Splunk Core Certified User — Question 38

Will the following queries return the same result?
1. index=log sourcetype=error_log status !=100
2. index=log sourcetype=error_log NOT status =100

Answer options

Correct answer: B

Explanation

The correct answer is B. The first query returns only events that have a status field whose value is not 100. The second query uses the NOT operator, which excludes events where status is 100 but also returns events that have no status field at all. Therefore, the results of the two queries are not guaranteed to be the same.