ExamGecko
Search Search Login
Home Home / Splunk / SPLK-2002
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

How can internal logging levels in a Splunk environment be changed to troubleshoot an issue? (select all that apply)
What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)
Stakeholders have identified high availability for searchable data as their top priority. Which of the following best addresses this requirement?
When should a Universal Forwarder be used instead of a Heavy Forwarder?
To expand the search head cluster by adding a new member, node2, what first step is required?
A customer has installed a 500GB Enterprise license. They also purchased and installed a 300GB, no enforcement license on the same license master. How much data can the customer ingest before the search is locked out?
Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?
Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?
Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)
What does setting site=site0 on all Search Head Cluster members do in a multi-site indexer cluster?

Question 160 - SPLK-2002 discussion

Report
Export

When should a Universal Forwarder be used instead of a Heavy Forwarder?

A.

When most of the data requires masking.

Answers
A.

When most of the data requires masking.

B.

When there is a high-velocity data source.

Answers
B.

When there is a high-velocity data source.

C.

When data comes directly from a database server.

Answers
C.

When data comes directly from a database server.

D.

When a modular input is needed.

Answers
D.

When a modular input is needed.

Suggested answer: B

Explanation:

According to the Splunk blog1, the Universal Forwarder is ideal for collecting data from high-velocity data sources, such as a syslog server, due to its smaller footprint and faster performance. The Universal Forwarder performs minimal processing and sends raw or unparsed data to the indexers, reducing the network traffic and the load on the forwarders. The other options are false because:

When most of the data requires masking, a Heavy Forwarder is needed, as it can perform advanced filtering and data transformation before forwarding the data2.

When data comes directly from a database server, a Heavy Forwarder is needed, as it can run modular inputs such as DB Connect to collect data from various databases2.

When a modular input is needed, a Heavy Forwarder is needed, as the Universal Forwarder does not include a bundled version of Python, which is required for most modular inputs2.

Show Answer
asked 13/11/2024
Henock Asmerom
34 questions
PreviousPrevious
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms