This is because the bucket freezing process in a clustered indexer is controlled by the cluster master, which ensures that all copies of the bucket are frozen at the same time. This way, the cluster master can maintain the consistency and availability of the data across the cluster, and avoid any conflicts or errors due to mismatched bucket states.
The other options are incorrect because they do not reflect what happens when a bucket rolls from cold to frozen on a clustered indexer. Option A is incorrect because all replicated copies will not be rolled to frozen, while original copies will remain. This would violate the replication factor and search factor settings of the cluster, and cause data loss or unavailability. Option B is incorrect because replicated copies of the bucket will not remain on all other indexers, and the cluster master will not assign a new primary bucket. This would create duplicate and outdated data in the cluster, and cause search inefficiency or inconsistency. Option D is incorrect because nothing will not happen, and replicated copies of the bucket will not remain on all other indexers until a local retention rule causes it to roll. This would create different retention policies for different copies of the same bucket, and cause data fragmentation or corruption. References:
Splunk Core Consultant knowledge source documents or study guide: https://www.splunk.com/en_us/resources/splunk-certification-exam-study-guide.html
Splunk Test Blueprint Consultant: https://www.splunk.com/en_us/pdfs/training/splunk-test-blueprint-consultant.pdf
How indexer clusters handle frozen data1
How Splunk Enterprise handles frozen data2
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit