Splunk Core Certified User — Question 22

Which search will return the 15 least common field values for the dest_ip field?

Answer options

• A. sourcetype=firewall | rare num=15 dest_ip
• B. sourcetype=firewall | rare last=15 dest_ip
• C. sourcetype=firewall | rare count=15 dest_ip
• D. sourcetype=firewall | rare limit=15 dest_ip

Correct answer: D

Explanation

The correct answer is D because the 'limit' parameter specifies how many of the least common values to return. Options A, B, and C incorrectly use 'num', 'last', and 'count' respectively, which are not valid parameters for the 'rare' command in this context.