Exam SPLK-1001 All QuestionsBrowse all questions from this exam
Go to Exam
Question 166

Will the queries following below get the same result?

1. index=log sourcetype=error_log status !=100

2. index=log sourcetype=error_log NOT status =100

    Correct Answer: B

    No, the queries will not get the same result. The != operator filters out events where the specified field equals the given value, only if the field exists in the event. Conversely, the NOT operator excludes events that either do not contain the field or where the field equals the given value. This means that the second query will exclude more events, covering cases where the status field might not be present at all.

Discussion
reyangeloOption: B

Answer is No. I can run a query to search httpCode!=200 and get no results (most likely 200's which is good). I rerun as NOT httpCode=200 and get a couple events rendering no httpCode but instead a loglevel. Odd but think it is the reason help view any events which are not registering a particular field. Again, just a thought on reason this should be "No".

LeandroJOption: A

Hello I'm Leandro from Argentina, i think the answer could be YES! • Does != and NOT ever yield the same results? – Yes, if you know the field you’re evaluating always exists in the data you’re searching – For example:  index=web sourcetype=access_combined status!=200  index=web sourcetype=access_combined NOT status=200 yields same results because status field always exists in access_combined sourcetype

gcalcaterra

Yes, the question should be if always it will bring the same set of results...

NanilaOption: A

They will give the same results. != (Means not equal to)

celticspike

While != does mean not equal to, the answer here is NO. error_log status !=100 will return events that have the field error_log status but exclude events where the field value is 100. on the other hand error_log NOT status =100 would potentially return events that do mention error_log but not error_log status

ja5656Option: B

B is correct.Query No.2 also returns events that do not include the status field.

TeeCeePOption: A

If we know for sure the error_log has the status field, then YES. If we do not know, then NO. We need for data for this question.