Which of the following indexes come pre-configured with Splunk Enterprise? (Choose all that apply.)
Splunk Enterprise comes pre-configured with several indexes to help manage its functions and logs. _internal is used for Splunk Enterprise's internal logs and processing metrics. _thefishbucket stores metadata about the files Splunk is monitoring, such as seek pointers and CRCs, which helps Splunk determine if a file has already been read. These indexes are part of the default setup and do not need manual configuration.
B & D - pg 95 SysAdmin pdf
BD are the options
B and D are my final answers
B & D are correct
B & D sounds better
B and D System Admin Slide 105
B, D are the correct answer. After installing Splunk 8.2 on my local machine I checked the default indexes.conf, and there is the fishbucket index configured.
Agreed B and D. Quoting the Splunk Reference URL https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html "It’s time for a little Indexing 101. If you look in the directory where your Splunk datastore resides (default location /opt/splunk/var/lib/splunk) you will find a directory called fishbucket. This index is not really intended for normal humans to investigate, more just Splunk engineers trying to decipher file input issues. It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already. To see what’s there, try searching for “index=_thefishbucket”. Events look something like this:"
Splunk Enterprise comes with a number of preconfigured indexes, including: main: This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified. _internal: Stores Splunk Enterprise internal logs and processing metrics. _audit: Contains events related to the file system change monitor, auditing, and all user search history. Since the only choice available is "_internal" the answer is B. Ref: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Howindexingworks
B and D
_thefishbucket looks decommitted https://community.splunk.com/t5/Splunk-Search/How-do-I-activate-quot-thefishbucket-quot-index/m-p/410263
I believe the only answer is B. The other preconfigured indexes are: main: The default Splunk Enterprise index. All processed external data is stored here unless otherwise specified. _internal: This index includes Splunk Enterprise internal logs. _metrics: This index contains Splunk Enterprise internal data, stored in the form of metric data points. _audit: Events from the file system change monitor, auditing, and all user search history. _introspection: This index provides data about the Splunk Enterprise instance and environment. https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Aboutmanagingindexes
_thefishbucket is also preconfigured. Just checked on my installation. Can confirm B and D
Answer B & C
Sorry, the correct ones are B & D
B and D
B and D
    _internal: To index Splunk’s own logs and metrics
    _audit: To store Splunk audit trails and other optional auditing information
    _introspection: To track system performance, Splunk resource usage data, and provide Monitoring Console (MC) with performance data
    _thefishbucket: To contain checkpoint information for file monitoring inputs
    summary: Default index for summary indexing system
    main: Default index for inputs; located in the defaultdb directory
B & D are correct