Splunk Core Certified Consultant — Question 18
A monitor has been created in inputs.conf for a directory that contains a mix of file types.
How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?
Answer options
- A. On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
- B. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
- C. On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.
- D. On the forwarder collecting the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.
Correct answer: B
Explanation
The correct answer is B. The question asks about the input phase, which takes place on the forwarder collecting the data, so that is where the Cloud Admin leaves the directory monitor's sourcetype as automatic and adds a props.conf that assigns a specific sourcetype by source stanza. Options A and C place the configuration on the Indexer, which is not the correct phase for this adjustment. Option D incorrectly suggests setting multiple sourcetypes on the forwarder's directory monitor, which is not the standard approach.