The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of
Splunk component instances are needed?
The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of
Splunk component instances are needed?
To handle the volume of data from collecting log files from 50 Linux servers and 200 Windows servers, the necessary Splunk component instances include indexers for data storage and indexing, a search head for managing and processing search requests, a deployment server for centralized management of configurations, a license master for managing Splunk licenses centrally, and universal forwarders for data forwarding. This setup adheres to best practices for large-scale data ingestion and search operations.
C. All search heads and indexers should use a license master
Did anybody notice that "s" is missing from "universal forwarder" in option C. whereas all other components are given as plural. so I would go with A.
B, since the license master can reside on the search head/deployment instance
Wrong, C i correct
Because it asks for 'component', it doesn't matter where it sits.
I would add two heavy forwarders as intermediate forwarders for each linux and unix inputs
You may add for better design, but its not necessary
what is the final answer here pls confirm friends :)
C option
C is correct
Option C is the correct answer. According to best practices, a distributed deployment architecture is recommended for large-scale data ingestion and search operations. In this scenario, the volume of data from 50 Linux servers and 200 Windows servers requires multiple indexers, a search head, a deployment server, a license master, and universal forwarders. The indexers are responsible for storing and indexing the data, while the search head is responsible for managing and processing search requests. The deployment server is used to centrally manage configurations across multiple components in the deployment, and the license master is used to centrally manage Splunk licenses. Finally, the universal forwarder is installed on the servers that generate the data to forward the data to the indexers.
I think C is the correct answer
I'd say C. License master is definitely recommended with multiple indexers. Since we have multiple servers, we’ll likely use a lot of UFs, so deployment servers will be good to monitor UFs.
C System Admin module 9 pg 196
https://community.splunk.com/t5/Knowledge-Management/The-volume-of-data-from-collecting-log-files-from-50-Linux/m-p/522684 Answer is A.
B is the correct one because it says needed, the license master and the HF are recomendations for best practice but not needed. also the option B as the UFs in plural and the opcion C doesn't
https://community.splunk.com/t5/Knowledge-Management/The-volume-of-data-from-collecting-log-files-from-50-Linux/m-p/522684