Splunk Core Certified Advanced Power User — Question 139

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X,Y). During a search executed on search head X, indexer A crashes. What is Splunk’s response?

Answer options

• A. Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.
• B. Update the user in Splunk web informing them that the results of their search may be incomplete.
• C. Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.
• D. Repeat the search request on indexer B without informing the user.

Correct answer: B

Explanation

The correct answer is B because when an indexer fails, Splunk informs the user that the search results may be incomplete. Option A is incorrect because it suggests switching search heads, which is not the immediate response. Option C is wrong as Splunk does not automatically re-execute the search without user intervention. Option D is not valid since it does not inform the user of the issue.