Splunk Enterprise Security Certified Analyst — Question 41
An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance.
Given ideal conditions (no restarts and no drops or bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
Answer options
- A. frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
- B. maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
- C. maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
- D. frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs
Correct answer: A
Explanation
The correct answer is A because it includes the settings needed to manage data retention and performance effectively, such as frozenTimePeriodInSecs to define how long data is kept and maxHotBuckets to control the number of hot buckets. The other options do not include the complete set of settings needed to balance data retention and search performance optimally.