Splunk Infrastructure Overview — Question 11
A report named "Linux logins" populates a summary index with the search string sourcetype=linux secure | sitop src_ip user. Which of the following correctly searches against the summary index for this data?
Answer options
- A. index=summary sourcetype="linux_secure" | top src_ip user
- B. index=summary search name="Linux logins" | top src_ip user
- C. index=summary search_name="Linux logins" | stats count by src_ip user
- D. index=summary sourcetype="linux secure" | stats count by src_ip user
Correct answer: D
Explanation
Option D is correct because it queries the summary index with the sourcetype 'linux secure' and applies the stats command to count occurrences by src_ip and user. Option A incorrectly uses an underscore in the sourcetype, while Options B and C do not use the correct syntax for searching the summary index and do not match the original report name correctly.