Which index-time props.conf attributes impact indexing performance? (Select all that apply.)
Which index-time props.conf attributes impact indexing performance? (Select all that apply.)
When considering props.conf attributes that impact indexing performance, LINE_BREAKER and SHOULD_LINEMERGE are critical. LINE_BREAKER is used to delimit multi-line events efficiently, providing a significant boost to processing speed. SHOULD_LINEMERGE, on the other hand, controls whether Splunk should attempt to merge lines into a single event, which can impact performance if not managed properly. REPORT is used for field extraction and does not directly impact indexing performance. While ANNOTATE_PUNCT deals with indexing punctuation, it does not significantly influence performance like the other two attributes.
BCD - pg141-143 architecting splunk pdf
Answers are BCD - pq 141 Architecting Splunk pdf
verified in PDF, pg 141 as dpharker stated
Nothing in Splunk's docs specifically say that ANNOTATE_PUNCT will improve performance (it obviously will but so will a ton of other settings, and it's negligible), whereas it's consistently called out that LINE_BREAKER and SHOULD_LINEMERGE go hand in hand and will affect performance greatly. Is the exam tricking us? from props.conf: * NOTE: You get a significant boost to processing speed when you use LINE_BREAKER to delimit multi-line events (as opposed to using SHOULD_LINEMERGE to reassemble individual lines into multi-line events). * When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set to false, to ensure no further combination of delimited events occurs.
Answers are B, C and D: ANNOTATE_PUNCT (AP) and SHOULD_LINEMERGE (LM) which goes hand-in-hand with LINE_BREAKER (LB). See chapter "Tune props.conf" of Architecting Splunk Enterprise Deployment. The best indexing pipelines test results are when AP and LM (so LB too) are configured.
bcd are correct
This is a very tricky question. Answer C is questionable. Architecting PDF pages141 and 143 states that Indexing time improves significantly by including the ANNOTATE_PUNCT parameter. Troubleshooting PDF page 52 shows the "Great 8" rules per sourcetype will maximize the indexing performance, but they don't include the ANNOTATE_PUNCT parameter.
I will just SAY BCD are the correct ones and left this Annotation Processor configured ANNOTATE_PUNCT = <boolean> * Determines whether to index a special token starting with "punct::" * The "punct::" key contains punctuation in the text of the event. It can be useful for finding similar events * If it is not useful for your dataset, or if it ends up taking too much space in your index it is safe to disable it * Default: true
Answer should be C and D ANNOTATE_PUNCT = <boolean> * If it is not useful for your dataset, or if it ends up taking too much space in your index it is safe to disable it * Default: true
Answer CD was right. 1) The REPORT option is used to order stanzas when extracting fields 2) ANNOTATE_PUNKT extracts punctuation characters from events (and doesn't influence common performance) 3) LINE_BREAKER helps to separate multi-line events to different lines (improves performance) 4) SHOULD_LINEMERGE combines lines of data to multiline events (decreases performance). Source: https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Propsconf
From what you just said we can clearly see that B is also Correct as it affects performance.