When monitoring directories that contain mixed file types, which setting should be omitted from inputs.conf and instead be overridden in props.conf?
A. sourcetype
B. host
C. source
D. index

Answer: A

Explanation:

When monitoring directories containing mixed file types, the sourcetype should typically be overridden in props.conf rather than defined in inputs.conf. This is because sourcetype is meant to classify the type of data being ingested, and when dealing with mixed file types, setting a single sourcetype in inputs.conf would not be effective for accurate data classification. Instead, you can use props.conf to define rules that apply different sourcetypes based on the file path, file name patterns, or other criteria. This allows for more granular and accurate assignment of sourcetypes, ensuring the data is properly parsed and indexed according to its type.

Splunk Cloud

Reference: For further clarification, refer to Splunk’s official documentation on configuring inputs and props, especially the sections discussing monitoring directories and configuring sourcetypes.

Source:

Splunk Docs: Monitor files and directories

Splunk Docs: Configure event line breaking and input settings with props.conf

Latest SPLK-1005 Dumps Valid Version with 73 Q&As
