Splunk Exam SPLK-2003 Topic 7 Question 67 Discussion

Actual exam question for Splunk's SPLK-2003 exam

Question #: 67
Topic #: 7

[All SPLK-2003 Questions]

A new project requires event data from SOAR to be sent to an external system via REST. All events with the label notable that are in new status should be sent. Which of the following REST Django expressions will select the correct events?

AOption A

BOption B

COption C

DOption D

Show Suggested Answer

Suggested Answer: C

The correct REST Django expression to retrieve events with the label 'notable' that are in the 'new' status is using the container endpoint, as containers are used to store events and associated data in Splunk SOAR. The expression correctly filters the events by label (_filter_label='notable') and status (_filter_status='new'), ensuring only notable events that are still in the 'new' status are selected.

A and D reference the wrong endpoints (event and notable respectively), which do not align with the container-based model used in Splunk SOAR for storing and filtering events.

B is incorrect due to the use of _filter_name instead of _filter_label, which is not a valid filter in this context.

Splunk SOAR Documentation: REST API Endpoints.

Splunk SOAR Developer Guide: Using Django REST for Filtering.

by Elizabeth at Jul 07, 2025, 06:05 PM

Limited Time Offer

25%

11 days ago

I think the correct REST Django expression is Option A.

upvoted 0 times

...