Splunk Enterprise Certified Architect — Question 12

What is a recommended way to improve search performance?

Answer options

• A. Leverage the NOT expression to limit returned results.
• B. Filter as much as possible in the initial search.
• C. Use the shortest query possible.
• D. Use non-streaming commands as early as possible.

Correct answer: B

Explanation

The correct answer is B, as filtering early in the search process reduces the amount of data to process, leading to faster results. Option A may limit results but does not inherently improve performance. Option C may lead to missing relevant data, and option D can delay processing since non-streaming commands typically wait for all data before returning results.