Exam SPLK-3003 topic 1 question 57 discussion

Actual exam question from Splunk's SPLK-3003
Question #: 57
Topic #: 1

A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf.
After this change, when running searches utilizing the lookup that was blacklisted they see error messages in the Splunk Search UI stating the lookup file does not exist.
What can the customer do to resolve the issue?

  • A. The search needs to be modified to ensure the lookup command specifies parameter local=true.
  • B. The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true.
  • C. The search needs to be modified to ensure the lookup command specified parameter blacklist=false.
  • D. The lookup cannot be blacklisted; the change must be reverted.
Suggested Answer: A

Comments

pbandj12
Highly Voted 3 years, 4 months ago
A is correct
upvoted 6 times
...
hpbdcb
Most Recent 1 year ago
Selected Answer: A
well explained by jcisco123 just added as a vote comment
upvoted 1 times
...
jcisco123
1 year, 11 months ago
To resolve the issue, the customer can modify the search to ensure that the lookup command specifies the parameter "local=true". When a lookup is blacklisted in the distsearch.conf file, the lookup file is no longer included in the search bundle and is not available to search peers. As a result, the lookup cannot be used by search peers during distributed searches. However, when the "local=true" parameter is specified in the lookup command, it tells Splunk to perform the lookup locally on the search head, rather than using a distributed search to perform the lookup on the indexers. This means that the lookup file does not need to be present on the search peers, and the search can be successfully executed even if the lookup has been blacklisted. Therefore, the correct answer is A: the customer needs to modify the search to ensure that the lookup command specifies parameter "local=true". Options B and C are not valid solutions to the problem described. Option D is incorrect as lookups can be blacklisted; however, it requires appropriate modifications to searches to avoid errors.
upvoted 2 times
...
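
An added example, not part of the thread: a small audit that flags searches which use a lookup excluded from the knowledge bundle without `local=true`, which is the condition that produces the "lookup file does not exist" error on the peers. The stanza name `[replicationBlacklist]` is the distsearch.conf stanza for bundle exclusions; the file names, lookup definition and searches are constructed samples, and matching on the file name only is a simplification.

```python
import re
from fnmatch import fnmatchcase
from posixpath import basename

# Constructed sample data, not taken from the page.
DISTSEARCH_CONF = """
[replicationBlacklist]
big_assets = apps/search/lookups/asset_inventory.csv
geo = apps/*/lookups/geo_*.csv
"""
# Lookup definition name -> CSV file (what transforms.conf would declare).
DEFINITIONS = {"asset_lookup": "asset_inventory.csv"}
SEARCHES = {
    "fails_on_peers": "index=fw | lookup asset_lookup ip AS src OUTPUT owner",
    "runs_on_sh": "index=fw | lookup local=true asset_lookup ip AS src OUTPUT owner",
    "unaffected": "index=fw | lookup small_codes.csv code OUTPUT label",
    "direct_csv": "index=fw | lookup geo_city.csv ip OUTPUT city",
}

def blacklisted_patterns(conf_text):
    """Return the file-name part of each [replicationBlacklist] entry."""
    patterns, in_stanza = [], False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_stanza = line == "[replicationBlacklist]"
        elif in_stanza and "=" in line and not line.startswith("#"):
            patterns.append(basename(line.split("=", 1)[1].strip()))
    return patterns

# Captures the options written before the lookup name, then the name itself.
LOOKUP_RE = re.compile(r"\|\s*lookup\s+((?:\w+=\S+\s+)*)(\S+)", re.I)

def missing_local(spl, patterns, definitions):
    """Lookups in `spl` whose file is excluded from the bundle but lack local=true."""
    flagged = []
    for opts, name in LOOKUP_RE.findall(spl):
        csv_file = definitions.get(name, name)  # definition name or direct CSV
        excluded = any(fnmatchcase(csv_file, p) for p in patterns)
        is_local = re.search(r"\blocal=(true|t|1)\b", opts, re.I)
        if excluded and not is_local:
            flagged.append(name)
    return flagged

def audit(searches=SEARCHES):
    pats = blacklisted_patterns(DISTSEARCH_CONF)
    return {n: missing_local(s, pats, DEFINITIONS) for n, s in searches.items()}

if __name__ == "__main__":
    for name, hits in audit().items():
        print(name, "->", hits or "ok")
```
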
jugulinho
3 years, 8 months ago
it's not blacklisted csv, so D is correct
upvoted 1 times
...
jbabbin
4 years ago
Link https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-What-are-my/m-p/194594
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other