Splunk Core Certified Power User — Question 170

Which of the following can be saved as an event type?

Answer options

• A. index=server_497 sourcetype=BETA_446 code=682 | stats count by code
• B. index=server_497 sourcetype=BETA_446 code=682 [|inputlookup append=t server code.csv)
• C. index=server_497 sourcetype=BETA_446 code=682
• D. index=server_497 sourcetype=BETA_446 code=682 | stats where code > 200

Correct answer: C

Explanation

Option C is correct because it is a straightforward search query that defines the event type without any additional commands or aggregation. Options A and D include statistical functions that do not represent a single event type, while option B incorrectly tries to append a lookup table, which is not a valid way to define an event type.