Splunk Infrastructure Overview — Question 2

What qualifies a report for acceleration?

Answer options

• A. Fewer than 100k events in search results, with transforming commands used in the search string.
• B. More than 100k events in search results, with only a search command in the search string.
• C. More than 100k events in the search results, with a search and transforming command used in the search string.
• D. Fewer than 100k events in search results, with only a search and transaction command used in the search string.

Correct answer: C

Explanation

Option C is correct because a report qualifies for acceleration when it contains more than 100k events and includes both a search and transforming command. Options A and D are incorrect due to having fewer than 100k events, which disqualifies them. Option B is also wrong as it includes only a search command, lacking the necessary transforming command.