At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?
Correct Answer: C
Explanation
Splunk_TA_ForIndexes.spl should be deployed to the indexers after installing ES on the search head(s) and running the distributed configuration management tool.
Splunk_TA_ForIndexes.spl is a Splunk add-on that contains the index-time configurations for the data models used by ES. It is required to be installed on all indexers that receive data from ES data sources, such as network devices, endpoints, threat intelligence feeds, and so on.

The recommended way to deploy Splunk_TA_ForIndexes.spl to the indexers is to use the distributed configuration management tool in ES, which is a feature that allows you to automatically distribute configuration files, such as indexes.conf, props.conf, and transforms.conf, to your Splunk platform instances. To use the distributed configuration management tool, you need to first install ES on the search head(s) and then run the tool from the ES menu bar. The tool will prompt you to select the configuration files that you want to deploy, including Splunk_TA_ForIndexes.spl, and the instances that you want to deploy them to, such as indexers, forwarders, or other search heads. The tool will also validate the configuration files and restart the instances as needed [1][2].
References:
1: Distributed Configuration Management - Splunk Documentation - Auto Deployment.
2: Install Splunk Enterprise Security - Splunk Documentation - Install the Splunk Add-on for Indexes.