Learn how to identify the correct inputs.conf stanza for monitoring a single local file in Splunk. Get a detailed explanation and examples to master this concept.
Table of Contents
Question
In inputs.conf, which stanza would mean Splunk was only reading one local file?
A. [monitor::/opt/log/crashlog/Jan27crash.txt]
B. [monitor:///opt/log/crashlogs/Jan27crash.txt]
C. [read://opt/log/crashlog/Jan27crash.txt]
D. [monitor:///opt/log/]
Answer
B. [monitor:///opt/log/crashlogs/Jan27crash.txt]
Explanation
In inputs.conf, the stanza [monitor:///opt/log/crashlogs/Jan27crash.txt] would mean Splunk is only reading one local file: /opt/log/crashlogs/Jan27crash.txt.
Here’s a breakdown of the stanza:
- [monitor:///path/to/file] is the syntax for monitoring a single file on the local system.
- The triple forward slash (///) indicates an absolute path on the local file system.
- /opt/log/crashlogs/Jan27crash.txt is the absolute path to the file being monitored.
This stanza instructs Splunk to continuously monitor and ingest data from the specified file as new data is written to it.
Splunk SPLK-1003 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Splunk SPLK-1003 exam and earn Splunk SPLK-1003 certification.