A report named "Linux logins" populates a summary index with the search string sourcetype=linux secure | sitop src ip user. Which of the following correctly searches against the summary index for this data?
A report named "Linux logins" populates a summary index with the search string sourcetype=linux secure | sitop src ip user. Which of the following correctly searches against the summary index for this data?
The correct approach to search the summary index for the data is to use the name of the report that populates it. The search should therefore include the report name, which is 'Linux logins', and use the 'top' command as indicated in the original search string. The correct syntax that includes these elements is 'index=summary search name='Linux logins' | top src ip user', as this filters correctly on the specified summary index and search criteria.
Please ignore my previous comment, It is B. It also states it needs to be filtered by the top IP user.
B is the correct answer. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sitop
It is C. I have verified it by myself.
Correct answer is C. The name of the report should be the value for the field search_name. See Splunk Fundamentals 3 slide 220.
the same slide deck you mention shows the answer at page 225. if you're using | sitop to create an summary you would search | top