Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Splunk Exam SPLK-5002 Topic 1 Question 4 Discussion

Actual exam question for Splunk's SPLK-5002 exam
Question #: 4
Topic #: 1
[All SPLK-5002 Questions]

An engineer observes a delay in data being indexed from a remote location. The universal forwarder is configured correctly.

What should they check next?

Show Suggested Answer Hide Answer
Suggested Answer: A

If there is a delay in data being indexed from a remote location, even though the Universal Forwarder (UF) is correctly configured, the issue is likely a queue blockage or network latency.

Steps to Diagnose and Fix Forwarder Delays:

Check Forwarder Logs (splunkd.log) for Queue Issues (A)

Look for messages like TcpOutAutoLoadBalanced or Queue is full.

If queues are full, events are stuck at the forwarder and not reaching the indexer.

Monitor Forwarder Health Using metrics.log

Use index=_internal source=*metrics.log* group=queue to check queue performance.

Incorrect Answers: B. Increase the indexer memory allocation -- Memory allocation does not resolve forwarder delays. C. Optimize search head clustering -- Search heads manage search performance, not forwarder ingestion. D. Reconfigure the props.conf file -- props.conf affects event processing, not ingestion speed.


Splunk Forwarder Troubleshooting Guide

Monitoring Forwarder Queue Performance

by Judy at Mar 20, 2025, 04:28 PM

Limited Time Offer

25%

Off

Get Premium SPLK-5002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Makeda
13 days ago
Hey, did you hear about the programmer who was caught stealing cookies from the computer lab? He got caught because he left a few crumbs in the keyboard. Talk about a cookie monster!
upvoted 0 times
...
Tamesha
20 days ago
Reconfiguring the props.conf file? Nah, man, that's not the issue here. Check the logs, that's the way to go.
upvoted 0 times
...
Annelle
22 days ago
Search head clustering? That's overkill for a simple data indexing delay. I'd go with option A and review the forwarder logs.
upvoted 0 times
...
Deonna
24 days ago
Increasing the indexer memory allocation? I don't think that's the right approach here. Probably need to look at the forwarder logs.
upvoted 0 times
...
Portia
27 days ago
I think reconfiguring the props.conf file might be necessary to resolve the issue.
upvoted 0 times
...
Karma
28 days ago
Hmm, seems like the forwarder is configured correctly, so I'd check the logs for any queue blockages first.
upvoted 0 times
An
4 days ago
User 3: Reconfigure the props.conf file.
upvoted 0 times
...
Jame
6 days ago
User 2: Increase the indexer memory allocation.
upvoted 0 times
...
Cheryll
7 days ago
User 1: Check the forwarder logs for queue blockages.
upvoted 0 times
...
...
Billye
1 months ago
I believe increasing the indexer memory allocation could also help with the delay.
upvoted 0 times
...
Elise
1 months ago
I agree with Junita, checking the forwarder logs is the next step.
upvoted 0 times
...
Junita
1 months ago
I think we should review forwarder logs for queue blockages.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77