Splunk Enterprise Security Certified Analyst — Question 60
A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer.
Where does index-time parsing occur?
Answer options
- A. Indexer
- B. Universal forwarder
- C. Search head
- D. Heavy forwarder
Correct answer: D
Explanation
Index-time parsing occurs at the heavy forwarder, which processes the data before sending it to the indexer. The universal forwarder only collects and forwards data without parsing it, and the search head runs searches and visualizations rather than parsing incoming data. The indexer handles storage and search operations, but it does not perform the initial parsing of data that arrives from the heavy forwarder.