Splunk Enterprise Certified Architect — Question 41

The performance of a specific search is performing poorly. The search must run over All Time and is expected to have very few results. Analysis shows that the search accesses a very large number of buckets in a large index.

What step would most significantly improve the performance of this search?

Answer options

• A. Change this to a real-time search using an All Time window.
• B. Increase the number of indexing pipelines.
• C. Increase the disk I/O hardware performance.
• D. Set indexed_realtime_use_by_default = true in limits.conf.

Correct answer: C

Explanation

Improving disk I/O hardware performance (option C) is the most effective way to enhance search performance, especially when dealing with a large index and many buckets. The other options either do not address the core issue of I/O bottlenecks or may complicate the search process without improving efficiency.