Splunk Core Certified Power User — Question 148

What are the expected search results from executing the following SPL command?

index=network NOT StatusCode=200

Answer options

• A. No results as the syntax is incorrect, the != field expression needs to be used instead of the NOT operator.
• B. Every event in the network index that does not contain a StatusCode of 200 and excluding events that do not have a value in this field.
• C. Every event in the network index that does not contain a StatusCode of 200, including events that do not have a value in this field.
• D. Every event in the network index that does not have a value in this field.

Correct answer: C

Explanation

The correct answer is C because the command retrieves events that do not have a StatusCode of 200, and this includes events where StatusCode is absent. Option A is incorrect due to a misunderstanding of SPL syntax, while option B fails to account for events missing a StatusCode, and option D does not consider events with a StatusCode other than 200.