Splunk Enterprise Security Certified Analyst — Question 34
A customer has the following Splunk instances within their environment: An indexer cluster consisting of a cluster master/master node and five clustered indexers, two search heads (no search head clustering), a deployment server, and a license master. The deployment server and license master are running on their own single-purpose instances. The customer would like to start using the Monitoring Console (MC) to monitor the whole environment.
On the MC instance, which instances will need to be configured as distributed search peers by specifying them via the UI using the settings menu?
Answer options
- A. Just the cluster master/master node.
- B. Indexers, search heads, deployment server, license master, cluster master/master node.
- C. Search heads, deployment server, license master, cluster master/master node.
- D. Deployment server, license master.
Correct answer: C
Explanation
The correct answer is C: to monitor the whole environment, the Monitoring Console needs the search heads, the deployment server, the license master and the cluster master/master node configured as distributed search peers. Options A and D are incorrect because they leave out required instances, and option B is incorrect because it includes the indexers, which aren't required for the Monitoring Console setup.