The exhibit shows a search that reads a lookup file. Which of the following must be true for this search to work correctly?
inputlookup requires a lookup definition in transforms.conf.
Why this answer
For a lookup to work in a Splunk search, it must be defined in transforms.conf. This configuration file specifies the lookup type (e.g., file-based, KV-store, external), the filename, the field mapping, and other parameters. Without this definition, Splunk cannot resolve the lookup command or the lookup table reference in the search string, even if the file exists on disk.
Exam trap
The trap here is that candidates often assume the lookup file just needs to exist on disk (options B, C, D), but Splunk requires the explicit transforms.conf definition to map the lookup name to the file and fields.
How to eliminate wrong answers
Option B is wrong because lookup files are stored on the search head, not the indexer; indexers handle data indexing and search, but lookups are resolved on the search head.
Option C is wrong because the lookup file does not have to be in the default lookup directory; it can be in any directory specified by the 'filename' parameter in transforms.conf, as long as Splunk has read access.
Option D is wrong because the file does not have to be in the $SPLUNK_HOME/etc/apps/search/lookups directory; it can be in any app's lookups subdirectory (e.g., $SPLUNK_HOME/etc/apps/myapp/lookups) as long as the transforms.conf in that app references it correctly.