SPLK-2002 Exam - Question 7

Should be D False

NOTE: You get a significant boost to processing speed when you use LINE_BREAKER to delimit multi-line events (as opposed to using SHOULD_LINEMERGE to reassemble individual lines into multi-line events). * When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set to false, to ensure no further combination of delimited events occurs. False is the answer.

False is the answer

D is the one, guys

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Configureeventlinebreaking#Break_the_data_stream_directly_into_real_events_with_the_LINE_BREAKER_setting

Seems it's A as talking about multi-line events as mentioned in props.conf doc: SHOULD_LINEMERGE = <boolean> * Whether or not to combine several lines of data into a single multiline event, based on the configuration settings listed in this subsection. * When you set this to "true", Splunk software combines several lines of data into a single multi-line event, based on values you configure in the following settings. * When you set this to "false", Splunk software does not combine lines of data into multiline events. * Default: true

D. False

If D how the mentioned multi-line event will be combined together? The answer is C. We're talking about multi-line events not single-line events. You can't work only with LINE_BREAKER

D

D

Totally False, check props.conf for confirmatiom

Answer is D.