Exam SPLK-3003
Question 23

An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance.

Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?

    Correct Answer: A

    To meet the requirements of keeping 50GB of data searchable for a minimum of 30 days and ensuring search performance with hourly scheduled searches, the following indexes.conf settings are relevant: 'frozenTimePeriodInSecs' to define data retention time, 'maxDataSize' to manage the size of hot buckets, 'maxVolumeDataSizeMB' to control the volume size, and 'maxHotBuckets' to regulate the number of active hot buckets. This combination ensures data retention, efficient bucket management, and optimal search performance.

Discussion
RedYeti Option: A

maxDataSize: Maximum size that a hot bucket can reach before rolling to warm, use auto_high_volume for high-volume indexes (>10GB per day).
maxHotBuckets: maximum number of hot buckets that can exist per index.
frozenTimePeriodInSecs: number of seconds after which indexed data rolls to frozen.
----------
"50GB of data per day per indexer" means to set maxDataSize to auto_high_volume and maxHotBuckets not to auto but to a high value (10) => not answer D and C
"data searchable for a minimum of 30 days" means to set frozenTimePeriodInSecs => not answer B
So answer is A

LearningDani Option: A

I think it's A
- 'maxDataSize' should be set to 'auto_high_volume', because a "high volume index" would typically be considered one that gets over 10GB of data per day.
- 'maxHotBuckets' - this defines the maximum number of simultaneously open hot buckets (actively being written to). For indexes that receive a lot of data, this should be 10; other indexes can safely keep the default.
- 'maxVolumeDataSizeMB' should also be set to define the size of the volume.
- 'frozenTimePeriodInSecs' for sure to set retention time.

noysherer Option: D

I think it is D https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Indexesconf

spl_bonn Option: A

I agree also that A is the correct one.

Redtonyeah Option: A

A is more complete than C, so A

sunil299 Option: B

maxGlobalDataSizeMB is primarily for SmartStore.

bobixaka Option: C

In the Splunk PS Base App org_all_indexes in indexes.conf you have this:

    [customer_index]
    disabled = false
    homePath = volume:primary/$_index_name/db
    coldPath = volume:primary/$_index_name/colddb
    thawedPath = volume:primary/$_index_name/thaweddb
    frozenTimePeriodInSecs = 31536000
    maxTotalDataSizeMB = 102400
    maxDataSize = auto/auto_high_volume

That's all you need. As mentioned everything works fine, no drops, no restarts, no bursts of data. You have ideal conditions, so you can use all default settings. 50GB/day is not so much for an indexer to handle using default settings.

You don't need to specify maxHotBuckets, the default "auto" value is fine here. A is not correct.
You don't need maxGlobalDataSizeMB here, because it's for SmartStore. B is not correct.
You don't need to specify maxWarmDBCount and maxHotSpanSecs, so D is not correct.

BMS0598 Option: B

Considering B as the correct answer because the question states that the data should be searchable for a MINIMUM of 30 days, but it doesn't necessarily mean the buckets older than 30 days need to be moved to frozen. Option B focuses more on settings related to storage which could be used to set an appropriate storage size limit if you do the math correctly based on the fact they tell you that 50GB are ingested per day per indexer and that no drops/bursts of data will happen. So the question seems to be more focused on using storage-related settings to keep the buckets searchable for at least 30 days. Also, ChatGPT suggests the correct answer is B.
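The retention math the discussion refers to, as an added example that is not part of any comment above and not Splunk's own code: it reads an indexes.conf stanza and reports whether the time limit (frozenTimePeriodInSecs) or the size cap (maxTotalDataSizeMB) freezes data first at a given ingest rate. The function names, the sample stanzas and the 50% raw-to-disk ratio are assumptions made for illustration.

```python
import configparser

SECS_PER_DAY = 86400
# Assumption (sizing rule of thumb, not from the page): indexed data takes
# about 50% of the raw ingest volume on disk.
DISK_RATIO = 0.5
# Splunk's documented defaults, applied when a stanza omits the setting.
DEFAULTS = {"frozenTimePeriodInSecs": 188697600, "maxTotalDataSizeMB": 500000}

# Constructed sample stanzas (index names and values are illustrative).
SAMPLE_CONF = """
[capped_small]
homePath = volume:primary/$_index_name/db
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB = 102400

[sized_for_30d]
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB = 800000

[all_defaults]
homePath = volume:primary/$_index_name/db
"""

def retention_days(conf_text, index, raw_gb_per_day, disk_ratio=DISK_RATIO):
    """Return (time_days, size_days, effective_days) for one index stanza.
    Buckets freeze when they age past frozenTimePeriodInSecs OR when the index
    grows past maxTotalDataSizeMB, so the smaller of the two limits wins.
    Volume-level caps (maxVolumeDataSizeMB) are not modelled here.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(conf_text)
    stanza = cp[index]
    frozen_secs = int(stanza.get("frozenTimePeriodInSecs", DEFAULTS["frozenTimePeriodInSecs"]))
    max_mb = int(stanza.get("maxTotalDataSizeMB", DEFAULTS["maxTotalDataSizeMB"]))
    disk_mb_per_day = raw_gb_per_day * 1024 * disk_ratio  # per indexer
    time_days = frozen_secs / SECS_PER_DAY
    size_days = max_mb / disk_mb_per_day
    return time_days, size_days, min(time_days, size_days)

def meets_retention(conf_text, index, raw_gb_per_day, required_days):
    """True when neither the time limit nor the size cap freezes data early."""
    return retention_days(conf_text, index, raw_gb_per_day)[2] >= required_days

if __name__ == "__main__":
    for name in ("capped_small", "sized_for_30d", "all_defaults"):
        t, s, eff = retention_days(SAMPLE_CONF, name, 50)
        print(name, t, s, eff, meets_retention(SAMPLE_CONF, name, 50, 30))
```

For log sources needed in investigations, the size-based result is the one to watch: a 30-day frozenTimePeriodInSecs does not guarantee 30 days of searchable data if the size cap is reached first.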