According to the Splunk Enterprise Security documentation, when using the Distributed Configuration Management tool to create the Splunk_TA_ForIndexers package, you can include the following three files:
indexes.conf: This file defines the indexes that are used by Splunk Enterprise Security, such as main, summary, and notable. It also specifies the index settings, such as retention policy, replication factor, and search factor. See indexes.conf for more details.
props.conf: This file defines the properties of the data sources that are ingested by Splunk Enterprise Security, such as sourcetype, timestamp, line breaking, and field extraction. It also specifies the data model mappings, tags, and event types for the data sources. See props.conf for more details.
transforms.conf: This file defines the transformations that are applied to the data sources that are ingested by Splunk Enterprise Security, such as lookup definitions, field aliases, field formats, and calculated fields. It also specifies the regex patterns, delimiters, and formats for the transformations. See transforms.conf for more details.
Therefore, the correct answer is A. indexes.conf, props.conf, transforms.conf. References =
indexes.conf
props.conf
transforms.conf
Assigning Role Based Permissions in Splunk Enterprise Security
Submit