The correct answer is D. Place both props.conf and transforms.conf on the Heavy Forwarder for
source A, and place both props.conf and transforms.conf on the indexer for source B.
According to the Splunk documentation [1], to mask sensitive data from raw events, you need to use
the SEDCMD attribute in the props.conf file and the REGEX attribute in the transforms.conf file. The
SEDCMD attribute applies a sed expression to the raw data before indexing, while the REGEX
attribute defines a regular expression to match the data to be masked. You need to place these files
on the Splunk instance that parses the data, which is usually the indexer or the heavy forwarder [2].
The universal forwarder does not parse the data, so it does not need these files.
For source A, the data is routed through a heavy forwarder, which can parse the data before sending
it to the indexer. Therefore, you need to place both props.conf and transforms.conf on the heavy
forwarder for source A, so that the masking takes place before indexing.
For source B, the data is routed directly to the indexer, which parses and indexes the data. Therefore,
you need to place both props.conf and transforms.conf on the indexer for source B, so that the
masking takes place before indexing.
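
The following configuration is an added illustration, not part of the original answer or of any specific deployment. It shows the two files as they would be deployed together on the parsing instance (the heavy forwarder for source A, the indexer for source B). The sourcetype name, the stanza and class names, and the masked fields are hypothetical placeholders.

```ini
# --- props.conf (deploy on the instance that parses the data) ---
# "app:payments" is a hypothetical sourcetype name.
[app:payments]
# sed-style substitution applied to _raw at parse time:
# keep the last 4 digits of a 16-digit number and mask the first 12.
SEDCMD-mask_card = s/\d{12}(\d{4})/XXXXXXXXXXXX\1/g
# Send events of this sourcetype through the transforms.conf stanza below.
TRANSFORMS-mask_session = mask_session_id

# --- transforms.conf (same instance as props.conf) ---
# "mask_session_id" is a hypothetical stanza name referenced from props.conf.
[mask_session_id]
# Capture the text before the value and the trailing 4 characters after it.
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
# Rebuild the event with the session ID replaced, keeping the last 4 characters.
FORMAT = $1SessionId=########$2
# Write the rewritten text back over the raw event before it is indexed.
DEST_KEY = _raw
```

After restarting the parsing instance, searching newly indexed events for an unmasked value confirms that the rules ran at parse time; events indexed before the change are not rewritten.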