After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?
After data is ingested, which data management step is essential to ensure raw data can be accelerated by a Data Model and used by ES?
Normalization to the Splunk Common Information Model (CIM) is essential after data ingestion to ensure that raw data can be accelerated by a Data Model and used by Enterprise Security (ES). The Splunk CIM provides a standardized way of organizing data, which allows various data sources to be correlated and analyzed effectively in ES.
B is correct. Page 9 ("Data Flow in Enterprise Security") - Administering Splunk ES 7.1