Splunk Core Certified Advanced Power User — Question 18

This file has been manually created on a universal forwarder:

/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf

    [monitor:///var/log/messages]
    sourcetype=syslog
    index=syslog

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:

/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf

    [monitor:///var/log/maillog]
    sourcetype=maillog
    index=syslog

Which file is now monitored?

Answer options

Correct answer: B

Explanation

The new inputs.conf file deployed from the deployment server specifies monitoring for /var/log/maillog. Because it is deployed as the same app (my_TA), the deployed copy of the app replaces the one already on the forwarder, including the manually created local/inputs.conf that monitored /var/log/messages. Therefore, only /var/log/maillog is monitored now, making option B the correct answer. Options A and C are incorrect because they reference the old monitored file, which is no longer active, and option D is incorrect because /var/log/maillog is being monitored.