In which phase do indexed extractions in props.conf occur?
Indexed extractions in props.conf occur during the parsing phase. This phase is responsible for handling structured data header extractions, among other activities. During the parsing phase, Splunk processes data after it has been read and ensures that structured data is properly parsed and indexed, which includes the application of INDEXED_EXTRACTIONS settings in props.conf.
B is correct. The following items in the phases below are listed in the order Splunk applies them (i.e. LINE_BREAKER occurs before TRUNCATE).
Input phase
  inputs.conf
  props.conf
    CHARSET
    NO_BINARY_CHECK
    CHECK_METHOD
    CHECK_FOR_HEADER (deprecated)
    PREFIX_SOURCETYPE
    sourcetype
  wmi.conf
  regmon-filters.conf
Structured parsing phase
  props.conf
    INDEXED_EXTRACTIONS, and all other structured data header extractions
Parsing phase
  props.conf
    LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings
    TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules
    TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing
    SEDCMD
    MORE_THAN, LESS_THAN
  transforms.conf
    stanzas referenced by a TRANSFORMS clause in props.conf
    LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH
You're right.
Structured parsing phase:
  props.conf
    INDEXED_EXTRACTIONS, and all other structured data header extractions
URL: https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Configurationparametersandthedatapipeline
A. Input phase Data admin PDF - page 242
Data admin p263
P263 in the Data Admin PDF says "Indexed Extractions are input phase props.conf settings". So it'd be A. But the detailed documentation breaks down the steps, and "INDEXED_EXTRACTIONS, and all other structured data header extractions" are part of the Structured Parsing Phase. So it might be B as well... https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Configurationparametersandthedatapipeline
Docs hint at A. Data Admin 9.0 PDF, page 341: "Indexed extractions are input phase props.conf settings"
It's A. From https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf
Heading: Structured Data Header Extraction and configuration
"This setting applies at input time, when data is first read by Splunk software, such as on a forwarder that has configured inputs acquiring the data."
INDEXED_EXTRACTIONS = <CSV|TSV|PSV|W3C|JSON|HEC>
B is correct in my opinion.
B, indexed extractions (INDEXED_EXTRACTIONS) are done in the parsing phase.
https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Configurationparametersandthedatapipeline
Structured parsing phase
  props.conf
    INDEXED_EXTRACTIONS, and all other structured data header extractions
• Indexed extractions are input phase props.conf settings
  – In this scenario, the settings belong on forwarder
  – Check props.conf.spec for more options
Data Admin page: 341
Correct Ans: A
My answer is B.
" Structured parsing phase props.conf INDEXED_EXTRACTIONS, and all other structured data header extractions "
Correct Answer: B
Data Admin Slide 262
Pg 262 data admin pdf
Answer is B, Structured parsing phase props.conf INDEXED_EXTRACTIONS, and all other structured data header extractions
A is correct.
"Structured Data Header Extraction and configuration
# These special string delimiters, which are single ASCII characters,
# can be used in the settings that follow, which state
# "You can use the delimiters for structured data header extraction with
# this setting.
INDEXED_EXTRACTIONS = <CSV|TSV|PSV|W3C|JSON|HEC>
* The type of file that Splunk software should expect for a given source type, and the extraction and/or parsing method that should be used on the file."
https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Propsconf
* This setting applies at input time, when data is first read by Splunk software, such as on a forwarder that has configured inputs acquiring the data.
Answer: A & B.
Generally, fields should be extracted at search time; however, there are certain use cases when index-time field extractions can be used.
Provision the extraction during the input or parsing phase:
  – On the forwarder for structured inputs
  – On the indexer for fields that may be negatively impacting search performance
Uses three configuration files: props.conf, transforms.conf on the indexer and fields.conf on the search head.
If I have to give one answer, I choose parsing; the indexers can handle the extra load better.