Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Splunk Exam SPLK-5002 Topic 1 Question 4 Discussion

Actual exam question for Splunk's SPLK-5002 exam
Question #: 4
Topic #: 1
[All SPLK-5002 Questions]

An engineer observes a delay in data being indexed from a remote location. The universal forwarder is configured correctly.

What should they check next?

Show Suggested Answer Hide Answer
Suggested Answer: A

If there is a delay in data being indexed from a remote location, even though the Universal Forwarder (UF) is correctly configured, the issue is likely a queue blockage or network latency.

Steps to Diagnose and Fix Forwarder Delays:

Check Forwarder Logs (splunkd.log) for Queue Issues (A)

Look for messages like TcpOutAutoLoadBalanced or Queue is full.

If queues are full, events are stuck at the forwarder and not reaching the indexer.

Monitor Forwarder Health Using metrics.log

Use index=_internal source=*metrics.log* group=queue to check queue performance.

Incorrect Answers: B. Increase the indexer memory allocation -- Memory allocation does not resolve forwarder delays. C. Optimize search head clustering -- Search heads manage search performance, not forwarder ingestion. D. Reconfigure the props.conf file -- props.conf affects event processing, not ingestion speed.


Splunk Forwarder Troubleshooting Guide

Monitoring Forwarder Queue Performance

by Judy at Mar 20, 2025, 04:28 PM

Limited Time Offer

25%

Off

Get Premium SPLK-5002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Annelle
1 days ago
Search head clustering? That's overkill for a simple data indexing delay. I'd go with option A and review the forwarder logs.
upvoted 0 times
...
Deonna
3 days ago
Increasing the indexer memory allocation? I don't think that's the right approach here. Probably need to look at the forwarder logs.
upvoted 0 times
...
Portia
6 days ago
I think reconfiguring the props.conf file might be necessary to resolve the issue.
upvoted 0 times
...
Karma
7 days ago
Hmm, seems like the forwarder is configured correctly, so I'd check the logs for any queue blockages first.
upvoted 0 times
...
Billye
12 days ago
I believe increasing the indexer memory allocation could also help with the delay.
upvoted 0 times
...
Elise
15 days ago
I agree with Junita, checking the forwarder logs is the next step.
upvoted 0 times
...
Junita
16 days ago
I think we should review forwarder logs for queue blockages.
upvoted 0 times
...

Save Cancel