Splunk Enterprise Security Certified Analyst — Question 55
A customer would like Splunk to delete files after they've been ingested. The Universal Forwarder has read/write access to the directory structure. Which input type would be most appropriate to use in order to ensure files are ingested and then deleted afterwards?
Answer options
- A. Script
- B. Batch
- C. Monitor
- D. Fschange
Correct answer: B
Explanation
The Batch input type is designed to ingest files and remove them after ingestion, making it the correct choice. The Script option does not automatically handle file deletion, Monitor continuously observes files without deleting them, and Fschange focuses on file changes rather than ingestion and removal.