Splunk Enterprise Security Certified Admin — Question 37
A site has a single existing search head which hosts a mix of CIM-compliant and non-CIM-compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance.
What is the best practice for installing ES?
Answer options
- A. Install ES on the existing search head.
- B. Add a new search head and install ES on it.
- C. Increase the number of CPUs and amount of memory on the search head, then install ES.
- D. Delete the non-CIM-compliant apps from the search head, then install ES.
Correct answer: B
Explanation
The best practice is to add a new search head and install ES on it, which ensures optimal performance and maintains the integrity of the existing applications. Installing ES on the current search head could lead to resource contention, while increasing resources or removing the non-CIM-compliant apps does not address the need to separate critical workloads.