ExamTopics Logo
Mail Us[email protected]
Menu
Splunk Discussions
exam questions

Exam SPLK-1003 All Questions

View all questions & answers for the SPLK-1003 exam
Go to Exam

Exam SPLK-1003 topic 1 question 56 discussion

Actual exam question from Splunk's SPLK-1003
Question #: 56
Topic #: 1
[All SPLK-1003 Questions]

In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

SHOULD_LINEMERGE = false -

TRUNCATE = 0 -
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

  • A. MAX_TIMESTAMP_LOOKAHEAD = 5
  • B. MAX_TIMESTAMP_LOOKAHEAD = 10
  • C. MAX_TIMESTAMP_LOOKAHEAD = 20
  • D. MAX_TIMESTAMP_LOOKAHEAD = 30
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by AbuAli at April 11, 2020, 1 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AbuAli
Highly Voted 4 years ago
D. MAX_TIMESTAMP_LOOKAHEAD = 30 >>> is right Please find below link https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
upvoted 29 times
...
NastyNutsu
Most Recent 3 months, 1 week ago
Selected Answer: D
MAX_TIMESTAMP_LOOKAHEAD value determines how many character Splunk should look ahead in the event data to find the timestamp. in this example, the time stamp is 2018-04-13 13:42:41:214 - 0500, which span the first 30 characters. Therefore, the best value is 30
upvoted 1 times
...
bobixaka
5 months, 3 weeks ago
Selected Answer: D
2018-04-13 13:42:41.214 -0500 is much more than 10 characters long. 30 will catch it.
upvoted 2 times
...
Marco63
2 years ago
Selected Answer: D
MAX_TIMESTAMP_LOOKAHEAD=10 is not enough to catch the whole timestamp
upvoted 3 times
...
royjn1981
2 years, 2 months ago
Selected Answer: D
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp."
upvoted 3 times
...
Apis
2 years, 3 months ago
Selected Answer: D
D is correct
upvoted 4 times
...
leratel
3 years, 1 month ago
Is C a better choice ? Because date + time is 19 characters, 20 is ok or am I wrong ?
upvoted 3 times
leratel
3 years, 1 month ago
sorry for my question, I stupidly look at the format.... 30 is good
upvoted 6 times
...
...
happy_and_lucky
3 years, 3 months ago
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago