Splunk Enterprise Security Certified Admin — Question 70

ES apps and add-ons from $SPLUNK_HOME/etc/apps should be copied from the staging instance to what location on the cluster deployer instance?

Answer options

• A. $SPLUNK_HOME/etc/master-apps/
• B. $SPLUNK_HOME/etc/system/local/
• C. $SPLUNK_HOME/etc/shcluster/apps
• D. $SPLUNK_HOME/var/run/searchpeers/

Correct answer: C

Explanation

The correct location for copying ES apps and add-ons from the staging instance is $SPLUNK_HOME/etc/shcluster/apps, as this is where shared cluster applications are stored for deployment. The other options are incorrect because $SPLUNK_HOME/etc/master-apps/ is for master apps, $SPLUNK_HOME/etc/system/local/ is for local configuration files, and $SPLUNK_HOME/var/run/searchpeers/ is for runtime search peer data.