Common Splunk Interview Questions

22. what is use of limit.conf?

This file contains descriptions of the settings that you can use to configure limitations for the search commands. Each stanza controls different search commands settings. There is a limits.conf file in the $SPLUNK_HOME/etc/system/default/ directory

23. Why do we use props.conf? 

props.conf is commonly used for: 

• Configuring line breaking for multi-line events. 
• Setting up character set encoding 
• Allowing processing of binary files 
• Configuring timestamp recognition  
• Configuring event segmentation 
• Overriding automated host and source type matching  

24. Name some important configuration files?

Some important configuration files:

• inputs.conf
• Outputs.conf
• Props.conf
• transforms.conf

25. Which parameters you can use in props.conf and transforms.conf?

1) Props.conf: –

LINE_BREAKER = <regular expression>
SHOULD_LINEMERGE = <boolean>
BREAK_ONLY_BEFORE = <regular expression>
DATETIME_CONFIG = [<filename relative to $SPLUNK_HOME> | CURRENT | NONE]
KV_MODE
FIELDALIAS
LOOKUP

Transforms.conf: –

REGEX<regular expression>
FORMAT<string>
SOURCE_KEY<String>
DELIMS<Quoted string list>