Splunk Enterprise Security Certified Admin — Question 25
A customer site is experiencing poor performance. The UI response time is high and searches take a very long time to run. Some operations time out and there are errors in the scheduler logs indicating that too many concurrent searches are being started. A total of 6 correlation searches are scheduled, and they have already been tuned to weed out false positives.
Which of the following options is most likely to help performance?
Answer options
- A. Change the search heads to do local indexing of summary searches.
- B. Add heavy forwarders between the universal forwarders and indexers so inputs can be parsed before indexing.
- C. Increase memory and CPUs on the search head(s) and add additional indexers.
- D. If indexed realtime search is enabled, disable it for the notable index.
Correct answer: C
Explanation
Increasing the memory and CPUs on the search head(s) along with adding additional indexers can significantly improve performance by allowing more concurrent searches to be handled efficiently. Options A and B do not address the core issue of concurrent search limitations, and option D may not resolve the overall performance problem since it targets only indexed real-time search.