Splunk Core Certified User — Question 203

NOT status = 100:

Answer options

• A. Will display result depending on the data.
• B. Will return event where status field exist but value of that field is not 100.
• C. Will return event where status field exist but value of that field is not 100 and all events where status field doesn't exist.

Correct answer: C

Explanation

The correct answer, C, accurately describes that the query will return events where the status is not 100 and also includes events that lack the status field entirely. Option A is incorrect as it doesn't specify the conditions of the status field. Option B is partially correct but fails to mention events without the status field.