Splunk Core Certified Advanced Power User — Question 109
Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk component can be added to implement this policy for the new team?
Answer options
- A. Indexer
- B. Deployment server
- C. Universal forwarder
- D. Search head
Correct answer: D
Explanation
The correct answer is D, the Search head, because it allows for the management of user access to, and visibility of, reports and knowledge objects. The Indexer (A) is responsible for data storage and indexing, the Deployment server (B) manages configurations across instances, and the Universal forwarder (C) forwards data; none of these provides the access control features the Compliance Department requires.