Exam SPLK-3003
Question 27

A customer has written the following search:

How can the search be rewritten to maximize efficiency?

A.

B.

C.

D.

    Correct Answer:

    To maximize search efficiency in Splunk, it is crucial to filter the data as early as possible to reduce the amount of data being processed in subsequent commands. From the provided options, answer C is the correct choice. The command sequence in option C starts by filtering the data using the index, sourcetype, and customer before performing the lookup and stats operations. This ensures that only relevant data is processed, significantly enhancing efficiency. Additionally, option C arranges the commands in an optimized order by prioritizing the customer filter, applying the lookup, filtering by vip_status, aggregating data with stats, and finally displaying the required fields using the table command.
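The following is an added illustration of the filter-early ordering the explanation describes; it is constructed for this page and is not one of the exam's own options (those are not reproduced here). The index name `sales` comes from the discussion below; the sourcetype `transactions`, the lookup table `customer_info`, the customer value `acme` and the `vip_status` value `true` are assumed placeholders. Both pipelines return the same columns; only the position of the customer filter differs.

```spl
`comment("Inefficient ordering (constructed): every event in the index passes through lookup and stats before the customer filter is applied")`
index=sales sourcetype=transactions
| lookup customer_info customer OUTPUT vip_status
| stats count BY customer vip_status
| search customer="acme" vip_status="true"
| table customer vip_status count

`comment("Efficient ordering (constructed): narrow on index, sourcetype and customer in the base search, then lookup, filter on vip_status, aggregate, and display")`
index=sales sourcetype=transactions customer="acme"
| lookup customer_info customer OUTPUT vip_status
| where vip_status="true"
| stats count BY customer vip_status
| table customer vip_status count
```

In the second form the `index`, `sourcetype` and `customer` terms are part of the base search, so the indexers discard non-matching events before any results are returned to the search head, and the lookup and stats commands only see the customer's events. Note that `vip_status` must appear in the `stats ... BY` clause for the final `table` to show it; a stats command that omits it, as the discussion below points out, drops the field.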

Discussion
Redtonyeah

C is right, the filter always first.

hpbdcb

Must be C, while it will NOT result in the same table (missing vip_status field). It must be "customer=" in the main search to limit, and D won't work as vip_status is not in the stats command.

spl_bonn

C is correct.

SasnycoN

Correct answer is "D"

saraque

Nope, it's C. The stats command is not defining the vip_customer field. In that case you will not see results because the search command is looking for an inexistent field.

jbabbin

Wrong, forgot to put the index of sales in the question.

hpbdcb

You know about default searched indexes if no index is specified?