Splunk Core Certified Power User — Question 139

Which of the following searches can be used to define an event type?

Answer options

• A. index=games sourcetype=score player=* score>9999
• B. index=games sourcetype=score [search index=players | fields player_id]
• C. index=games sourcetype=score | where score>9999
• D. index-games sourcetype-score | stats count by player

Correct answer: A

Explanation

Option A is the correct answer because it effectively filters events based on the player and score criteria, which can define an event type. Option B is incorrect as it uses a subsearch which does not directly define an event type. Option C is also incorrect as the use of 'where' does not meet the requirement for defining an event type as specified. Option D is invalid due to incorrect syntax with hyphens instead of equal signs.