ExamTopics Logo
Mail Us[email protected]
Menu
Splunk Discussions
exam questions

Exam SPLK-1003 All Questions

View all questions & answers for the SPLK-1003 exam
Go to Exam

Exam SPLK-1003 topic 1 question 11 discussion

Actual exam question from Splunk's SPLK-1003
Question #: 11
Topic #: 1
[All SPLK-1003 Questions]

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

  • A. /var/log/messages
  • B. /var/log/maillog
  • C. /var/log/maillog and /var/log/messages
  • D. none of the above
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Stressplein at May 22, 2020, 4:22 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Stressplein
Highly Voted 4 years ago
https://answers.splunk.com/answers/728155/what-happens-if-you-deploy-an-inputsconf-from-a-ds.html B
upvoted 17 times
...
Apis
Highly Voted 2 years, 5 months ago
Selected Answer: B
B is correct. Apps from deployment server will overwrite any existing configuration
upvoted 6 times
...
bobixaka
Most Recent 7 months, 2 weeks ago
Selected Answer: B
The client phones home to the DS, performs a checksum match on the apps and configs, finds a mismatch in that particular app and conf file, downloads the app from the DS and overwrites the mismatched inputs.conf
upvoted 4 times
...
InfoSec_RC53
1 year, 3 months ago
This is a great example of the poorly written questions in a Splunk exam. Notice the path, it is in the "deployment-apps" folder which means it is on the DS, not the forwarder. Once it gets to the forwarder, it will then overwrite the inputs, and be located in the $SPLUNK_HOME/etc/apps folder.
upvoted 1 times
...
gibla1929
2 years ago
Selected Answer: B
deployment client will reinstall the app with the same name that matches its expected hash.
upvoted 1 times
...
ZeusP
3 years ago
B is correct as soon as UF try to connect with DS it will pull updated conf and over write the existing conf.
upvoted 4 times
...
Tony_123
3 years, 4 months ago
Once UF (DS client) connects DS server, it will pull the /opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf from DS server , so B is the correct answer.
upvoted 5 times
...
pucca012
3 years, 4 months ago
A is the correct answer, because the local always take precedence.
upvoted 1 times
Hamiltonian
2 years, 11 months ago
This question has nothing to do with precedence. In the first case, the inputs.conf is written locally on the forwarder. In the second case, this original inputs.conf is overwritten by the new inputs.conf settings because the configurations been redeployed from a DS.
upvoted 4 times
Hamiltonian
2 years, 11 months ago
Better to say "deployed" rather than redeployed, because it's the first time a DS is being used with the forwarder.
upvoted 3 times
...
...
...
sargeholik
3 years, 5 months ago
b correct answer
upvoted 4 times
...
Sandy_1988
3 years, 6 months ago
B is the correct answer
upvoted 5 times
...
sergito095
3 years, 11 months ago
I think that the C is the correct answer, because inputs.conf file from forwarder is set up to monitor "messages" file and "maillog" file is monitored by Depolyment Server. Files are differents.
upvoted 3 times
Hamiltonian
2 years, 11 months ago
It doesn't matter. The DS is deploying the configuration setting sunder the given app name. The forwarder, once cnnected to the DS, will do whatever the DS tells it to do from the app configuration settings.
upvoted 2 times
...
Ashton_98
3 years, 7 months ago
That would be true if they didn't have the same app name. When you deploy an app with the same name, it will overwrite the inputs.conf file instead of merging.
upvoted 4 times
...
...
mker
4 years ago
A is the correct answer, becouse the file inputs.conf will by overwrite by deployment
upvoted 2 times
mker
4 years ago
sorry B is the correct
upvoted 7 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel