In this source definition, the MAX_TIMESTAMP_LOOKAHEAD setting is missing.
Event example:
Which value would fit best?
A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30
Answer: D
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
The documentation describes the setting as: "Specify how far (how many characters) into an event Splunk software should look for a timestamp." Since TIME_PREFIX = ^ and the timestamp occupies positions 0-29, D (30) will pick up the whole timestamp correctly.