other Splunk components.
  - Cluster Master: Oversees indexer clustering for replication and high availability.
  - Distributed Deployment:
    - Configure indexer and search head clustering for redundancy and performance.
    - Implement high availability (HA) through failover mechanisms.
    - Design scalable systems with horizontal scaling (adding more indexers or search heads).
  - Terminologies:
    - Indexer Clustering: Grouping indexers to replicate data for redundancy.
    - Search Head Clustering: Grouping search heads for load balancing and HA.
    - Replication Factor: Number of data copies maintained in an indexer cluster.
    - Search Factor: Number of searchable data copies in an indexer cluster.
    - Bucket: A storage unit for indexed data (hot, warm, cold, frozen).
- Data Ingestion and Indexing
  - Data Inputs Configuration:
    - Configure data inputs (e.g., files, directories, network inputs, scripted inputs).
    - Manage source types and ensure consistent event formatting.
    - Handle data from various sources (syslog, HTTP Event Collector, etc.).
  - Indexing Processes:
    - Understand data parsing, indexing, and storage processes.
    - Configure indexes for performance and retention policies.
    - Optimize indexing pipelines for high-throughput environments.
  - Data Integrity and Compression:
    - Ensure data integrity during ingestion and indexing.
    - Understand Splunk’s data compression (e.g., rawdata and tsidx files).
    - Estimate disk storage requirements (e.g., rawdata ~15%, tsidx ~35% for syslog data).
  - Source Type: Metadata defining how Splunk parses incoming data.
  - Rawdata: Uncompressed event data stored in buckets.
  - Tsidx: Time-series index files for efficient searching.
  - Event Breaking: Process of splitting raw data into individual events.
  - Hot/Warm/Cold Buckets: Stages of data storage based on age and access frequency.
- Search and Reporting
  - Search Processing Language (SPL):
    - Write and optimize complex SPL queries for searching and reporting.
    - Use commands like stats, eval, rex, and lookup for data analysis.
  - Knowledge Objects:
    - Create and manage knowledge objects (e.g., saved searches, reports, dashboards, field extractions).
    - Understand permissions and sharing of knowledge objects.
  - Search Optimization:
    - Optimize search performance in distributed environments.
    - Configure search pipelines and limits (e.g., limits.conf).
    - Use data models and accelerated searches for faster results.
  - Knowledge Objects: Reusable components like searches, dashboards, and lookups.
  - Data Model: Structured dataset for pivoting and reporting.
  - Accelerated Search: Pre-computed summaries for faster search results.
  - Search Head: Component that executes searches and renders results.
- Security and User Management
  - Authentication and Authorization:
    - Configure user authentication (e.g., LDAP, SAML, Splunk native).
    - Manage roles, capabilities, and access controls.
  - Data Security:
    - Implement data encryption for Splunk Web, splunkd, and distributed search.
    - Configure certificate authentication between forwarders and indexers.
  - Audit and Compliance:
    - Monitor audit trails for user activity and system changes.
    - Ensure compliance with security standards.
  - Role: A set of permissions assigned to users.
  - Capability: Specific actions a role can perform (e.g., run searches, edit indexes).
  - Splunkd: The core Splunk daemon handling indexing and search.
  - KV Store: Key-value store for storing application data.
- Clustering and High Availability
  - Indexer Clustering:
    - Configure replication and search factors for data redundancy.
    - Manage bucket replication and recovery.
  - Search Head Clustering:
    - Set up search head clusters for load balancing and HA.
    - Use splunk apply shcluster-bundle and splunk resync shcluster-replicated-config for configuration synchronization.
  - High Availability:
    - Ensure continuous availability through failover and redundancy.
    - Increase replication factor for searchable data HA.
  - Cluster Master: Manages indexer cluster operations.
  - Peer Node: An indexer in a cluster.
  - Search Head Cluster: Group of search heads for distributed search.
  - Raft: Consensus algorithm for search head clustering.
- Performance Tuning and Troubleshooting
  - Performance Optimization:
    - Increase parallel ingestion pipelines (server.conf) for indexing performance.
    - Adjust hot bucket limits (indexes.conf) and search concurrency (limits.conf).
    - Monitor system resources (CPU, memory, IOPS) for bottlenecks.
  - Troubleshooting:
    - Diagnose connectivity issues using tools like tcpdump and splunk btool.
    - Analyze splunkd.log for deployment server issues.
    - Resolve inconsistent event formatting due to misconfigured forwarders or source types.
  - IOPS: Input/Output Operations Per Second, a measure of disk performance.
  - Splunk Btool: Command-line tool for configuration validation.
  - KV Store: Used for storing and retrieving configuration data.
  - Monitoring Console: Splunk’s built-in tool for monitoring deployment health.
- Integration with Third-Party Systems
  - Third-Party Integration:
    - Integrate Splunk with Hadoop for searching HDFS data.
    - Configure Splunk to work with external systems via APIs or add-ons.
  - Data Sharing:
    - Enable Splunk to share data with external applications.
    - Use Splunk’s REST API for programmatic access.
  - HDFS: Hadoop Distributed File System.
  - REST API: Splunk’s interface for external integrations.
  - Add-on: Modular component for integrating with specific data sources.
- Forwarder: Collects and sends data to indexers (Universal, Heavy, Cloud).
- Indexer: Processes and stores data for searching.
- Search Head: Manages search queries and user interfaces.
- Cluster Master: Coordinates indexer clustering.
- Replication Factor: Number of data copies in an indexer cluster.
- Search Factor: Number of searchable data copies.
- Bucket: Data storage unit (hot, warm, cold, frozen).
- Source Type: Metadata for parsing data.
- Rawdata: Uncompressed event data.
- Tsidx: Time-series index for efficient searches.
- Knowledge Objects: Reusable components like searches and dashboards.
- Data Model: Structured dataset for reporting.
- KV Store: Key-value storage for configurations.
- Splunkd: Core Splunk service.
- Btool: Tool for troubleshooting configurations.
- IOPS: Disk performance metric.
- HDFS: Hadoop file system for big data.