Splunk Core Certified Power User — Question 80

Consider the following search run over a time range of last 7 days:

index=web sourcetype=access_combined | timechart avg(bytes) by product_name

Which option is used to change the default time span so that results are grouped into 12 hour intervals?

Answer options

• A. timespan=12
• B. span=12h
• C. timespan=12h
• D. span=12

Correct answer: B

Explanation

The correct answer is B, as 'span=12h' is the appropriate syntax in timechart commands to specify a time interval of 12 hours. Options A and C incorrectly use 'timespan', which is not a valid parameter for this context, while option D does not specify the unit of time, making it invalid.