Splunk Enterprise Certified Architect SPLK-2002 Splunk Study Notes

 A Splunk job is a search process that is kicked off via a report, an alert, or a user action. A Splunk job is a child OS process manifested from the splunkd process, which is the main Splunk daemon. A Splunk job is subjected to some usage quota, such as memory, CPU, and disk space, which can be configured in the limits.conf file. A Splunk job is not a user-defined Splunk capability, as it is a core feature of the Splunk platform.

 A collection is defined in the collections.conf file, which specifies the name, schema, and permissions of the collection. The kvstore.conf file is used to configure the KV store settings, such as the port, SSL, and replication factor. The other two files do not exist1

To determine where a Splunk forwarder is attempting to send its data, administrators can search within the _internal index using the metrics logs generated by the forwarder’s Splunkd process. The correct and documented search is:

index=_internal sourcetype=splunkd metrics destHost | dedup destHost

The _internal index contains detailed operational logs from the Splunkd process, including metrics on network connections, indexing pipelines, and output groups. The field destHost records the destination indexer(s) to which the forwarder is attempting to send data. Using dedup destHost ensures that only unique destination hosts are shown.

This search is particularly useful for troubleshooting forwarding issues, such as connection failures, misconfigurations in outputs.conf, or load-balancing behavior in multi-indexer setups.

Other listed options are invalid or incorrect because:

sourcetype=internal does not exist.

index=_metrics is not where Splunk stores forwarding telemetry.

The field inputHost identifies the source host, not the destination.

Thus, Option D aligns with Splunk’s official troubleshooting practices for forwarder-to-indexer communication validation.

References (Splunk Enterprise Documentation):

• Monitoring Forwarder Connections and Destinations

• Troubleshooting Forwarding Using Internal Logs

• _internal Index Reference – Metrics and destHost Fields

• outputs.conf – Verifying Forwarder Data Routing and Connectivity

Migration from single-site to multisite index replication only affects new data, not existing data. Multisite policies apply to new data only, meaning that data that is ingested after the migration will follow the multisite replication and search factors. Existing data, or data that was ingested before the migration, will retain the single-site policies, unless they are manually converted to multisite buckets. Single-site buckets do not instantly receive the multisite policies, nor do they automatically convert to multisite buckets. Multisite total values can exceed any single-site factors, as long as they do not exceed the number of peer nodes in the cluster. A master node is not required at each site, only one master node is needed for the entire cluster