There is a global search named `global_search` defined on a form as shown below:

Question

There is a global search named `global_search` defined on a form as shown below:
<search id=`global_search`>
<query>
index-_internal source-*splunkd.log | stats count by component, log_level
</query>
</search>
Which of the following would be a valid post-processing search? (Select all that apply.)

Accepted Answer

Correct answer: C, D. C. stats sum(count) AS count by log level — D. search log_level=error | stats sum(count) AS count by component — Options C and D are valid post-processing searches as they build on the results of the initial global search and aggregate the data further. Option A is not appropriate because it does not reference the previous search's results. Option B is also invalid because it lacks aggregation and does not provide meaningful post-processing of the data.

Splunk Enterprise Certified Admin — Question 5

Answer options

Correct answer: C, D

Explanation