Splunk Observability Cloud Certified Associate — Question 1

Which of the following macro values will exclude all of the company networks if it is called from the following search? index=firewall sourcetype=pan:traffic NOT "company_networks"

Answer options

• A. (src_ip IN (151.157.30.0/24, 26.06.18.0/24))
• B. NOT (src_ip IN (151.157.30.0/24, 26.06.18.0/24))
• C. NOT (src_ip=151.157.30.0/24 AND src_ip=26.06.18.0/24)
• D. (src_ip=151.157.30.0/24 AND src_ip=26.06.18.0/24)

Correct answer: B

Explanation

The correct answer, B, uses the NOT operator with the IN clause to exclude both specified company networks. Option A would include the company networks instead of excluding them, while options C and D incorrectly use the AND operator, which does not achieve the desired exclusion for both networks simultaneously.