Splunk Enterprise Security Certified Analyst — Question 76
In a large cloud customer environment with many (>100) dynamically created endpoint systems, each with a UF already deployed, what is the best approach for associating these systems with an appropriate serverclass on the deployment server?
Answer options
- A. Work with the cloud orchestration team to create a common host-naming convention for these systems so a simple pattern can be used in the serverclass.conf whitelist attribute.
- B. Create a CSV lookup file for each serverclass, manually keep track of the endpoints within this CSV file, and leverage the whitelist.from_pathname attribute in serverclass.conf.
- C. Work with the cloud orchestration team to dynamically insert an appropriate clientName setting into each endpoint's local/deploymentclient.conf which can be matched by whitelist in serverclass.conf.
- D. Using an installation bootstrap script, run a CLI command to assign a clientName setting and permit serverclass.conf whitelist simplification.
Correct answer: A
Explanation
Option A is the best choice because establishing a common host-naming convention allows for easier management and pattern matching within the serverclass.conf whitelist. Option B is inefficient as it requires manual updates to a CSV file. Option C, while dynamic, complicates the configuration process, and Option D introduces unnecessary complexity by relying on a bootstrap script for clientName assignment.