Splunk Core Certified Consultant — Question 39

Which of the following methods is valid for creating index-time field extractions?

Answer options

• A. Use the UI to create a sourcetype, specify the field name and corresponding regular expression with capture statement.
• B. Create a configuration app with the index-time props.conf and/or transforms.conf, and upload the app via UI.
• C. Use the CLI app to define settings in fields.conf, and restart Splunk Cloud.
• D. Use the rex command to extract the desired field, and then save as a calculated field.

Correct answer: B

Explanation

The correct answer is B, as creating a configuration app with props.conf and transforms.conf is a valid method for index-time field extractions. Option A describes creating a sourcetype but does not specifically address index-time field extractions. Option C is incorrect because changes in fields.conf do not directly lead to index-time extractions. Option D is also wrong as the rex command is used for search-time field extractions, not index-time.