Splunk Core Certified Advanced Power User — Question 98

When indexing a data source, which fields are considered metadata?

Answer options

• A. source, host, time
• B. time, sourcetype, source
• C. host, raw, sourcetype
• D. sourcetype, source, host

Correct answer: D

Explanation

The correct answer is D because 'sourcetype', 'source', and 'host' are all fields that provide essential context about the data being indexed, thus qualifying as metadata. Options A and B include 'time', which is not classified as metadata in this context. Option C contains 'raw', which also does not fit the definition of metadata.