
SPLK-1003 · Question #48

SPLK-1003 Question #48: Real Exam Question with Answer & Explanation

The correct answer is D: MAX_TIMESTAMP_LOOKAHEAD = 30.

Configuration Files

Question

In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best? Event example:

Options

  • A. MAX_TIMESTAMP_LOOKAHEAD = 5
  • B. MAX_TIMESTAMP_LOOKAHEAD = 10
  • C. MAX_TIMESTAMP_LOOKAHEAD = 20
  • D. MAX_TIMESTAMP_LOOKAHEAD = 30

Explanation

Reference: https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

The documentation describes this setting as: "Specify how far (how many characters) into an event Splunk software should look for a timestamp." Since TIME_PREFIX = ^ and the timestamp occupies positions 0-29, D = 30 will pick up the whole timestamp correctly.
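The sketch below is an added illustration, not Splunk code and not part of the original question. It models the lookahead window as the characters that follow the TIME_PREFIX match and shows why only a 30-character window captures a timestamp occupying positions 0-29. The sample event, the time format, and the names `EVENT`, `TIME_FORMAT`, `extract_timestamp` and `compare_options` are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample event: the timestamp fills character positions 0-29.
EVENT = "2024-03-15 08:42:17.1234 +0000 ERROR auth failed for user=svc_backup"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"  # assumed format for the sample


def extract_timestamp(event, lookahead, time_prefix=r"^", time_format=TIME_FORMAT):
    """Simplified model of the lookahead window, not Splunk's implementation.

    The window starts where the TIME_PREFIX match ends and is `lookahead`
    characters long. Returns the parsed datetime, or None when the window
    does not contain a complete timestamp.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + lookahead]
    # Try the longest prefix of the window first so trailing event text
    # inside an oversized window does not break strict strptime parsing.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def compare_options(event=EVENT):
    """Map each candidate lookahead value to whether extraction succeeds."""
    return {n: extract_timestamp(event, n) is not None for n in (5, 10, 20, 30)}


if __name__ == "__main__":
    for n, ok in compare_options().items():
        print(f"MAX_TIMESTAMP_LOOKAHEAD = {n:<3} window={EVENT[:n]!r} parsed={ok}")
```

A window shorter than the timestamp cuts it off, so the event time is not extracted from the event text; a window much larger than needed still works in this model but scans more of the event than necessary.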

Topics

#props.conf #MAX_TIMESTAMP_LOOKAHEAD #Source type configuration #Timestamp extraction
