Palo Alto Networks System Engineer – Cortex — Question 39

Which command-line interface (CLI) query would retrieve the last three Splunk events?

Answer options

• A. !search using=splunk_instance_1 query="* | last 3"
• B. !search using=splunk_instance_1 query="* | 3"
• C. !query using=splunk_instance_1 query="* | last 3"
• D. !search using=splunk_instance_1 query="* | head 3"

Correct answer: D

Explanation

The correct answer is D, as the 'head' command retrieves the first n events, which in this case is the last three events from the dataset. Option A incorrectly uses 'last' which is not a valid function in this context, while option B is invalid syntax, and option C uses 'query' instead of 'search', making it incorrect.