Index name | Purpose
_internal | To index Splunk’s own logs and metrics
_audit | To store Splunk audit trails and other optional auditing information
_introspection | To track system performance, Splunk resource usage data, and provide Monitoring Console (MC) with performance data
_thefishbucket | To contain checkpoint information for file monitoring inputs
summary | Default index for summary indexing system
main | Default index for inputs; located in the defaultdb directory
B and D
B, D are the correct answer. After installing Splunk 8.2 on my local machine I checked the default indexes.conf, and there is the fishbucket index configured.
Agreed B and D. Quoting the Splunk Reference URL https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html
"It’s time for a little Indexing 101. If you look in the directory where your Splunk datastore resides (default location /opt/splunk/var/lib/splunk) you will find a directory called fishbucket. This index is not really intended for normal humans to investigate, more just Splunk engineers trying to decipher file input issues. It contains seek pointers and CRCs for the files you are indexing, so splunkd can tell if it has read them already. To see what’s there, try searching for “index=_thefishbucket”. Events look something like this:"
I believe the only answer is B.
The other preconfigured indexes are:
main: The default Splunk Enterprise index. All processed external data is stored here unless otherwise specified.
_internal: This index includes Splunk Enterprise internal logs.
_metrics: This index contains Splunk Enterprise internal data, stored in the form of metric data points.
_audit: Events from the file system change monitor, auditing, and all user search history.
_introspection: This index provides data about the Splunk Enterprise instance and environment.
https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Aboutmanagingindexes
Splunk Enterprise comes with a number of preconfigured indexes, including:
main: This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.
_internal: Stores Splunk Enterprise internal logs and processing metrics.
_audit: Contains events related to the file system change monitor, auditing, and all user search history.
Since the only choice available is "_internal", the answer is B.
Ref: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Howindexingworks