Splunk SPLK-5002 Exam - Topic 3 Question 23 Discussion

Actual exam question for Splunk's SPLK-5002 exam

Question #: 23
Topic #: 3

An engineer observes a delay in data being indexed from a remote location. The universal forwarder is configured correctly.

What should they check next?

AReview forwarder logs for queue blockages.

BIncrease the indexer memory allocation.

COptimize search head clustering.

DReconfigure the props.conf file.

Show Suggested Answer

Suggested Answer: A

If there is a delay in data being indexed from a remote location, even though the Universal Forwarder (UF) is correctly configured, the issue is likely a queue blockage or network latency.

Steps to Diagnose and Fix Forwarder Delays:

Check Forwarder Logs (splunkd.log) for Queue Issues (A)

Look for messages like TcpOutAutoLoadBalanced or Queue is full.

If queues are full, events are stuck at the forwarder and not reaching the indexer.

Monitor Forwarder Health Using metrics.log

Use index=_internal source=*metrics.log* group=queue to check queue performance.

Incorrect Answers: B. Increase the indexer memory allocation -- Memory allocation does not resolve forwarder delays. C. Optimize search head clustering -- Search heads manage search performance, not forwarder ingestion. D. Reconfigure the props.conf file -- props.conf affects event processing, not ingestion speed.

Splunk Forwarder Troubleshooting Guide

Monitoring Forwarder Queue Performance

by Lucy at May 30, 2026, 03:34 AM

Limited Time Offer

25%

Off

Get Premium SPLK-5002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!