When running a real-time search, search results are pulled from which Splunk component?
When running a real-time search, search results are pulled from which Splunk component?
When running a real-time search in Splunk, search results are pulled from the search peers. A search peer, often synonymous with an indexer in a distributed search topology, is responsible for handling search requests from the search heads. These search peers contain and manage the indexed data, making them the source from which real-time search results are retrieved.
search peers
Agree Answer is D. Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer "search peer is a splunk platform instance that responds to search requests from a search head. The term "search peer" is usally synonymous with the indexer role in a distributed search topology. However, other instance types also have access to indexed data, particularly internal diagnostic data, and thus function as search peers when they respond to search requests for that data."
Regardless of real-time searches or not, should it always be "Search peers"?
According to "Search Phase: The Big Picture" in Data Admin pdf.... - Normal search-> access to Index in Indexer - Real Time search-> access to Indexing Queue between Parsing pipeline and Indexing Pipeline in Indexer That means Search Peer.