According to the Splunk Add-on Builder documentation, after managing source types and extracting fields, the key step that comes next in the Add-on Builder is to map to data models. Data models are predefined schemas that provide a common standard for organizing and naming data fields across different data sources. Splunk Enterprise Security uses the Splunk Common Information Model (CIM) to enable cross-source analysis and correlation of security events. The Add-on Builder helps you to map your data fields to the CIM data models, such as Authentication, Change, Endpoint, and others. You can use the Data Model Mapper tool to select the data models that are relevant to your data source and map the fields accordingly. You can also validate the data model mappings and preview the results. See Map to data models for more details.

The other options are not the correct steps that come next in the Add-on Builder. Validate and package is the last step in the Add-on Builder, where you can check the quality and readiness of your add-on and create a package file for distribution. See Validate and package for more details. Configure data collection is the first step in the Add-on Builder, where you can specify the method and parameters for collecting data from your data source. See Configure data collection for more details. Create alert actions is an optional step in the Add-on Builder, where you can build custom alert actions or adaptive response actions for Splunk Enterprise Security. See [Create alert actions] for more details. Therefore, the correct answer is D. Map to data models. References =

Map to data models

Validate and package

Configure data collection

[Create alert actions]

Splunk Add-on Builder | Splunkbase3

Splunk Add-on Builder | Splunkbase