Splunk Exam SPLK-1005 Topic 10 Question 6 Discussion

Actual exam question for Splunk's SPLK-1005 exam

Question #: 6
Topic #: 10

A monitor has been created in inputs. con: for a directory that contains a mix of file types.

How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?

AOn the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.

BOn the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props. conf that assigns a specific sourcetype by source stanza.

COn the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props, com that filters out unwanted files.

DOn the forwarder collecting the data, set multiple 3ourcotype_sourc attributes for the directory monitor collecting the files. Then create a props. conf that filters out unwanted files.

Show Suggested Answer

Suggested Answer: B

When dealing with a directory containing a mix of file types, it's essential to fine-tune the sourcetypes for different files to ensure accurate data parsing and indexing.

B . On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza: This is the correct answer. In this approach, the Universal Forwarder is set up with a directory monitor where the sourcetype is initially left as automatic. Then, a props.conf file is configured to specify different sourcetypes based on the source (filename or path). This ensures that as the data is collected, it is appropriately categorized by sourcetype according to the file type.

Splunk Documentation Reference:

Configuring Inputs and Sourcetypes

Fine-tuning sourcetypes

by Maybelle at Oct 21, 2024, 06:16 PM

Limited Time Offer

25%

Off

Get Premium SPLK-1005 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Noah

15 days ago

I'd go with Option B. Leaving the sourcetype as automatic on the forwarder and then using props.conf to assign specific sourcetypes sounds like a cleaner solution.

upvoted 0 times

...