Splunk Enterprise Certified Architect SPLK-2002 Reddit Questions

To resync a stale KV Store member in a search head cluster, you need to stop the search head that has the stale KV Store member, run the command splunk clean kvstore --local, and then restart the search head. This triggers the initial synchronization from other KV Store members12.

The command splunk resync kvstore [-source sourceId] is used to resync the entire KV Store cluster from one of the members, not a single member. This command can only be invoked from the node that is operating as search head cluster captain2.

The command splunk clean eventdata -local is used to delete all indexed data from a standalone indexer or a cluster peer node, not to resync the KV Store3.

The correct action to take first if a deployment client is not updating apps is to choose a corrective action based on the splunkd.log of the deployment client. This log file contains information about the communication between the deployment server and the deployment client, and it can help identify the root cause of the problem1. The other actions may or may not help, depending on the situation, but they are not the first steps to take. Choosing a longer phone home interval may reduce the load on the deployment server, but it will also delay the updates for the deployment clients2. Increasing the number of CPU cores or the amount of memory for the deployment server may improve its performance, but it will not fix the issue if the problem is on the deployment client side3. Therefore, option C is the correct answer, and options A, B, and D are incorrect.

1: Troubleshoot deployment server issues 2: Configure deployment clients 3: Hardware and software requirements for the deployment server

Comprehensive and Detailed Explanation (From Splunk Enterprise Documentation)Splunk’s documentation on summary indexing and data-model acceleration clarifies that summary data is stored as additional indexed data on the indexers. Summary indexing produces new events—aggregations, rollups, scheduled search outputs—and stores them in summary indexes. Splunk explains that these summaries accumulate over time and require additional bucket storage, retention considerations, and sizing adjustments.

The documentation for accelerated data models further confirms that acceleration summaries are stored alongside raw data on indexers, increasing disk usage proportional to the acceleration workload. This makes summary indexing the only listed feature that strictly increases indexer storage demand.

In contrast, Search Head Clustering replicates configuration and knowledge objects across search heads—not on indexers. Indexer Discovery affects forwarder behavior, not storage. Indexer Acknowledgement controls data-delivery guarantees but does not create extra indexed content.

Therefore, only Index Summarization (summary indexing) directly increases indexer storage requirements.

Splunk provides various methods to change the internal logging levels in a Splunk environment to troubleshoot an issue. All of the options are valid ways to do so. Option A is correct because the Monitoring Console (MC) allows the administrator to view and modify the logging levels of various Splunk components through a graphical interface. Option B is correct because the Splunk command line provides the splunk set log-level command to change the logging levels of specific components or categories. Option C is correct because the Splunk Web provides the Settings > Server settings > Server logging page to change the logging levels of various components through a web interface. Option D is correct because the log-local.cfg file allows the administrator to manually edit the logging levels of various components by overriding the default settings in the log.cfg file123

1: