Splunk Enterprise Certified Architect — Question 30
Which index does Splunk use to record user activities?
Answer options
- A. _internal
- B. _kvstore
- C. _telemetry
- D. _audit
Correct answer: D
Explanation
The correct answer is D, _audit, as it specifically tracks user actions and access in Splunk. The other options serve different purposes: _internal records internal processing logs, _kvstore is for storing key-value pairs, and _telemetry is used for system performance metrics.