This is a very tricky question.
Answer C is questionable.
Architecting PDF pages 141 and 143 state that indexing time improves significantly by including the ANNOTATE_PUNCT parameter.
Troubleshooting PDF page 52 shows the "Great 8" rules per sourcetype will maximize the indexing performance, but they don't include the ANNOTATE_PUNCT parameter.
I will just say BCD are the correct ones and leave this.
Annotation Processor configured
ANNOTATE_PUNCT = <boolean>
* Determines whether to index a special token starting with "punct::"
* The "punct::" key contains punctuation in the text of the event.
  It can be useful for finding similar events
* If it is not useful for your dataset, or if it ends up taking
  too much space in your index it is safe to disable it
* Default: true
Nothing in Splunk's docs specifically says that ANNOTATE_PUNCT will improve performance (it obviously will but so will a ton of other settings, and it's negligible), whereas it's consistently called out that LINE_BREAKER and SHOULD_LINEMERGE go hand in hand and will affect performance greatly.
Is the exam tricking us?
From props.conf:
* NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE to reassemble individual lines into multi-line events).
* When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set
  to false, to ensure no further combination of delimited events occurs.
Answers are B, C and D:
ANNOTATE_PUNCT (AP) and SHOULD_LINEMERGE (LM) which goes hand-in-hand with LINE_BREAKER (LB).
See chapter "Tune props.conf" of Architecting Splunk Enterprise Deployment. The best indexing pipelines test results are when AP and LM (so LB too) are configured.
Answer should be C and D
ANNOTATE_PUNCT = <boolean>
* If it is not useful for your dataset, or if it ends up taking
  too much space in your index it is safe to disable it
* Default: true
Answer CD was right.
1) The REPORT option is used to order stanzas when extracting fields
2) ANNOTATE_PUNCT extracts punctuation characters from events (and doesn't influence common performance)
3) LINE_BREAKER helps to separate multi-line events to different lines (improves performance)
4) SHOULD_LINEMERGE combines lines of data to multiline events (decreases performance).
Source: https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Propsconf
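The three props.conf settings debated in this thread, turned into a small per-stanza check; this is an added example, not code from Splunk or from any commenter. The sample stanzas and sourcetype names are constructed, and it assumes an absent SHOULD_LINEMERGE or ANNOTATE_PUNCT key means the default of true.

```python
import re
# Constructed sample props.conf text; sourcetype names are hypothetical.
SAMPLE_PROPS = r"""
[app:multiline]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}

[app:tuned]
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}
SHOULD_LINEMERGE = false
ANNOTATE_PUNCT = false

[app:halfway]
LINE_BREAKER = ([\r\n]+)\[
"""

def parse_props(text):
    """Return {stanza: {key: value}}, skipping blank lines and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def is_disabled(settings, key):
    # Assumption: an absent key means the default, true, for both booleans.
    return settings.get(key, "true").lower() in ("false", "0")

def lint(text):
    """Return {stanza: [findings]} for stanzas not tuned as the thread describes."""
    report = {}
    for name, s in parse_props(text).items():
        findings = []
        if not is_disabled(s, "SHOULD_LINEMERGE"):
            findings.append("SHOULD_LINEMERGE not false")
        if "LINE_BREAKER" not in s:
            findings.append("LINE_BREAKER not set")
        if not is_disabled(s, "ANNOTATE_PUNCT"):
            findings.append("ANNOTATE_PUNCT not false")
        if findings:
            report[name] = findings
    return report
```

Calling `lint()` on the text of a props.conf file returns an empty dict when every stanza sets all three; here only `app:tuned` passes.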
ChantreyC (Highly Voted, 3 years, 10 months ago)
dpharker (Highly Voted, 2 years, 7 months ago)
marinatedcohort (1 year, 1 month ago)
bobixaka (Most Recent, 10 months, 1 week ago)
Untaked (10 months, 3 weeks ago)
frappe (2 years, 4 months ago)
RedYeti (2 years, 7 months ago)
manu78 (3 years, 8 months ago)
sunil299 (3 years, 10 months ago)
New_user (3 years, 9 months ago)
SasnycoN (2 years, 9 months ago)