Splunk Enterprise Security Certified Analyst — Question 65
A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?
Answer options
- A. None. Splunk default configurations will process the events as needed; the UF is not causing truncation.
- B. Configure the best practice magic 6 or great 8 props.conf settings.
- C. EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.
- D. Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.
Correct answer: C
Explanation
The correct answer is C because configuring EVENT_BREAKER_ENABLE and EVENT_BREAKER in props.conf per sourcetype lets the UF break its outbound data stream at event boundaries rather than at fixed chunk boundaries, so events that exceed the size limit are handled properly. Options A and B are incorrect because they do not address the specific configuration needed to prevent the truncation. Option D is also wrong because it suggests a global configuration, which may not be as effective as setting the event breaker per sourcetype.