When building a playbook in Splunk SOAR, if the desired artifact value does not appear in the
auto-populated list of input parameters for an action, users have the option to manually enter the
Common Event Format (CEF) datapath for that value. This allows for greater flexibility and
customization in playbook design, ensuring that specific data points can be targeted even if they're
not immediately visible in the interface. This manual entry of CEF datapaths allows users to directly
reference the necessary data within artifacts, bypassing limitations of the auto-populated list.
Options B, C, and D suggest alternative methods that are not typically used for this purpose, making
option A the correct and most direct approach to entering an unlisted artifact value in a playbook
action.

When assigning an input parameter to an action while building a playbook, a user can use the
auto-populated list of artifact values that match the expected data type for the parameter. The
auto-populated list is based on the contains parameter of the action inputs and outputs, which enables
contextual actions in the SOAR user interface. However, the auto-populated list may not include all
the possible artifact values that can be used as parameters, especially if the artifact values are nested
or have uncommon data types. In that case, the user can type the CEF datapath in manually, using
the syntax artifact.<field>.<key>, where field is the name of the artifact field, such as cef, and key is
the name of the subfield within the artifact field, such as sourceAddress. Typing the CEF datapath in
manually allows the user to enter the unlisted artifact value as an input parameter to the action.
Therefore, option A is the correct answer, as it states how it is possible to enter the unlisted artifact
value. Option B is incorrect, because deleting and recreating the artifact is not a way to enter the
unlisted artifact value, but rather a way to lose the existing artifact data. Option C is incorrect,
because editing the artifact to enable the List as Parameter option for the CEF value is not a way to
enter the unlisted artifact value, but rather a way to make the artifact value appear in the
auto-populated list. Option D is incorrect, because editing the container to allow CEF parameters is not a
way to enter the unlisted artifact value, but rather a way to modify the container properties, which
are not related to the action parameters.