A Heavy Forwarder is a Splunk instance that can parse and filter data before forwarding it to another Splunk instance, such as an indexer1. A Heavy Forwarder can also perform index-time field extractions using the TRANSFORMS setting2.

The TRANSFORMS setting is used to configure data transformations in the transforms.conf file3. The transforms.conf file contains settings and values that you can use to configure host and source type overrides, anonymize sensitive data, route events to different indexes, create index-time and search-time field extractions, and set up lookup tables3.

The TRANSFORMS setting can be deployed to the Heavy Forwarder where the syslog files are being monitored, so that the logs can be rerouted based on the event message before they are forwarded to the indexer2. This can improve the performance and efficiency of data processing and indexing2.

IgnoreOlderThan:This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList:This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor:This is the default method for monitoring files but does not address indexing pre-existing data.

followTail:This attribute, when set in inputs.conf, ensures that Splunk starts reading a file from the end (tail) and does not index existing old data. It is ideal for scenarios with large files where only new updates are relevant.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

" You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. "

To verify the integrity of a local bucket. The command ./splunk check-integrity -bucketPath [bucket path] [-verbose]  is used to verify the integrity of a local bucket by comparing the hashes stored in the l1Hashes and l2Hash files with the actual data in the bucket1. This command can help detect any tampering or corruption of the data.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

A role in Splunk is a classification that determines what capabilities and indexes a user has.A capability is a permission to perform a specific action or access a specific feature on the Splunk platform1.An index is a collection of data that Splunk software processes andstores2. By assigning roles to users, you can control what they can do and what data they can access on the Splunk platform.

Therefore, the correct answers are A and D. A role in Splunk determines what capabilities and indexes a user has. Option B is incorrect because Splunk servers do not use roles to remotely control each other.Option C is incorrect because Splunk servers use instances and components to determine what functions they control3.

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. " Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers). "