The deployer in a Search Head Cluster (SHC) is primarily responsible for distributing apps to SHC members and handling configuration updates that are non-search related and manual. It is used to propagate baseline app configurations and other configuration file changes across the SHC. You do not use the deployer to bootstrap a clean Splunk install for a SHC or to distribute runtime knowledge object changes made by users.

When using the LINE_BREAKER attribute in props.conf to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to false. This ensures that no further merging of lines occurs, as the LINE_BREAKER attribute already handles the event boundaries.

A deployment plan should include business continuity and disaster recovery plans to ensure that operations can continue or be quickly restored in the event of an unexpected disruption. These plans are critical for maintaining service availability and minimizing downtime, making them essential components of any deployment strategy.

A multisite indexer cluster can be configured either by directly editing the SPLUNK_HOME/etc/system/local/server.conf file or by running the splunk edit cluster-config command from the CLI. Configuration via Splunk Web is not supported for this specific setup, and editing SPLUNK_HOME/etc/system/default/server.conf is incorrect as it is intended for default settings which should not be modified directly.

When considering props.conf attributes that impact indexing performance, LINE_BREAKER and SHOULD_LINEMERGE are critical. LINE_BREAKER is used to delimit multi-line events efficiently, providing a significant boost to processing speed. SHOULD_LINEMERGE, on the other hand, controls whether Splunk should attempt to merge lines into a single event, which can impact performance if not managed properly. REPORT is used for field extraction and does not directly impact indexing performance. While ANNOTATE_PUNCT deals with indexing punctuation, it does not significantly influence performance like the other two attributes.