The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours:
index=*
What field can the administrator check to see the data distribution?
Agreed it's D. Quoting the Splunk Reference URL https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields
splunk_server
The splunk server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment.
Example: Restrict a search to the main index on a server named remote.
splunk_server=remote index=main 404
Not sure if splunk_server would be the silver bullet to get the data distribution. splunk_server would help to filter events based on indexer server for latency purposes, as described in this link, and is best positioned for the answer in this case.
D would be the closest answer in my humble opinion.
https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Searchdistributedpeers
I would say A is correct. When you perform a search in the Search and Reporting app and get results, you will see the selected fields on the left side; if you click on hosts, you will get all indexers linked to the search head, with the count and percentages according to the search results.