Exam SPLK-1003 topic 1 question 36 discussion

I'm sorry ... D is wrong separator is ';' (not permitted) instead ','

D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

[distributedSearch:NYC] # This stanza lists the set of search peers in New York. default = false servers = 192.168.1.1:8089, 192.168.1.2:8089

The correct answer is: B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089 Explanation: In Splunk, to configure distributed search groups, you must use the correct stanza format and port configuration in the distsearch.conf file. The valid configuration follows these rules: Stanza: [searchGroup:<group_name>] default: Specifies whether the group is the default search group. servers: Lists search peers with their management ports (default port is 8089) separated by commas. Therefore, B correctly follows this format with the stanza [searchGroup:Paris], default set to false, and servers listed with the proper port (8089).

Is D but the separator in incorrect

as per latest splunk document https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups option is D

D is the answer but there's a typo in the answer. It should be ',' not ';'

D is the answer https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Distsearchconf

D is the correct answer, however with a typo I checked and you have to provide port number, otherwise you get the following error: Failed to parse uri for peer:Paris. This search peer will be ignored.

B and C are definitely wrong. A is not correct since no port number is given, and that is required. See https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Distsearchconf Distributed Search Group Definitions: servers = <comma-separated list> * A list of search peers that are members of this group. * The list must use peer identifiers (i.e. hostname:port) Answer D must be a typo, and supposed to show a comma and not a semi colon. In that case it is correct.

It is A, read the documentation : "The servers attribute lists groups of search peers by IP address and management port" , so a server always contains already a port, it is not listed as a seperate attribute.

The answer is B.. Refer link - https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

I just tested this and a port is required. So, with given choices I would go with D

distsearch.conf specification says: servers = <comma-separated list> * An initial list of servers. * Each member of this list must be a valid URI in the format of scheme://hostname:port I haven't tested, but in my understanding the port value is needed, and in that case it couldn't be alternative A. The separator ";" in alternative D makes it wrong too (maybe a test typo?), although it certainly would be the correct one if the separator was a comma.

A is the correct one correct stanza name -> [distributedSearch:xxxx] correct separator -> , servers listed don't need to have the port defined, and Splunk will use the default attribute listed in distsearch.conf.spec https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Distsearchconf#distsearch.conf.example

The correct answer is D. The stanza is <DS1_IP:8089>, <DS2_IP:8089>,....

I think it is "D" <<The servers attribute lists groups of search peers by IP address and management port>>