Splunk Exam SPLK-2003 Topic 1 Question 35 Discussion

Actual exam question for Splunk's SPLK-2003 exam

Question #: 35
Topic #: 1

[All SPLK-2003 Questions]

Which of the following is a step when configuring event forwarding from Splunk to Phantom?

AMap CIM to CEF fields.

BCreate a Splunk alert that uses the event_forward.py script to send events to Phantom.

CMap CEF to CIM fields.

DCreate a saved search that generates the JSON for the new container on Phantom.

Show Suggested Answer

Suggested Answer: C

by Delisa at Feb 09, 2024, 03:17 PM

Limited Time Offer

25%

Off

Get Premium SPLK-2003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Weldon

6 months ago

I think it's D) Create a saved search that generates the JSON for the new container on Phantom. That makes the most sense to me.

upvoted 0 times

...

Blondell

6 months ago

Hmm, I see your point. But I still think A is the correct choice.

upvoted 0 times

...

Ronnie

6 months ago

I disagree, I believe it is B) Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

upvoted 0 times

...

Blondell

7 months ago

I think the answer is A) Map CIM to CEF fields.

upvoted 0 times

...

Dalene

7 months ago

I think C) Map CEF to CIM fields is also important to make sure the data is translated accurately.

upvoted 0 times

...

Flo

7 months ago

But doesn't mapping CIM to CEF fields help ensure the data is properly formatted?

upvoted 0 times

...

Kasandra

7 months ago

I disagree, I believe it is D) Create a saved search that generates the JSON for the new container on Phantom.

upvoted 0 times

...

Flo

8 months ago

I think the correct answer is B) Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

upvoted 0 times

...