Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:
Which file(s) will actually be actively monitored?
In Splunk, when multiple stanzas are defined for the same directory, the last one in the inputs.conf file will take precedence. Therefore, the final stanza, which whitelists 'secure', will be the one that is actively applied. This means only the file /var/log/secure will be monitored. The initial stanza that whitelists 'messages' will be overridden by the subsequent stanza.
Agree with v12 on this one. The second stanza will override the first, and only secure will be monitored. A is correct
if stanzas are same only the last one gets applied, see the discussions here:- https://community.splunk.com/t5/Archive/Multiple-stanza-in-inputs-conf-for-the-same-folder/m-p/353748
page 193 of SCI
This is wrong the correct answer is D both of the files would be indexed Assuming the spelling error with the first stanza is fixed the whitelist option specifically calls out both files https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Whitelistorblacklistspecificincomingdata
A is correct
A is the correct
Also both files will be monitored , though the first stanza won't log to splunk assuming the spelling issue with the index, but will be monitored and just have the data lost/not written.