
Splunk SPLK-1005 Exam - Topic 4 Question 15 Discussion

Actual exam question for Splunk's SPLK-1005 exam
Question #: 15
Topic #: 4

A monitor has been created in inputs.conf for a directory that contains a mix of file types.

How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?

Suggested Answer: B

When dealing with a directory containing a mix of file types, it's essential to fine-tune the sourcetypes for different files to ensure accurate data parsing and indexing.

B. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.

This is the correct answer. In this approach, the Universal Forwarder is set up with a directory monitor where the sourcetype is initially left as automatic. A props.conf file is then configured to specify different sourcetypes based on the source (filename or path). This ensures that, as the data is collected, it is categorized by sourcetype according to the file type.

Splunk Documentation Reference:

Configuring Inputs and Sourcetypes

Fine-tuning sourcetypes
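
The configuration described in the suggested answer, as an added example that is not part of the original page or of Splunk's documentation. The directory path, file patterns and sourcetype names are constructed for illustration.

```ini
# ---- inputs.conf (on the forwarder) ----
# Directory monitor with no "sourcetype" setting, so the sourcetype
# is left as automatic for everything under the directory.
# /var/log/mixed is a constructed path.
[monitor:///var/log/mixed]
disabled = false

# ---- props.conf (on the same forwarder) ----
# A [source::...] stanza matches on the source (file path). The
# "sourcetype" setting is only valid inside a [source::...] stanza and
# is applied during the input phase.
# In the pattern, "*" matches within one path segment and "..." matches
# across directory levels.

# JSON files written directly into the monitored directory
# (app_json is a constructed sourcetype name)
[source::/var/log/mixed/*.json]
sourcetype = app_json

# Access logs anywhere below the monitored directory
# (app_access is a constructed sourcetype name)
[source::/var/log/mixed/.../access*.log]
sourcetype = app_access

# Files that match no [source::...] stanza keep the automatically
# assigned sourcetype.
```

Running `splunk btool props list --debug` on the forwarder shows which props.conf file each effective setting comes from, which helps confirm the source stanzas are being picked up.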


Contribute your Thoughts:

Gwenn
2 months ago
C is interesting, but I’m not sure it’s the best approach.
upvoted 0 times
...
Yolando
2 months ago
Definitely agree with A, makes the most sense!
upvoted 0 times
...
Ciara
3 months ago
B seems right too, but I prefer A for clarity.
upvoted 0 times
...
Lyla
3 months ago
Wait, can you really set multiple sourcetypes like that? Sounds tricky.
upvoted 0 times
...
Malcolm
3 months ago
I think option A is the way to go.
upvoted 0 times
...
Bonita
3 months ago
I thought we learned that setting multiple sourcetypes could get complicated. I’m leaning towards option B, but I’m not completely confident.
upvoted 0 times
...
Donte
4 months ago
I vaguely recall something about using props.conf to filter out files, but I can't remember if that was for the forwarder or the indexer.
upvoted 0 times
...
Denae
4 months ago
I think we practiced a similar question where we had to decide between automatic sourcetypes and manually setting them. I feel like option A might be the right choice.
upvoted 0 times
...
Felice
4 months ago
I remember we discussed how sourcetypes can be assigned at different stages, but I'm not sure if it should be done on the forwarder or the indexer.
upvoted 0 times
...
Alethea
4 months ago
This is a tricky one. I'm not totally sure about the difference between the forwarder and the indexer in this context. But I think the question is hinting that we want to do the sourcetype configuration on the indexer side, so I'm leaning towards option C. Setting those sourcetype_source attributes and then using props.conf to clean things up.
upvoted 0 times
...
Rory
4 months ago
Okay, I think I've got this. The key is to fine-tune the sourcetypes during the input phase, so that means I should be looking at the forwarder configuration. Option D sounds like the right approach - set multiple sourcetype_source attributes on the forwarder and then use props.conf to filter. Feels like the most comprehensive solution.
upvoted 0 times
...
Beula
5 months ago
Hmm, I'm a bit confused by the wording here. Is the question asking about what to do on the forwarder or the indexer? I'm not sure if I should be looking at the forwarder or the indexer configuration. Maybe I'll just go with option A to play it safe.
upvoted 0 times
...
Benton
5 months ago
This seems like a pretty straightforward question about configuring sourcetypes for a directory monitor. I think I'd go with option C - setting multiple sourcetype_source attributes on the indexer and then using props.conf to filter out any unwanted file types.
upvoted 0 times
...
Amber
9 months ago
Wait, are we sure these options are mutually exclusive? Can't we just use a combination of them for maximum flexibility?
upvoted 0 times
Gail
8 months ago
C) On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.
upvoted 0 times
...
Carla
8 months ago
B) On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
upvoted 0 times
...
Jamey
8 months ago
A) On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
upvoted 0 times
...
...
Erinn
9 months ago
Option D just sounds like more work than it's worth. Why complicate things on the forwarder when you can do it all on the indexer?
upvoted 0 times
...
Portia
9 months ago
Hmm, Option C with multiple sourcetype_source attributes sounds interesting, but it might get a bit messy. I'd prefer to keep it straightforward.
upvoted 0 times
Mattie
8 months ago
B) On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
upvoted 0 times
...
Glenn
8 months ago
A) On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
upvoted 0 times
...
...
Cristy
9 months ago
I like the simplicity of Option B. Leaving it automatic on the forwarder and then configuring props.conf on the indexer side sounds efficient.
upvoted 0 times
Douglass
8 months ago
Yuonne: Definitely, keeping it automatic on the forwarder and setting up props.conf on the indexer side is a smart approach.
upvoted 0 times
...
Yuonne
8 months ago
User 2: Yeah, it's a simple solution that can be easily implemented.
upvoted 0 times
...
Mammie
8 months ago
User 1: I agree, Option B seems like the most efficient choice.
upvoted 0 times
...
...
Margurite
9 months ago
That's a good point, I see the rationale behind option C now. It could help filter out unwanted files effectively.
upvoted 0 times
...
Jennie
9 months ago
But wouldn't setting multiple sourcetype_source attributes on the Indexer be more efficient, like in option C?
upvoted 0 times
...
Margurite
9 months ago
I disagree, I believe the correct answer is B. We should leave sourcetype as automatic on the forwarder.
upvoted 0 times
...
Tegan
9 months ago
Option A seems like the way to go. Keeping the sourcetype automatic on the indexer and then using props.conf to assign specific sourcetypes is a clean approach.
upvoted 0 times
Jose
7 months ago
Agreed, using props.conf to assign specific sourcetypes on the indexer is a good strategy.
upvoted 0 times
...
Stephaine
7 months ago
I think option A provides a simple and effective solution for managing sourcetypes.
upvoted 0 times
...
Audrie
8 months ago
It's definitely a clean approach to use props.conf for assigning specific sourcetypes.
upvoted 0 times
...
Kimberely
8 months ago
I agree, option A is the best choice for fine-tuning sourcetypes.
upvoted 0 times
...
...
Jennie
10 months ago
I think the answer is A. It makes sense to assign specific sourcetypes by source stanza in props.conf.
upvoted 0 times
...
