Using Splunk docs URL reference https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch
Parallel reduce search processing
If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.
B. Peers run search in parallel.
Distributed search allows a search to be split across multiple indexers and searched in parallel, significantly reducing search time. Additionally, distributed search provides resilience from search head failure, as the search can be restarted from another search head in the cluster.
Distributed search provides horizontal scaling, so that a single Splunk Enterprise deployment can search and index arbitrarily large amounts of data. Distributed search is also useful for correlating data across data silos.
https://docs.splunk.com/Splexicon:Distributedsearch
Answer B system admin "distributed Search"
– Users log on to the search head and run reports
– The search head dispatches searches to the peers
– Peers run searches in parallel and return their portion of results
– The search head consolidates the individual results and prepares reports
B is correct, as per the Sys Admin documentation, page 190. C and D are incorrect because the question does not mention clusters. A is not correct; I've never heard of search in sequence on peers.
I think B and C are correct.
According to SysAdmin pdf in Module 10: Distributed Search "when an indexer goes down:
– The offline indexer does not participate in searches;
– The remaining indexers handle all indexing and searches"
=> the very definition of "C. Resilience from indexer failure."
But other indexers won't have the data that would otherwise be in the indexer that went down. Indeed, in the indexer, even if one indexer would go down, other indexers (if it was properly configured) would have the same copies of data.
Because when you search, the data you are searching for could be on one or more indexers. So if half your forwarders send to indexer A and half to indexer B, when you run a search across a sourcetype it would run in parallel across multiple indexers.