SPLK-2002 Leak Questions

The correct topology to ensure a scalable and performant deployment for the customer’s use case is two search head clusters, one for ITSI and one for ES. This configuration provides high availability, load balancing, and isolation for each Splunk app. According to the Splunk documentation1, ITSI and ES should not be installed on the same search head or search head cluster, as they have different requirements and may interfere with each other. Having two separate search head clusters allows each app to have its own dedicated resources and configuration, and avoids potential conflicts and performance issues1. The other options are not recommended, as they either have only one search head or search head cluster, which reduces the availability and scalability of the deployment, or they have both ITSI and ES installed on the same search head or search head cluster, which violates the best practices and may cause problems. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: Splunk IT Service Intelligence and Splunk Enterprise Security compatibility

As per Splunk Enterprise Search Performance documentation, the most significant factor affecting search performance when querying across a large number of buckets is disk I/O throughput. A search that spans “All Time” forces Splunk to inspect all historical buckets (hot, warm, cold, and potentially frozen if thawed), even if only a few events match the query. This dramatically increases the amount of data read from disk, making the search bound by I/O performance rather than CPU or memory.

Increasing the number of indexing pipelines (Option B) only benefits data ingestion, not search performance. Changing to a real-time search (Option D) does not help because real-time searches are optimized for streaming new data, not historical queries. The indexed_realtime_use_by_default setting (Option C) applies only to streaming indexed real-time searches, not historical “All Time” searches.

To improve performance for such searches, Splunk documentation recommends enhancing disk I/O capability — typically through SSD storage, increased disk bandwidth, or optimized storage tiers. Additionally, creating summary indexes or accelerated data models may help for repeated “All Time” queries, but the most direct improvement comes from faster disk performance since Splunk must scan large numbers of buckets for even small result sets.

References (Splunk Enterprise Documentation):

• Search Performance Tuning and Optimization

• Understanding Bucket Search Mechanics and Disk I/O Impact

• limits.conf Parameters for Search Performance

• Storage and Hardware Sizing Guidelines for Indexers and Search Heads

A search head cluster is a group of Splunk Enterprise search heads that share configurations, job scheduling, and search artifacts1. The deployer is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members1. The local folder of each Splunk app contains the custom configurations that override the default settings2. The default folder of each Splunk app contains the default configurations that are provided by the app2.

By default, when the deployer pushes an app to the search head cluster, it merges the local folder of the app into the default folder and deploys the merged folder to the search heads3. This means that the custom configurations in the local folder will take precedence over the default settings in the default folder. However, this also means that the local folder of the app on the search heads will be empty, unless the app is modified through the search head UI3.

Option B is the correct answer because it reflects the default behavior of the deployer when pushing apps to the search head cluster. Option A is incorrect because the local folder is not copied to the local folder on the search heads, but merged into the default folder. Option C is incorrect because all the .conf files in the local folder are deployed to the search heads, not only certain ones. Option D is incorrect because the local folder is not ignored, but merged into the default folder.

According to the Splunk documentation1, metrics.log is a file that contains various metrics data for reviewing product behavior, such as pipeline, queue, thruput, and tcpout_connections. Metrics.log is stored in the _internal index by default2, which is a special index that contains internal logs and metrics for Splunk Enterprise. The other options are false because:

main is the default index for user data, not internal data3.

_telemetry is an index that contains data collected by the Splunk Telemetry feature, which sends anonymous usage and performance data to Splunk4.

_introspection is an index that contains data collected by the Splunk Monitoring Console, which monitors the health and performance of Splunk components.