Splunk Infrastructure Overview — Question 38

When running a search, which Splunk component retrieves the individual results?

Answer options

• A. Indexer
• B. Search head
• C. Universal forwarder
• D. Master node

Correct answer: A

Explanation

The Indexer is the component that stores and retrieves the actual event data, providing the individual search results. The Search head is responsible for managing search requests and displaying results, but it does not retrieve them. The Universal forwarder is used for data input and forwarding, while the Master node manages indexers in a clustered environment.