Splunk Enterprise Certified Admin Practice Test

Which of the following is NOT a component in the Collection Tier?

• A. Universal Forwarders
• B. Heavy Forwarders
• C. Cluster Manager
• D. Deployment Server

The correct answer is: Cluster Manager

The Collection Tier in Splunk architecture is primarily responsible for collecting and forwarding data from various sources to the indexers for storage and analysis. The components in this tier include forwarders, specifically Universal Forwarders and Heavy Forwarders, which play a critical role in data ingestion. Universal Forwarders are lightweight agents that primarily forward log data to indexers. They are efficient in resource usage and are intended for high-volume data collection. Heavy Forwarders, on the other hand, can perform more data processing tasks, such as filtering events and parsing data before sending it to indexers. In contrast, the Cluster Manager is not a part of the Collection Tier. Instead, it serves to manage indexer clusters, overseeing the replication and availability of the indexed data, ensuring that data is processed and stored reliably, but it does not directly collect or forward data. Deployment Servers are also included in the Collection Tier, as they facilitate the management and deployment of configuration updates to forwarders across the deployment. They essentially help streamline the administration of forwarders to ensure they are properly configured to collect and send data. Thus, the Cluster Manager is the correct answer as its primary function is outside of direct data collection and forwarding, distinguishing it from the other components that are integral to the Collection