Splunk Enterprise Security Certified Analyst — Question 11

A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?

Answer options

Correct answer: D

Explanation

The correct answer is D, TailingProcessor, because it is the component that monitors file inputs and is used to troubleshoot log ingestion problems in real time. The other options, list monitor and oneshot, do not provide the same level of detail about log processing issues, and btprobe is not relevant to log ingestion troubleshooting.