Splunk Enterprise Security Certified Analyst — Question 25
A new single-site three-indexer cluster is being stood up with replication_factor:2, search_factor:2. At which step would the Indexer Cluster be classed as 'Indexing Ready' and be able to ingest new data?
Step 1: Install and configure Cluster Master (CM)/Master Node with base clustering stanza settings, restarting CM.
Step 2: Configure a base app in etc/master-apps on the CM to enable a splunktcp input on port 9997 and deploy index creation configurations.
Step 3: Install and configure Indexer 1 so that once restarted, it contacts the CM, downloads the latest config bundle.
Step 4: Indexer 1 restarts and has successfully joined the cluster.
Step 5: Install and configure Indexer 2 so that once restarted, it contacts the CM, downloads the latest config bundle.
Step 6: Indexer 2 restarts and has successfully joined the cluster.
Step 7: Install and configure Indexer 3 so that once restarted, it contacts the CM, downloads the latest config bundle.
Step 8: Indexer 3 restarts and has successfully joined the cluster.
Answer options
- A. Step 2
- B. Step 4
- C. Step 6
- D. Step 8
Correct answer: C
Explanation
The Indexer Cluster is considered 'Indexing Ready' once enough indexers have joined the cluster to satisfy the replication factor of 2, which occurs at Step 6 when Indexer 2 has restarted and connected to the Cluster Master. At Steps 2 and 4 too few indexers are operational to meet that requirement, while Step 8 is beyond the necessary point for indexing readiness.