Splunk Admin Scenario-Based Questions and Answers (2025)
1. Scenario: High Disk Usage on Indexer Node

Q: Your Splunk indexer is consuming disk rapidly. How would you troubleshoot and resolve this?

A:
1. Check index sizes. In Splunk search, run | dbinspect index=* ; on the indexer host, run du -sh /opt/splunk/var/lib/splunk/* to see which index directories are growing.
2. Review index retention settings. Check indexes.conf for maxTotalDataSizeMB and frozenTimePeriodInSecs on each index.
3. Archive or delete old data. Use coldToFrozenDir to move frozen buckets to external storage, and configure the cold and frozen paths so they do not consume disk on the indexer.
4. Implement data lifecycle policies. Reduce retention (no further than your compliance and investigation requirements allow) or filter unneeded events at ingestion time with props.conf and transforms.conf.

2. Scenario: Forwarders Not Sending Data

Q: A group of Universal Forwarders suddenly stopped sending d...
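For the indexes.conf review in Scenario 1, the following is an added example and not part of the original Q&A: a small Python checker that parses an indexes.conf, layers any [default] stanza over Splunk's shipped defaults for frozenTimePeriodInSecs and maxTotalDataSizeMB, and flags indexes likely to keep consuming disk. The sample indexes.conf, the 365-day threshold and the simplified precedence model (shipped default, then [default] stanza, then per-index stanza) are assumptions made for the demo.

```python
import configparser

# Splunk's shipped defaults (indexes.conf.spec): 6 years retention, 500 GB per index.
SPLUNK_DEFAULTS = {"frozenTimePeriodInSecs": "188697600", "maxTotalDataSizeMB": "500000"}

# Constructed sample indexes.conf for this demo; not from any real deployment.
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 188697600

[main]
maxTotalDataSizeMB = 500000

[firewall]
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 200000
coldToFrozenDir = /archive/splunk/firewall

[debug_logs]
maxTotalDataSizeMB = 2000000
"""

def audit_indexes_conf(text, max_retention_days=365):
    """Return {index: [findings]} for indexes whose effective retention or size
    settings are likely to eat disk. Simplified precedence (an assumption):
    shipped default < [default] stanza < per-index stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(text)
    defaults = dict(SPLUNK_DEFAULTS)
    if cp.has_section("default"):
        defaults.update(cp.items("default"))
    findings = {}
    for index in cp.sections():
        if index == "default":
            continue
        effective = {**defaults, **dict(cp.items(index))}
        notes = []
        retention_days = int(effective["frozenTimePeriodInSecs"]) // 86400
        if retention_days > max_retention_days:
            notes.append(f"retention {retention_days}d exceeds {max_retention_days}d")
        if int(effective["maxTotalDataSizeMB"]) >= int(SPLUNK_DEFAULTS["maxTotalDataSizeMB"]):
            notes.append("maxTotalDataSizeMB at or above the 500 GB shipped default")
        if "coldToFrozenDir" not in effective:
            notes.append("no coldToFrozenDir: frozen buckets are deleted, not archived")
        if notes:
            findings[index] = notes
    return findings
```

Run audit_indexes_conf() on the text of a real indexes.conf to get a per-index list of findings; with the sample above, main and debug_logs are flagged while firewall passes.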