Splunk Enterprise Security Certified Admin — Question 31
How should an administrator add a new lookup through the ES app?
Answer options
- A. Upload the lookup file in Settings -> Lookups -> Lookup Definitions
- B. Upload the lookup file in Settings -> Lookups -> Lookup table files
- C. Add the lookup file to /etc/apps/SplunkEnterpriseSecuritySuite/lookups
- D. Upload the lookup file using Configure -> Content Management -> Create New Content -> Managed Lookup
Correct answer: D
Explanation
The correct answer is D because it describes the proper method for uploading a new lookup through the ES app's Content Management interface. Options A and B refer to incorrect locations for uploading lookups, and option C involves manual file placement that does not use the ES app's functionality.