All search-time field extractions should be specified on which Splunk component?
All search-time field extractions should be specified on which Splunk component?
All search-time field extractions should be specified on the search head. The search head is responsible for parsing and processing the search results, including field extractions at search time. The indexer primarily handles indexing and storing the data, while the deployment server manages configurations and app deployments, and the universal forwarder collects and sends data to the Splunk indexer.
Search Time field extractions are stored on the search head
I was thinking D as well
I would go for option D
Yes I would go with D
The search head is responsible for managing search-time operations, including field extractions, which are defined in configuration files like props.conf and transforms.conf.