Splunk Core Certified User — Question 12

Which search would return events from the access_combined sourcetype?

Answer options

• A. Sourcetype=access_combined
• B. Sourcetype=Access_Combined
• C. sourcetype=Access_Combined
• D. SOURCETYPE=access_combined

Correct answer: C

Explanation

The correct answer is C because the search term must be case-sensitive, and 'sourcetype' must be in lowercase. Options A and D do not match the required case for 'sourcetype', while option B has 'Access_Combined' which is also incorrect due to incorrect casing.