ExamTopics Logo
Mail Us[email protected]
Menu
Splunk Discussions
exam questions

Exam SPLK-3003 All Questions

View all questions & answers for the SPLK-3003 exam
Go to Exam

Exam SPLK-3003 topic 1 question 48 discussion

Actual exam question from Splunk's SPLK-3003
Question #: 48
Topic #: 1
[All SPLK-3003 Questions]

In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?

  • A. All universal forwarders.
  • B. Only the indexers.
  • C. All heavy forwarders.
  • D. On all parsing Splunk instances.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by Redtonyeah at May 15, 2022, 9:02 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
hpbdcb
11 months ago
Selected Answer: D
the key here is "parsing" instances. the hosts sending directly requires parsing on the indexer peers and the hosts sending to the HFs require parsing on the HF instances. so all parsing instances is the right answer
upvoted 1 times
...
cornripper
2 years ago
D, the props and transforms will go on the HF if there is one(which in this case there is) and then the IDXs will need a fields.conf. https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Configureindex-timefieldextraction
upvoted 2 times
...
Redtonyeah
2 years, 7 months ago
D, in IF and IDX
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel