Splunk Enterprise Security Certified Analyst — Question 61
The data in Splunk is now subject to auditing and compliance controls. A customer would like to ensure that at least one year of logs is retained for both Windows and Firewall events. What data retention controls must be configured?
Answer options
- A. maxTotalDataSizeMB and frozenTimePeriodInSecs
- B. coldToFrozenDir and coldToFrozenScript
- C. Splunk Volume and maxTotalDataSizeMB
- D. Splunk Volume and frozenTimePeriodInSecs
Correct answer: A
Explanation
The correct answer is A. In indexes.conf, maxTotalDataSizeMB caps the total size of an index, while frozenTimePeriodInSecs sets the maximum age of data before its bucket is rolled to frozen (and deleted unless an archive destination is configured). Splunk freezes a bucket as soon as either limit is reached, so to guarantee one year of retention frozenTimePeriodInSecs must cover at least a year and maxTotalDataSizeMB must be large enough that a year of Windows and Firewall events does not exceed it. The other options do not control the retention period: coldToFrozenDir and coldToFrozenScript only determine what happens to data once it is frozen, and Splunk volumes manage storage-path capacity rather than how long data is kept.