Which of the following is a benefit of distributed search?
Which of the following is a benefit of distributed search?
Distributed search allows multiple peers to execute searches simultaneously, significantly improving search efficiency and performance by running searches in parallel across different peers. This parallel processing capability is one of the key benefits of distributed search systems.
Correct answer is B
Using Splunk docs URL reference https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch Parallel reduce search processing If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.
I think B and C are correct. According to SysAdmin pdf in Module 10: Distributed Search "when an indexer goes down: – The offline indexer does not participate in searches; – The remaining indexers handle all indexing and searches" => the very definition of "C. Resilience from indexer failure."
But other indexers won't have the data, that would be otherwise in the indexer that went down. Indeed, in the indexer, even if one indexer would go down, other indexers (if it was properly configurated) would have the same copies of data.
in the indexer cluster*
B and C may be correct.
But C isn't since doesnt provide indexer resilience
When indexer goes down remaining indexers handle all indexing
B is correct. as per document Sys Admin documentation page 190. C and D are incorrect because the question does not mention about clusters. A is not correct, I've never heard about search in sequence on peers.
in my humble opinion B & C would be the right answers yet if only one answer is deemed correct I would prioritize B.
think its c
B is correct, C would be correct if question was about indexers cluster. In this case is just about standalone indexers.
If B is correct, how do "standalone indexers" "run searches in parallel"?
Because when you search the data you are searching for could be on one or more indexers. So if half your forwarders send to indexer A and half to indexer B, when you run a search across a sourcetype it would run in parallel across multiple indexers
I would go with B and D
Sorry B
Friends, could you please confirm this answer?
Answer B system admin "distributed Search" Users log on to the search head and run reports–The search head dispatches searches to the peers–Peers run searches in parallel and return their portion of results–The search head consolidates the individual results and prepares reports
Distributed search provides horizontal scaling, so that a single Splunk Enterprise deployment can search and index arbitrarily large amounts of data. Distributed search is also useful for correlating data across data silos. https://docs.splunk.com/Splexicon:Distributedsearch
i agree with B
Who cares if a search head goes down, only negative is it takes longer to complete your search.
B - Distributed search reduce search processing by running in parallel to indexers
Correct Answer: B
B & D
Option B is correct, if there were option to select more than 1 then B and C
B. Peers run search in parallel. Distributed search allows a search to be split across multiple indexers and searched in parallel, significantly reducing search time. Additionally, distributed search provides resilience from search head failure, as the search can be restarted from another search head in the cluster.
B is correct