Splunk Enterprise Security Certified Analyst — Question 78
A customer has 30 indexers in an indexer cluster configuration and two search heads. They are writing an SPL search for a particular use case, but are concerned that it takes too long to run even over short time ranges.
How can the Search Job Inspector capabilities be used to help validate and understand the customer concerns?
Answer options
- A. Search Job Inspector provides statistics to show how much time and the number of events each indexer has processed.
- B. Search Job Inspector provides a Search Health Check capability that provides an optimized SPL query the customer should try instead.
- C. Search Job Inspector cannot be used to help troubleshoot the slow-performing search; the customer should review index=_introspection instead.
- D. The customer is using the transaction SPL search command, which is known to be slow.
Correct answer: A
Explanation
A is correct because the Search Job Inspector reports processing time and event counts per indexer, which helps identify performance bottlenecks. Option B incorrectly suggests that the Search Job Inspector can optimize SPL queries, which it cannot. Option C is wrong because the Search Job Inspector can indeed help troubleshoot slow searches. Option D mentions the transaction command but does not address the capabilities of the Search Job Inspector.