Splunk Core Certified User — Question 186

What is the result of the following search?
index=myindex source=c:\mydata.txt NOT error=*

Answer options

• A. Only data where the value of the field error does not equal an asterisk (*) will be displayed.
• B. Only data that does not contain the error field will be displayed.
• C. Only data with a value in the field error will be displayed.
• D. Only data where the error field is present and does not contain a value will be displayed.

Correct answer: B

Explanation

The correct answer is B because the search command specifies 'NOT error=*', which means it will exclude any entries that have the error field populated. The other options incorrectly interpret the logic of the search, either including data that should be excluded or misrepresenting the conditions of the error field.