Exam4Training

Which value would fit best?

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing .

Event example:

Which value would fit best?
A . MAX_TIMESTAMP_L0CKAHEAD = 5
B . MAX_TIMESTAMP_LOOKAHEAD – 10
C . MAX_TIMESTAMF_LOOKHEAD = 20
D . MAX TIMESTAMP LOOKAHEAD – 30

Answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.

Exit mobile version