There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?
An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the default props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be added to the user's local context to disable the field aliases?
Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)
Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
All search-time field extractions should be specified on which Splunk component?
