Splunk Core Certified Consultant — Question 12

Li was asked to create a Splunk configuration to monitor syslog files stored on Linux servers at their organization. This configuration will be pushed out to multiple systems via a Splunk app using the on-prem deployment server.
The system administrators have provided Li with a directory listing for the logging locations on three syslog hosts, which are representative of the file structure for all systems collecting this data. An example from each system is shown below:

Host: syslog01 -
File path: /var/log/network/syslog01/linux_secure/syslog.log

Host: syslog02 -
File path: /var/log/network/syslog02/linux_secure/syslog.log

Host: us-syslog-01 -
File path: /var/log/network/us-syslog-01/linux_secure/syslog.log.2020090801
Which monitor:// stanza could Li use in their app to ensure all three of these files are ingested into Splunk?

Answer options

• A. [monitor:///var/log/network/syslog*/linux_secure/*]
• B. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log]
• C. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log.*]
• D. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log*]

Correct answer: D

Explanation

The correct answer is D because it uses a wildcard at the end of 'syslog.log*', allowing it to capture both 'syslog.log' and any rotated versions like 'syslog.log.2020090801'. Option A is too broad as it includes all files under 'linux_secure', while B is too specific as it only targets 'syslog.log' without accounting for rotated logs. Option C captures rotated logs but misses 'syslog.log' itself due to the wildcard placement.