Splunk Enterprise Security Certified Analyst — Question 48
A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what happens to users' ability to view historic scheduled search results if they log on to a search head that does not hold one of the 2 copies of a given search artifact.
Which of the following statements best describes what would happen in this scenario?
Answer options
- A. The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use.
- B. Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results.
- C. The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads.
- D. The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads.
Correct answer: A
Explanation
The correct answer, A, is accurate because a cluster member that lacks a local copy of a search artifact proxies it from another member that holds one, and a copy is then replicated to the requesting member, so the user can view the required search results. Option B is incorrect because the missing dispatch folder does not block access: the artifact is fetched through proxying. Option C is misleading because no restart is needed to make the artifact available, and option D is incorrect because the apply shcluster-bundle command distributes configuration bundles from the deployer and plays no role in replicating search artifacts.