Splunk Enterprise Security Certified Analyst — Question 1

When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?

Answer options

• A. The new search head connects to the captain and replays any recent configuration changes to bring it up to date.
• B. The new search head connects to the deployer and replays any recent configuration changes to bring it up to date.
• C. The new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date.
• D. The new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date.

Correct answer: D

Explanation

The correct answer is D because when a new search head is added, it first connects to the deployer to obtain the latest configuration bundle. Afterward, it connects to the captain to apply any recent configuration changes. Options A, B, and C are incorrect as they do not accurately describe the correct sequence of connections and actions that occur during this process.