Splunk Core Certified User — Question 44

Which of the following Splunk components typically resides on the machines where data originates?

Answer options

• A. Indexer
• B. Forwarder
• C. Search head
• D. Deployment server

Correct answer: B

Explanation

The correct answer is B, Forwarder, as it is designed to collect and send log data from the source machines to the indexers. The Indexer (A) is responsible for storing and indexing the data, the Search head (C) is used for searching and analyzing the data, and the Deployment server (D) is utilized to manage configurations across various Splunk instances.