Splunk Enterprise Security Certified Admin — Question 12

Which of the following actions can improve overall search performance?

Answer options

• A. Disable indexed real-time search.
• B. Increase priority of all correlation searches.
• C. Reduce the frequency (schedule) of lower-priority correlation searches.
• D. Add notable event suppressions for correlation searches with high numbers of false positives.

Correct answer: C

Explanation

Option C is correct because reducing the frequency of lower-priority correlation searches allows the system to allocate resources more effectively to higher-priority tasks, improving overall performance. Options A and B may not directly enhance search performance, while D addresses false positives but does not necessarily improve search efficiency.