Splunk Enterprise Security Certified Admin — Question 41

Where are attachments to investigations stored?

Answer options

• A. KV Store
• B. notable index
• C. attachments.csv lookup
• D. <splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments

Correct answer: A

Explanation

The correct answer is A, the KV Store, as it is specifically designed for storing key-value pairs, including attachments for investigations. The notable index (B) is used for storing notable events, while attachments.csv lookup (C) refers to a lookup file and not a storage location. Option D points to a directory path but does not serve as a storage mechanism for attachments.