Exam SPLK-1004 topic 1 question 51 discussion

A distributable streaming command in Splunk is executed on the indexer when all preceding commands in the search pipeline are also distributable streaming commands or commands that can run on the indexer. These commands process data in parallel across indexers and do not require centralized processing by the search head.

C - https://docs.splunk.com/Documentation/Splunk/9.3.1/Search/Typesofcommands

It has nothing to do with streamstats. A streaming command operates on each event returned by a search. For distributable streaming, the order of the events does not matter. A distributable streaming command is a command that can be run on the indexer, which improves processing time. The other commands in a search determine if the distributable streaming command is run on the indexer: If all of the commands before the distributable streaming command can be run on the indexer, the distributable streaming command is run on the indexer. If any one of the commands before the distributable streaming command must be run on the search head, the remaining commands in the search must be run on the search head. When the search processing moves to the search head, it can't be moved back to the indexer.

No, B is the correct answer. A distributable streaming command is a search command that can be executed on the indexer instead of the search head. This can improve search performance by reducing the amount of data that needs to be sent over the network. The streamstats command is a distributable streaming command that can be executed on the indexer if all preceding search commands are also executed on the indexer. This is because streamstats requires access to the raw event data, which is not available on the search head. Therefore, if all preceding search commands are executed on the indexer, and a streamstats command is used, the streamstats command will be executed on the indexer.