There is a global search named `global_search` defined on a form as shown below:
`index=_internal source=*splunkd.log | stats count by component, log_level`
Which of the following would be a valid post-processing search? (Select all that apply.)
A valid post-processing search in Splunk takes the result of the initial search and refines it further or calculates additional statistics. The command `| tstats count` (option A) is not valid as a post-processing search because the `tstats` command cannot be used following a `stats` command. The command `sourcetype=mysourcetype` (option B) is also not valid because it does not refine or perform any additional calculations on the results of the initial search. The commands `stats sum(count) AS count by log level` (option C) and `search log_level=error | stats sum(count) AS count by component` (option D) are appropriate because they both refine the initial search results and perform further statistical calculations.
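The form wiring the question describes, as an added example that is not part of the original page: a Simple XML form whose base search carries `id="global_search"`, with one panel that post-processes it through `base="global_search"` using the search from option D. The label, panel title and the `time_tok` token are assumed names.

```xml
<form version="1.1">
  <label>splunkd component errors</label>

  <!-- Base (global) search: runs once; only its result columns
       (component, log_level, count) are passed to post-process searches. -->
  <search id="global_search">
    <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>

  <fieldset submitButton="false">
    <!-- time_tok is an assumed token name -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Errors by component</title>
      <table>
        <!-- Post-process search: starts from the base results, so it filters on
             log_level and re-aggregates the existing count column. -->
        <search base="global_search">
          <query>search log_level=error | stats sum(count) AS count by component</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```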
Only D is the correct answer. Letter C does not have an underscore in the log level field.
This is the way
It's CD.
Answer is ACD. Tstats is also a valid function.
Sorry, answer CD is right. The tstats command can't be used after the stats command.