How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
To configure your distsearch.conf for the provided search, you need to specify the complete set of servers in the [distributedSearch] stanza with the correct URI format (hostname:port). You should also define individual groups like [distributedSearch:HOUSTON] with the specific servers that the group contains. The correct format is demonstrated in option C, where the servers are listed properly with their respective ports and grouped accordingly. This allows the search to correctly refer to the HOUSTON group with splunk_server_group=HOUSTON.
I think C is Ans. https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/Distributedsearchgroups
In my opinion it is C: Example from https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/Distributedsearchgroups: [distributedSearch] # This stanza lists the full set of search peers. servers = 192.168.1.1:8089, 192.168.1.2:8089, 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089 [distributedSearch:NYC] # This stanza lists the set of search peers in New York. default = false servers = 192.168.1.1:8089, 192.168.1.2:8089 [distributedSearch:SF] # This stanza lists the set of search peers in San Francisco. default = false servers = 175.143.1.1:8089, 175.143.1.2:8089, 175.143.1.3:8089 And specifications from distsearch.conf: servers = <comma-separated list> * An initial list of servers. * Each member of this list must be a valid URI in the format of scheme://hostname:port
The answer is C.. Refer link - https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups
C is correct
see https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups The servers attribute lists groups of search peers by IP address and management port. The servers list for each search group must be a subset of the list in the general [distributedSearch] stanza.
Is C, others have invalid parameter separator, port and invalid stanza for distsearch
i think d is ans
100% not D. You can't have ports over 65,535.
Plus they are supposed to be comma separated, not colons
A is also correct to me: "the full set of search peers in the [distributedSearch] stanza will be queried when the search does not specify a search group." https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/Distributedsearchgroups Here the search specifies the search group
B I think
I would choose C https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups
C is Ans