
SPLK-3001 Exam - Question 38


A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance.

What is the best practice for installing ES?

Correct Answer: B

Installing ES (Enterprise Security) on a dedicated search head is a best practice. This separation ensures that the critical applications on the existing search head will not be affected by the resource-intensive processes associated with ES. By adding a new search head and installing ES on it, you ensure good performance of ES without compromising the existing, mission-critical applications. Additionally, a separate search head can be optimized specifically for ES, leading to better overall performance and manageability.

Discussion

3 comments
asashima, Option: B
Dec 22, 2021

B is correct. Administering Splunk Enterprise Security 6.6.pdf 324P

andy73, Option: C
Dec 1, 2021

C is correct

Soccerfan, Option: B
Jul 5, 2023

B. Read page 12 of the SVA. https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf