A Splunk architect has inherited the Splunk deployment at Buttercup Games and end users are complaining that the events are inconsistently formatted for a web sourcetype. Further investigation reveals that not all web logs flow through the same infrastructure: some of the data goes through heavy forwarders and some of the forwarders are managed by another department.
Which of the following items might be the cause for this issue?
The issue is likely that the data inputs are not properly configured across all the forwarders. In a scenario where multiple forwarders are involved, inconsistently formatted events usually indicate discrepancies in how data inputs are set up on each forwarder. If some forwarders have different configurations or are not configured to handle the data uniformly, it can lead to inconsistent data formatting.
I think answer is B, Why the configuration of indexer and Heavy forwarder should be same.
The correct answer is C. Alternative B cannot be since the UFs cannot be configured in the props.conf and neither does it contemplate the indexers.
Question does not specify whether other forwarders are UFs. It only mentions heavy forwarders. Could be B.
For there to be a correct parsing of the data in the indexers and heavy forwarders, the same configuration must be used.
That's not true. Props.conf can indeed be in Universal Forwarders. For example, EVENT_BREAKER properties are ONLY applicable in props.conf on UFs. https://docs.splunk.com/Documentation/ITSI/4.17.0/Configure/props.conf
C is the correct Answer
C is correct
C is correct
It's the B since they mention that the reason of the issue is that sourcetype if the only affecting the data which means that some inputs could have a wrong sourcetype name in the inputs.conf
Nope. We are talking about the same sourcetype, different parsing/format here.