Splunk IT Service Intelligence Certified Admin — Question 8
Two action blocks, geolocate_ip_1 and file_reputation_2, are connected to a decision block. Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?
Answer options
- A. Select parameter set to: file_reputation_2:action_result.data.*.response_code; evaluation option set to: ==; and the Select Value set to: custom_list:Banned Countries.
- B. Select parameter set to: geolocate_ip_1:action_result.data.*.country_iso_code; evaluation option set to: in; and the Select Value set to: custom_list:Banned Countries.
- C. Select parameter set to: geolocate_ip_1:action_result.cef.*.country_iso_code; evaluation option set to: !=; and the Select Value box left empty.
- D. Select parameter set to: file_reputation_2:action_result.cef.*.response_code; evaluation option set to: in; and the Select Value set to: United States.
Correct answer: B
Explanation
Option B is correct because it selects the country code from the geolocate_ip_1 action result (geolocate_ip_1:action_result.data.*.country_iso_code) and uses the "in" evaluation option to check whether that code is within a specified list, custom_list:Banned Countries. Options A and D are incorrect because they refer to response codes instead of country codes. Option C is incorrect because it uses the wrong evaluation operator and does not provide a value to compare against.