Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam SPLK-1003 topic 1 question 107 discussion

Actual exam question from Splunk's SPLK-1003
Question #: 107
Topic #: 1
[All SPLK-1003 Questions]

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

  • A. host=server1 index=unixinfo
  • B. host=server1 index=searchinfo
  • C. host=searchsvr1 index=searchinfo
  • D. host=unixsvr1 index=unixinfo
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
furiousjase
Highly Voted 2 years, 6 months ago
The answer is B Index Time Precedence Order: 1 - System Local directory [etc/system/local] 2 - App Local directories [etc/apps/appname/local] (lexicographical order A..Z) 3 - App default directories [etc/apps/appname/default] (lexicographical order A..Z) 4 - System default directory [etc/system/default]
upvoted 15 times
ucsdmiami2020
2 years, 6 months ago
Confirmed per Splunk documentation https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles "When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local."
upvoted 2 times
...
...
Rodders2828
Highly Voted 1 year, 3 months ago
Selected Answer: B
Just did the Admin test today (passed), and got this question. In the actual question is not the same provided here - as mentioned below, the two local paths have different app names 'search' and 'unix', and not both as 'search'. In that case 'search' will take precedence over 'unix' - and so B is correct.
upvoted 5 times
toney_mu
1 year, 1 month ago
Yes, you are right. There is a typo in the queston the last input .conf is as below. SPLUNK_HOME/etc/app/unix/local/inputs.conf ( not search ) Option B
upvoted 1 times
...
...
toney_mu
Most Recent 1 year, 1 month ago
There is a typo in the queston the last input .conf is as below. SPLUNK_HOME/etc/app/unix/local/inputs.conf ( not search ) Option B
upvoted 1 times
...
Rodders2828
1 year, 3 months ago
Selected Answer: A
Should be 'A'. Assuming the two 'apps' inputs are in the order provided, then the last stanza will override the first, meaning the index will be set to 'unixinfo'. The host will be set by the system/local file, which takes precedence over app/local.
upvoted 1 times
Rodders2828
1 year, 3 months ago
Wrong - see my later comment. The actual question has different app names for the local paths, meaning the answer will be B, not A.
upvoted 2 times
...
...
kgcykyzoxjxhvfazje
1 year, 3 months ago
I took the test recently and the question here is wrong. With the question as stated here, the answer is A because it takes host from system/local and it takes the last valid stanza from apps/search/local. However in the actual question one of the stanzas comes from apps/unix/local instead of apps/search/local. In that case, it still takes host from system/local, but it takes index from apps/search/local because s comes before u.
upvoted 3 times
...
denominator
1 year, 9 months ago
data admin pdf pg 257. Precedence at index-time. 1 - etc/system/local . I think the ans is A, which it had the index name though
upvoted 1 times
toney_mu
1 year, 1 month ago
There is a typo in the queston the last input .conf is as below. SPLUNK_HOME/etc/app/unix/local/inputs.conf ( not search ) Option B
upvoted 1 times
...
...
Seba0297
1 year, 10 months ago
Selected Answer: B
Answer is B for index-time precedence order (see other comments) and, with replicated stanza in the same .conf file, the last one overrides the previous one. Verify the configuration with btool and you get the last listed entry rule
upvoted 1 times
Seba0297
1 year, 10 months ago
Sorry, my explanation was about A that is correct, i was remembering B... ahah
upvoted 1 times
...
...
Helaros
1 year, 11 months ago
I guess the questions is no correct...this way it just cannot be answered correctly because you cannot say which of the stanza1 entries is first in the /apps/search/local/inputs.conf...I would think that the second entry (with "host=unixsvr1" and index="unixinfo" should be located in /etc/apps/unix/local/inputs.conf..this would be inline with other examples used in the Administration courses (see System Administration Slide 82). Therefore answer B would be correct as the 'search' app comes before the 'unix' app in lexicographical order. B is correct. Question has a typo.
upvoted 2 times
...
aallpp
2 years, 3 months ago
I think the answe is A.
upvoted 2 times
...
sam_1215
2 years, 5 months ago
I believe answer is A. - etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see : https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical-stanzas-within-a-single/m-p/283566
upvoted 3 times
...
Salman23
2 years, 6 months ago
Answer is A. during index time, higher prevalence is for /etc/system/local/ with: host=server1 this combined with second prevalence wich is /etc/apps/search/local/ witch index=unixinfo.
upvoted 2 times
...
tom888
2 years, 6 months ago
why not A?
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...