Splunk Enterprise Certified Architect — Question 62
A deployable app is configured containing a monitor input for the /var/log directory. The server class was created in Forwarder Management instead of using the Add Data > Forward page. It is confirmed that the app is being deployed to the expected Linux deployment clients, but no /var/log events are being forwarded, even though other events from previously deployed inputs are being forwarded from the same clients.
What is most likely causing this problem?
Answer options
- A. The Restart Splunkd option is not enabled in the server class.
- B. The exclude list is overriding the include list in the server class.
- C. An outputs.conf file was not included in the deployable app.
- D. A receiving port is not enabled on the target indexers.
Correct answer: A
Explanation
The correct answer is A. If the Restart Splunkd option is not enabled in the server class, changes made to the inputs will not take effect until the Splunk daemon is restarted. Options B, C, and D do not fit the scenario: the app is confirmed to be reaching the expected clients, and other events from the same clients are already being forwarded, so the problem is activation of the new monitor input rather than server class filtering, output configuration, or connectivity to the indexers.