Splunk Enterprise Certified Admin — Question 24

Which of the following are valid parent elements for the event action shown below? (Select all that apply.)
<set token=`Token Name`>sourcetype=$click.value|s

Answer options

• A. <eval>
• B. <change>
• C. <change> <condition>
• D. <drilldown> <condition>

Correct answer: A, C

Explanation

The correct answer includes <eval> because it is a valid parent for the set token action. Additionally, <change> <condition> is valid as it can encapsulate the <set> tag. The other options, <change> alone and <drilldown> <condition>, do not serve as appropriate parents for this specific event action.