What is the value of the sourcetype property for this stanza based on Splunk’s configuration file precedence?
Consider the following configurations:
A. NULL, or unset, due to configuration conflict
B. access_combined
C. linux_secure
D. linux_secure, access_combined
Answer: C
Explanation:
When there are conflicting configurations in Splunk, the platform resolves them based on the configuration file precedence rules. These rules dictate which settings are applied based on the hierarchy of the configuration files.
In the provided configurations:
The first configuration in $SPLUNK_HOME/etc/apps/unix/local/inputs.conf sets the sourcetype to access_combined.
The second configuration in $SPLUNK_HOME/etc/apps/search/local/inputs.conf sets the sourcetype to linux_secure.
Configuration File Precedence:
In Splunk, configurations in local directories take precedence over those in default.
If two configurations are in local directories of different apps, the alphabetical order of the app names determines the precedence.
Since "search" comes after "unix" alphabetically, the configuration in $SPLUNK_HOME/etc/apps/search/local/inputs.conf will take precedence.
Therefore, the value of the sourcetype property for this stanza is linux_secure.
Splunk Documentation
Reference: Configuration File Precedence
Resolving Conflicts in Splunk Configurations
This confirms that the correct answer is C. linux_secure.