Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Splunk Exam SPLK-1005 Topic 4 Question 15 Discussion

Actual exam question for Splunk's SPLK-1005 exam
Question #: 15
Topic #: 4
[All SPLK-1005 Questions]

A monitor has been created in inputs. con: for a directory that contains a mix of file types.

How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?

Show Suggested Answer Hide Answer
Suggested Answer: B

When dealing with a directory containing a mix of file types, it's essential to fine-tune the sourcetypes for different files to ensure accurate data parsing and indexing.

B . On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza: This is the correct answer. In this approach, the Universal Forwarder is set up with a directory monitor where the sourcetype is initially left as automatic. Then, a props.conf file is configured to specify different sourcetypes based on the source (filename or path). This ensures that as the data is collected, it is appropriately categorized by sourcetype according to the file type.

Splunk Documentation Reference:

Configuring Inputs and Sourcetypes

Fine-tuning sourcetypes


by Rima at Apr 30, 2025, 02:11 AM

Limited Time Offer

25%

Off

Get Premium SPLK-1005 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Erinn
1 days ago
Option D just sounds like more work than it's worth. Why complicate things on the forwarder when you can do it all on the indexer?
upvoted 0 times
...
Portia
2 days ago
Hmm, Option C with multiple sourcetype_source attributes sounds interesting, but it might get a bit messy. I'd prefer to keep it straightforward.
upvoted 0 times
...
Cristy
9 days ago
I like the simplicity of Option B. Leaving it automatic on the forwarder and then configuring props.conf on the indexer side sounds efficient.
upvoted 0 times
...
Margurite
9 days ago
That's a good point, I see the rationale behind option C now. It could help filter out unwanted files effectively.
upvoted 0 times
...
Jennie
11 days ago
But wouldn't setting multiple sourcetype_source attributes on the Indexer be more efficient, like in option C?
upvoted 0 times
...
Margurite
11 days ago
I disagree, I believe the correct answer is B. We should leave sourcetype as automatic on the forwarder.
upvoted 0 times
...
Tegan
15 days ago
Option A seems like the way to go. Keeping the sourcetype automatic on the indexer and then using props.conf to assign specific sourcetypes is a clean approach.
upvoted 0 times
...
Jennie
23 days ago
I think the answer is A. It makes sense to assign specific sourcetypes by source stanza in props.conf.
upvoted 0 times
...

Save Cancel
a