Splunk SPLK-2003 Exam - Topic 12 Question 70 Discussion

Actual exam question for Splunk's SPLK-2003 exam

Question #: 70
Topic #: 12

[All SPLK-2003 Questions]

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

AUse the py-postgresq1 module to directly save the data in the Postgres database.

BCal the child playbooks getter function.

CCreate artifacts using one playbook and collect those artifacts in another playbook.

DUse the Handle method to pass data directly between playbooks.

Show Suggested Answer

Suggested Answer: C

The correct answer is C because creating artifacts using one playbook and collecting those artifacts in another playbook is a best practice for data sharing across playbooks. Artifacts are data objects that are associated with a container and can be used to store information such as IP addresses, URLs, file hashes, etc. Artifacts can be created using theadd artifactaction in any playbook block and can be collected using theget artifactsaction in thefilterblock. Artifacts can also be used to trigger active playbooks based on their label or type. SeeSplunk SOAR Documentationfor more details.

In the context of Splunk SOAR, one of the best practices for data sharing across playbooks is to create artifacts in one playbook and use another playbook to collect and utilize those artifacts. Artifacts in Splunk SOAR are structured data related to security incidents (containers) that playbooks can act upon. By creating artifacts in one playbook, you can effectively pass data and context to subsequent playbooks, allowing for modular, reusable, and interconnected playbook designs. This approach promotes efficiency, reduces redundancy, and enhances the playbook's ability to handle complex workflows.

by Louvenia at Aug 13, 2025, 05:38 AM

Limited Time Offer

25%

Off

Get Premium SPLK-2003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Celestine

2 months ago

Directly saving to the database? Not sure that's a good practice.

upvoted 0 times

...

Jerry

2 months ago

Using the getter function is a solid choice too, though!

upvoted 0 times

...

Merri

2 months ago

Wait, can you really use the Handle method like that? Sounds risky.

upvoted 0 times

...

Filiberto

3 months ago

Totally agree, artifacts make it easier to manage data.

upvoted 0 times

...

Lavonne

3 months ago

I think option C is the best way to go!

upvoted 0 times

...

Romana

3 months ago

Creating artifacts sounds familiar, and I think it allows for better organization of data across playbooks.

upvoted 0 times

...

Brett

3 months ago

I feel like calling the child playbooks getter function could work, but it seems a bit less modular than other options.

upvoted 0 times

...

Mitsue

4 months ago

I remember practicing a question about using the Handle method, but I can't recall if it was specifically for data sharing.

upvoted 0 times

...

Audry

4 months ago

I think using artifacts to share data between playbooks is a good approach, but I'm not entirely sure if that's the best practice here.

upvoted 0 times

...

Mireya

4 months ago

Ah, I see now. Option C is the way to go. Creating artifacts and sharing them is a best practice for data sharing across playbooks. I feel confident about this one.

upvoted 0 times

...

Hannah

4 months ago

I'm not sure about the "py-postgresq1" module - that doesn't sound quite right. I'll double-check the spelling and make sure I understand that option.

upvoted 0 times

...

Alline

4 months ago

I think option C looks like the best approach here. Creating artifacts and sharing them between playbooks seems like a clean and modular way to handle data sharing.

upvoted 0 times

...