Splunk Core Certified User — Question 188
Which of the following is the appropriately formatted SPL search?
Answer options
- A. index=security sourcetype=linux_secure (invalid OR failed) | count as "Potential Issues"
- B. index=security sourcetype=linux_secure (invalid OR failed) | stats count as "Potential Issues"
- C. index=security sourcetype=linux_secure (invalid OR failed) | count stats as "Potential Issues"
- D. index=security sourcetype=linux_secure (invalid OR failed) | stats as "Potential Issues"
Correct answer: B
Explanation
Option B is correct because 'count' is an aggregation function of the 'stats' command, so it must follow 'stats' after the pipe: 'stats count as "Potential Issues"' counts the matching events and renames the resulting field. Option A uses 'count' on its own after the pipe, but 'count' is not a standalone command. Option C reverses the order ('count stats'), which is syntactically incorrect. Option D calls 'stats' without any aggregation function, so there is nothing to count or to rename with 'as'.