Splunk Enterprise Security Certified Analyst — Question 39
A customer has three users and is planning to ingest 250GB of data per day. They are concerned with search uptime, can tolerate up to a two-hour downtime for the search tier, and want advice on a single search head versus a search head cluster (SHC).
Which recommendation is the most appropriate?
Answer options
- A. The customer should deploy two active search heads behind a load balancer to support HA.
- B. The customer should deploy a SHC with a single member for HA; more members can be added later.
- C. The customer should deploy a SHC, because it will be required to support the high volume of data.
- D. The customer should deploy a single search head with a warm standby search head and an rsync process to synchronize configurations.
Correct answer: D
Explanation
Option D is correct. With only three users, search concurrency is not a concern, and a two-hour outage of the search tier is acceptable, so the customer does not need continuous search availability. A single search head with a warm standby, kept current by an rsync job over the search head's configuration (apps, users, knowledge objects), can be brought into service well inside that window without the extra nodes and operational overhead of a cluster. Option A is wrong because two independent active search heads behind a load balancer do not share knowledge objects, scheduled searches or user artifacts; replicating those between members is exactly what a SHC provides, and without it the two nodes diverge. Option B is wrong because a SHC requires a minimum of three members to elect a captain; a single-member "cluster" gives no redundancy at all. Option C is wrong because daily ingest volume is an indexing-tier sizing question, not a search-tier one; a SHC is justified by search load, concurrent users and availability requirements, not by 250GB/day of data.
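The rsync process that answer D relies on is the part practitioners usually get wrong, so here is an added example (not from the exam page or from Splunk's own documentation) of a cron-driven sync from the active search head to the warm standby. It assumes SPLUNK_HOME is /opt/splunk on both hosts, that the standby is reachable over SSH as "sh-standby" with a "splunk" user, and that the standby's splunkd is either stopped or simply not receiving user traffic; all of those names are assumptions.

```shell
#!/bin/sh
# Added example, not from the exam page: keep a warm-standby search head in
# step with the active one by mirroring $SPLUNK_HOME/etc with rsync.
# Assumed: SPLUNK_HOME=/opt/splunk on both hosts, standby host "sh-standby",
# SSH user "splunk" (all hypothetical). Run sync_standby from cron on the
# primary; on failover, start splunkd on the standby and repoint the
# DNS name or VIP that users connect to.

# Paths relative to $SPLUNK_HOME/etc that must stay instance-specific.
# instance.cfg holds the instance GUID and system/local/server.conf holds
# serverName and the host's own sslPassword; copying them makes the
# standby present itself as a duplicate of the primary.
excluded_paths() {
    printf '%s\n' \
        'instance.cfg' \
        'system/local/server.conf'
}

# Build the rsync command line. Everything else under etc/ (apps/, users/,
# passwd, auth/splunk.secret) is mirrored so logins, saved searches,
# dashboards and lookups survive a failover; --delete propagates removals.
# $1 = SPLUNK_HOME, $2 = standby host, $3 = optional extra rsync flags.
# Exclude paths contain no spaces, so the unquoted expansions below are safe.
build_sync_cmd() {
    splunk_home="$1"
    standby="$2"
    extra="${3:-}"
    cmd="rsync -az --delete${extra:+ $extra}"
    for p in $(excluded_paths); do
        cmd="$cmd --exclude=/$p"
    done
    printf '%s %s/etc/ splunk@%s:%s/etc/\n' \
        "$cmd" "$splunk_home" "$standby" "$splunk_home"
}

# Perform the sync: an itemized dry run first (visible in the cron mail
# or log), then the real transfer. Returns non-zero if rsync is missing.
sync_standby() {
    splunk_home="${1:-${SPLUNK_HOME:-/opt/splunk}}"
    standby="${2:-sh-standby}"
    if ! command -v rsync >/dev/null 2>&1; then
        echo "rsync is not installed on this host" >&2
        return 1
    fi
    preview=$(build_sync_cmd "$splunk_home" "$standby" "--itemize-changes --dry-run")
    $preview
    real=$(build_sync_cmd "$splunk_home" "$standby")
    $real
}
```

Two caveats before the first run: copy etc/auth/splunk.secret from the primary to the standby before the standby's first start, so credentials the primary encrypts (passwords.conf, indexer pass4SymmKey) decrypt on the standby; and test the failover itself, not just the sync, because the two-hour tolerance in the question only holds if someone has actually practised starting the standby and moving user traffic to it.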