Which component normalizes events?
The component responsible for normalizing events is the technology add-on (TA). Technology add-ons contain data inputs and files that help normalize and prepare data for display and analysis. They ensure data is CIM (Common Information Model) compliant, making it easier to search and correlate across different data sources.
Answer is D. Add-ons automatically normalize most common sourcetypes. p.204 It's add-ons that normalize data/events to be CIM compatible.
The correct answer is D. Tech add-ons normalize events - p.11
Please post a link. Which source is p.11 from?
Correct answer is D. Tech add-ons normalize events for CIM compliance.
There are three types of add-ons for Enterprise Security: domain add-ons (DAs), supporting add-ons (SAs), and technology add-ons (TAs). This type division is a naming convention, not a strict technical differentiation. The naming convention indicates the primary contributions of that add-on to the overall solution. DAs typically contain dashboards and other views, along with search objects that populate them. SAs can contain a variety of files but typically do not contain data inputs. TAs often contain data inputs, as well as files that help normalize and prepare that data for display in Enterprise Security.
Correct is A. CIM is the component which normalizes events; TA supports normalization, but not necessarily.
Ans: A. Ref: "A supporting add-on (SA) provides the intermediary knowledge and normalization layer of the Enterprise Security solution architecture. SAs contain a variety of file types to support other parts of the architecture and frameworks. In Enterprise Security, the SA layer contains the schemas used to map data sources into the Common Information Model for analysis through data models." https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/abouttheessolution/
Yes, your ref is true; then the answer is D, as it is generic.