Splunk Enterprise Certified Admin Practice Test

Which of the following statements is true regarding time synchronization in Splunk?

• A. It is not best-practice to use a time synchronization service such as NTP
• B. Splunk services do not depend on accurate time
• C. Clock skew between hosts can affect search results
• D. Indexers and production servers do not need standardized time config

The correct answer is: Clock skew between hosts can affect search results

The statement that clock skew between hosts can affect search results is correct because accurate time synchronization is crucial for the integrity of data in Splunk. When the clocks on different servers are not synchronized, it can lead to inconsistencies in log timestamps. This inconsistency can ultimately impact search results because searches in Splunk are typically time-based. Relying on logs that have timestamps from different time zones or that are affected by latency can result in misaligned data, making it difficult to analyze events in a coherent timeline. Having synchronized time ensures that all data ingested into Splunk maintains its correct order and relevance, particularly in environments where multiple sources of data are involved. This standardization is especially important for correlated events that rely on precise timing to understand the sequence of operations and incident responses. Other options suggest practices that can lead to poor data management within Splunk environments, indicating a lack of focus on best practices in time synchronization. Implementing a time synchronization service such as NTP (Network Time Protocol) is crucial to maintaining operational integrity in distributed systems like Splunk installations.