Exam SPLK-1002
Question 39

What other syntax will produce exactly the same results as | chart count over vendor_action by user?

    Correct Answer: A

    The syntax '| chart count by vendor_action, user' will produce exactly the same results as '| chart count over vendor_action by user'. Both expressions generate a chart that counts events grouped by 'vendor_action' and then 'user'. When two fields follow 'by', they are applied in sequence: the first is the row-split field and the second is the column-split field, which is the same grouping that 'over vendor_action by user' specifies.

Discussion
kbisht Option: A

A is the correct answer

sid2051 Option: A

A is the correct answer; it will produce exactly the same chart

allansid Option: A

answer A

emlch Option: A

Equivalent expressions:
by <field>, <field2>
over <field> by <field2>

BengieQuesada Option: A

A is correct, reference F2 page 52

robotn1k Option: A

A is the correct answer. Chart syntax is: over = [row-split], by = [column-split]. By default, the first field name after the chart command is the [row-split] and the second is [column-split], so B would be the same as the example in the question. https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Chart

Harrysa Option: A

A is correct, "over" is used for time-based aggregation, while "by" is used for field-based aggregation.

nupacniyiveli Option: A

A is correct

Lalithadevi Option: A

A is correct

oksey Option: B

I think B is correct

Sartarus

B it's not possible