Splunk Enterprise Security Certified Analyst — Question 82

A customer has a multisite cluster (two sites, each site in its own data center) and users experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations.
Which of the following would be the least expensive and easiest way to improve search performance?

Answer options

• A. Configure site_search_factor to ensure a searchable copy exists in the local site for each search head.
• B. Move all indexers and search heads in one of the data centers into the same site.
• C. Install a network pipe with more bandwidth between the two data centers.
• D. Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.

Correct answer: A

Explanation

The correct answer is A because configuring the site_search_factor allows for local copies of indexed data, reducing the need for cross-site communication, which is affected by limited bandwidth. Option B would require significant changes to the architecture and may not be feasible. Option C, while potentially effective, involves high costs and isn't the easiest solution. Option D does not address the underlying issue of inter-site communication delays.