Splunk Enterprise Security Certified Analyst — Question 59

Which configuration item should be set to false to significantly improve data ingestion performance?

Answer options

• A. AUTO_KV_JSON
• B. BREAK_ONLY_BEFORE_DATE
• C. SHOULD_LINEMERGE
• D. ANNOTATE_PUNCT

Correct answer: C

Explanation

Disabling SHOULD_LINEMERGE allows the system to process data more quickly by avoiding the overhead of combining lines. The other options, while important, do not have as significant an impact on ingestion performance when set to false.