To retrieve the last three Splunk events using a CLI query, the correct command is '!search using=splunk_instance_1 query="* | head 3"'. The 'head' command is used in Splunk to return the first number of specified results in a search, but when ordering results in descending order by time, it will effectively retrieve the most recent events.