SPLK-1003 Exam - Question 79

Question

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=*

What field can the administrator check to see the data distribution?

Examice · Accepted Answer

The correct field to check to see the data distribution amongst the indexers is splunk_server. The splunk_server field contains the name of the Splunk server that has indexed an event, which allows administrators to see how data is distributed across different indexers. By checking the splunk_server field, the administrator can determine the distribution of data across the different indexers in the Splunk environment.

gsplunker · Answer

Yes it is splunk_server that will list the indexers with event count

TeeCeeP · Answer

splunk_server its in the lab

leiot · Answer

i think its D

newrose · Answer

Shouldnt it be B

Salman23 · Answer

I would say A is correct,  When you perform a search and reporting app and get results, you will see on the left side selected fields if you click on hosts you will get all indexers link to the searchhead  with the count and percentages according the search results.

denominator · Answer

Module 9 lab pdf pg37  ans D

mngesha · Answer

not sure if splunk_server would be the silver bullet to get the data distribution. splunk_server would help to filter events based on indexer server for latency purposes as described in this link and is best positioned for the answer in this case.
D would be the closest answer in my humble opinion.
https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Searchdistributedpeers

SPLK-1003 Exam - Question 79

Discussion