The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=*
What field can the administrator check to see the data distribution?
The correct field to check to see the data distribution amongst the indexers is splunk_server. The splunk_server field contains the name of the Splunk server that has indexed an event, which allows administrators to see how data is distributed across different indexers. By checking the splunk_server field, the administrator can determine the distribution of data across the different indexers in the Splunk environment.
Yes, it is splunk_server that will list the indexers with event count.
Agreed, it's D. Quoting the Splunk reference (https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields): "splunk_server: The splunk server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment. Example: Restrict a search to the main index on a server named remote. splunk_server=remote index=main"
splunk_server, it's in the lab.
I think it's D.
Not sure if splunk_server would be the silver bullet to get the data distribution. splunk_server would help to filter events based on indexer server for latency purposes, as described in this link, and is best positioned for the answer in this case. D would be the closest answer in my humble opinion. https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Searchdistributedpeers
Module 9 lab pdf pg37 ans D
System Admin Lab
I would say A is correct. When you perform a search in the Search and Reporting app and get results, you will see the selected fields on the left side; if you click on hosts, you will get all indexers linked to the search head with the count and percentages according to the search results.
Shouldn't it be B?
It says indexers, not indexes, right?