When adding a new search head to a search head cluster (SHC), the following scenario occurs:

The new search head connects to the deployer and pulls the most recently deployed bundle. The deployer is a Splunk instance that manages the app configuration bundle for the SHC. The bundle contains the app configurations and knowledge objects that are common to all the search heads in the cluster. The new search head downloads and extracts the bundle to its etc/shcluster/apps directory.

The new search head connects to the captain and replays any recent configuration changes to bring it up to date. The captain is one of the search heads in the cluster that coordinates the cluster activities and maintains the cluster state. The captain keeps track of any configuration changes that are made on any of the cluster members, such as creating or modifying dashboards, reports, alerts, or macros. The new search head requests these changes from the captain and applies them to its own configuration.

By following these steps, the new search head synchronizes its configuration with the rest of the cluster and becomes a fully functional member.

References :

Splunk Core Certified Consultant Test Blueprint

Splunk Documentation: Add a new member to a search head cluster

Splunk Documentation: Deploy apps across a search head cluster

Splunk Documentation: How a search head cluster works

 A [script://] input sends data to a Splunk forwarder using the standard output (STDOUT) and standard error (STDERR) streams of the script. A [script://] input is a type of scripted input that runs an executable script on a Splunk forwarder and indexes the data that the script outputs to STDOUT or STDERR. The script can be written in any scripting language, such as Python, Perl, or shell, and it can perform various tasks, such as querying APIs, databases, or remote data interfaces, and formatting the data for indexing. The Splunk forwarder launches the script at a specified interval and reads the data from its STDOUT or STDERR streams.

The other options are incorrect because they are not the methods that a [script://] input uses to send data to a Splunk forwarder. Option A is incorrect because UDP stream is not a method that a [script://] input uses, but rather a method that a network input uses to receive data from UDP ports. Option B is incorrect because TCP stream is not a method that a [script://] input uses, but rather a method that a network input uses to receive data from TCP ports. Option C is incorrect bec ause temporary file is not a method that a [script://] input uses, but rather a method that a monitor input uses to read data from files or directories.  References :

Splunk Core Consultant knowledge source documents or study guide: https://www.splunk.com/en_us/resources/splunk-certification-exam-study-guide.html

Splunk Test Blueprint Consultant: https://www.splunk.com/en_us/pdfs/training/splunk-test-blueprint-consultant.pdf

Get data from APIs and other remote data interfaces through scripted inputs 1

Configure scripted inputs 2

When Splunk indexes events, it extracts metadata fields such as host, source, and source type from the raw data. These fields are used to identify and categorize the events, and to enable efficient searching and filtering. Splunk also assigns a unique identifier (_cd) and a timestamp (_time) to each event. Splunk does not extract the top 10 fields, perform parsing, merging, and typing processes on universal forwarders, or create report acceleration summaries during indexing. These are separate processes that occur either before or after indexing. Therefore, the correct answer is B. Extracts metadata fields such as host, source, source type.  References :

Splunk Core Certified Consultant Test Blueprint

Splunk Documentation: How Splunk Enterprise indexes data

Splunk Documentation: About default fields

The best practice for ingesting data from a network device that transmits logs directly with UDP or TCP over SSL is to use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier. This method has several advantages, such as:

It reduces the load on the network device by sending the data to a dedicated syslog server.

It provides a reliable and secure transport of data by using TCP over SSL between the syslog server and the heavy forwarder.

It allows the heavy forwarder to parse and enrich the data before sending it to the indexing tier.

It preserves the original timestamp and host information of the data by using the syslog-ng or Splunk Connect for Syslog solutions.

Therefore, the correct answer is C, use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier.  References  :=

Get data from network sources

Use Splunk Connect for Syslog

Configure event processing

Carefully design smaller apps with specific configuration that can be reused. This is the Splunk PS recommendation when using the deployment server and building deployment apps, because it allows for more flexibility, modularity, and efficiency in managing and deploying updates to Splunk Enterprise instances. Smaller apps with specific configuration can be easily reused across different server classes, environments, and use cases, without causing conflicts or redundancies. They can also reduce the size of the deployment bundle and the network bandwidth consumption.

The other options are incorrect because they are not the Splunk PS recommendation when using the deployment server and building deployment apps. Option B is incorrect because deploying only Splunk PS base configurations via the deployment server limits the functionality and customization of the deployment server, as it does not allow for deploying other types of apps, such as add-ons, dashboards, or custom configurations. Option C is incorrect because using $SPLUNK_HOME/etc/system/local configurations on forwarders and only deploying TAs via the deployment server is not a good practice, as it makes the forwarder configuration harder to manage and troubleshoot, and it does not leverage the full potential of the deployment server. Option D is incorrect because carefully designing bigger apps containing multiple configs is not a good practice, as it makes the deployment apps more complex, less reusable, and more prone to errors and conflicts.  References :

Splunk Core Consultant knowledge source documents or study guide: https://www.splunk.com/en_us/resources/splunk-certification-exam-study-guide.html

Splunk Test Blueprint Consultant: https://www.splunk.com/en_us/pdfs/training/splunk-test-blueprint-consultant.pdf

About deployment server and forwarder management 1

Plan a deployment 2