Exam SPLK-1003 topic 1 question 61 discussion

A & D, From Data Admin pdf, use transformations with props.conf and transforms.conf to: – Mask or delete raw data as it is being indexed –Override sourcetype or host based upon event values – Route events to specific indexes based on event content – Prevent unwanted events from being indexed

A&D Choose all that apply

A & D. The configuration files used to transform raw data ingested by Splunk are: A. props.conf: This file is used to specify how Splunk formats incoming data, including settings for line breaking, timestamp recognition, character set encoding, and field extraction rules. It works in conjunction with transforms.conf for more advanced data transformation tasks. D. transforms.conf: This file is used in conjunction with props.conf to define advanced data transformations, such as field extractions, data masking, and data filtering. It allows for the specification of regular expressions and other settings to extract, transform, and manipulate data. While inputs.conf (B) is indeed a crucial configuration file in Splunk, it's used for specifying the input data settings, such as the type of input, the path for data ingestion, and various parameters for data collection, rather than transforming the data. rawdata.conf (C) is not a standard configuration file in Splunk.

A (props.conf) is more about parsing and interpreting data, while D (transforms.conf) is focused on transforming raw data before indexing So probably D

with SEDCMD, props.conf is ok but using transformation command, props.conf and transforms.conf will be required.

Combination of props.conf and transforms.conf is the answer. Some transformations could be done only within props.conf, but since transforms.conf is in the possible answers, it is also a true answer.

ABD for transformation of raw all the three files needed

A & D are correct

Answer: AD https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms