Which of the following are deployment recommendations for ITSI? (Choose all that apply.)

A. Deployments often require an increase of hardware resources above base Splunk requirements.
B. Deployments require a dedicated ITSI search head.
C. Deployments may increase the number of required indexers based on the number of KPI searches.
D. Deployments should use fastest possible disk arrays for indexers.

Answer: A, B, C

Explanation:

You might need to increase the hardware specifications of your own Enterprise Security deployment above the minimum hardware requirements depending on your environment. Install Splunk Enterprise Security on a dedicated search head or search head cluster.

The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.

Reference: https://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning

A, B, and C are correct answers because ITSI deployments often require more hardware resources than base Splunk requirements due to the high volume of data ingestion and processing. ITSI deployments also require a dedicated search head that runs the ITSI app and handles all ITSI-related searches and dashboards. ITSI deployments may also increase the number of required indexers based on the number and frequency of KPI searches, which can generate a large amount of summary data.

Reference: ITSI deployment overview, ITSI deployment planning
