Splunk Enterprise Certified Admin — Question 26

A dashboard is taking too long to load. Several searches start with the same SPL. How can the searches be optimized in this dashboard? (Select all that apply.)

Answer options

• A. Convert searches to include NOT expressions.
• B. Restrict the time range of the search as much as possible.
• C. Replace | stats command with | transaction command wherever possible.
• D. Convert the common SPL into a Global Search and convert the other searches to post-processing searches.

Correct answer: C, D

Explanation

The correct answers, C and D, suggest effective methods for optimizing searches by reducing processing overhead. Replacing | stats with | transaction can lead to more efficient aggregation of events, while using a Global Search allows reuse of common SPL, thus minimizing redundant processing. Options A and B do not directly address the optimization of the common SPL and could potentially complicate searches without guaranteeing performance improvements.