Splunk Exam SPLK-1005 Topic 10 Question 6 Discussion

Actual exam question for Splunk's SPLK-1005 exam

Question #: 6
Topic #: 10

A monitor has been created in inputs. con: for a directory that contains a mix of file types.

How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?

AOn the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.

BOn the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props. conf that assigns a specific sourcetype by source stanza.

COn the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props, com that filters out unwanted files.

DOn the forwarder collecting the data, set multiple 3ourcotype_sourc attributes for the directory monitor collecting the files. Then create a props. conf that filters out unwanted files.

Show Suggested Answer

Suggested Answer: B

When dealing with a directory containing a mix of file types, it's essential to fine-tune the sourcetypes for different files to ensure accurate data parsing and indexing.

B . On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza: This is the correct answer. In this approach, the Universal Forwarder is set up with a directory monitor where the sourcetype is initially left as automatic. Then, a props.conf file is configured to specify different sourcetypes based on the source (filename or path). This ensures that as the data is collected, it is appropriately categorized by sourcetype according to the file type.

Splunk Documentation Reference:

Configuring Inputs and Sourcetypes

Fine-tuning sourcetypes

by Maybelle at Oct 21, 2024, 06:16 PM

Limited Time Offer

25%

Off

Get Premium SPLK-1005 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Lynelle

3 months ago

Option A looks good, but I can't help but wonder if the indexer is secretly a sentient being that will rebel against our attempts to fine-tune its behavior.

upvoted 0 times

Kristin

2 months ago

User 3: Haha, I don't think the indexer is secretly plotting against us!

upvoted 0 times

...

Ivette

2 months ago

User 2: I agree, it's important to have control over how the data is parsed.

upvoted 0 times

...

Cyndy

3 months ago

User 1: Option A sounds like the best approach for fine-tuning sourcetypes.

upvoted 0 times

...

Nicolette

3 months ago

Hold up, are we sure these are the only options? Where's the option to just use a Python script to automate the whole process and save us the headache?

upvoted 0 times

...

Apolonia

3 months ago

Hmm, Option D seems a bit convoluted. Why bother messing with the forwarder when you can just handle it at the indexer?

upvoted 0 times

Penney

3 months ago

Hmm, Option D seems a bit convoluted. Why bother messing with the forwarder when you can just handle it at the indexer?

upvoted 0 times

...

Graciela

3 months ago

C) On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.

upvoted 0 times

...

Carylon

3 months ago

B) On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.

upvoted 0 times

...

Devon

3 months ago

A) On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.

upvoted 0 times

...

Noah

4 months ago

I'd go with Option B. Leaving the sourcetype as automatic on the forwarder and then using props.conf to assign specific sourcetypes sounds like a cleaner solution.

upvoted 0 times

...