Splunk internal logs are stored in the SPLUNK_HOME/var/log/splunk directory by default. The default log size for Splunk internal logs is 25 MB, which means that when a log file reaches 25 MB, Splunk rolls it to a backup file and creates a new log file. The default number of backup files is 5, which means that Splunk keeps up to 5 backup files for each log file

In the context of splunkd.log events written to the _internal index, the field that identifies the specific log channel is the " channel " field. This information is confirmed by the Splunk Common Information Model (CIM) documentation, where " channel " is listed as a field name associated with Splunk Audit Logs​​.

The correct answer is C. 100 GB per day. This is the expected minimum amount of storage required for data across an indexer cluster with the given input and parameters. The storage requirement can be calculated by adding the raw data size and the index files size, and then multiplying by the Replication Factor and the Search Factor1. In this case, the calculation is:

(15 GB + 35 GB) x 2 x 2 = 100 GB

The Replication Factor is the number of copies of each bucket that the cluster maintains across the set of peer nodes2. The Search Factor is the number of searchable copies of each bucket that the cluster maintains across the set of peer nodes3. Both factors affect the storage requirement, as they determine how many copies of the data are stored and searchable on the indexers. The other options are not correct, as they do not match the result of the calculation. Therefore, option C is the correct answer, and options A, B, and D are incorrect.

1: Estimate storage requirements 2: About indexer clusters and index replication 3: Configure the search factor

According to the Splunk documentation1, metrics.log is a file that contains various metrics data for reviewing product behavior, such as pipeline, queue, thruput, and tcpout_connections. Metrics.log is stored in the _internal index by default2, which is a special index that contains internal logs and metrics for Splunk Enterprise. The other options are false because:

main is the default index for user data, not internal data3.

_telemetry is an index that contains data collected by the Splunk Telemetry feature, which sends anonymous usage and performance data to Splunk4.

_introspection is an index that contains data collected by the Splunk Monitoring Console, which monitors the health and performance of Splunk components.

Migration from single-site to multisite index replication only affects new data, not existing data. Multisite policies apply to new data only, meaning that data that is ingested after the migration will follow the multisite replication and search factors. Existing data, or data that was ingested before the migration, will retain the single-site policies, unless they are manually converted to multisite buckets. Single-site buckets do not instantly receive the multisite policies, nor do they automatically convert to multisite buckets. Multisite total values can exceed any single-site factors, as long as they do not exceed the number of peer nodes in the cluster. A master node is not required at each site, only one master node is needed for the entire cluster

The __introspection log file contains data about the impact of the Splunk software on the host system, such as CPU, memory, disk, and network usage, as well as KV store performance1. This log file is monitored by default and the contents are sent to the _introspection index1. The other options are not related to the __introspection log file. File monitor input configurations are stored in inputs.conf2. File monitor checkpoint offset is stored in fishbucket3. User activities and knowledge objects are stored in the _audit and _internal indexes respectively4.

The curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus command is used to check the status of the tailed files when troubleshooting monitor inputs. Monitor inputs are inputs that monitor files or directories for new data and send the data to Splunk for indexing. The TailingProcessor:FileStatus endpoint returns information about the files that are being monitored by the Tailing Processor, such as the file name, path, size, position, and status. The splunk cmd btool inputs list | tail command is used to list the inputs configurations from the inputs.conf file and pipe the output to the tail command. The splunk cmd btool check inputs layer command is used to check the inputs configurations for syntax errors and layering. The curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus command does not exist, and it is not a valid endpoint.

Splunk Enterprise documentation clearly states that the best method to secure log traffic between Universal Forwarders (UFs) and Indexers is to implement Transport Layer Security (TLS) using signed SSL certificates. When Universal Forwarders send data to Indexers, this communication can be encrypted using SSL/TLS to prevent eavesdropping, data tampering, or interception while in transit.

Splunk provides default self-signed certificates out of the box, but these are only for testing or lab environments and should not be used in production. Production-grade security requires custom, signed SSL certificates — either from an internal Certificate Authority (CA) or a trusted public CA. These certificates validate both the sender (forwarder) and receiver (indexer), ensuring data integrity and authenticity.

In practice, this involves:

Generating or obtaining CA-signed certificates.

Configuring the forwarder’s outputs.conf to use SSL encryption (sslCertPath, sslPassword, and sslRootCAPath).

Configuring the indexer’s inputs.conf and server.conf to require and validate client certificates.

This configuration ensures end-to-end encryption for all log data transmitted from forwarders to indexers.

Routing traffic through a WAF (Option C) does not provide end-to-end encryption for Splunk’s internal communication, and securing search head–to–indexer communication (Option D) is unrelated to forwarder data flow.

References (Splunk Enterprise Documentation):

• Securing Splunk Enterprise: Encrypting Data in Transit Using SSL/TLS

• Configure Forwarder-to-Indexer Encryption

• Server and Forwarder Authentication with Signed Certificates

• Best Practices for Forwarder Management and Security Configuration

The master node is the Splunk server role that regulates the functioning of the indexer cluster. The master node coordinates the activities of the peer nodes, such as data replication, data searchability, and data recovery. The master node also manages the cluster configuration bundle and distributes it to the peer nodes. The indexer is the Splunk server role that indexes the incoming data and makes it searchable. The deployer is the Splunk server role that distributes apps and configuration updates to the search head cluster members. The monitoring console is the Splunk server role that monitors the health and performance of the Splunk deployment. For more information, see About indexer clusters and index replication in the Splunk documentation.

This is a mandatory Splunk component when implementing a search head cluster, as it is responsible for distributing the configuration updates and app bundles to the cluster members1. The deployer is a separate instance that communicates with the cluster manager and pushes the changes to the search heads1. The other options are not mandatory components for a search head cluster. Option A, Captain Server, is not a component, but a role that is dynamically assigned to one of the search heads in the cluster2. The captain coordinates the replication and search activities among the cluster members2. Option C, Cluster Manager, is a component for an indexer cluster, not a search head cluster3. The cluster manager manages the replication and search factors, and provides a web interface for monitoring and managing the indexer cluster3. Option D, RAFT Server, is not a component, but a protocol that is used by the search head cluster to elect the captain and maintain the cluster state4. Therefore, option B is the correct answer, and options A, C, and D are incorrect.

1: Use the deployer to distribute apps and configuration updates 2: About the captain 3: About the cluster manager 4: How a search head cluster works