Splunk Enterprise Security Certified Analyst — Question 70

Which of the following is the most efficient search?

Answer options

• A. index=www status=200 uri=/cart/checkout | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id
• B. (index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id
• C. index=www | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id
• D. (index=www) OR (index=sales) | search (index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum (revenue) as total_revenue by session_id | table total_revenue session_id

Correct answer: B

Explanation

Option B is the most efficient because it combines the searches for both indexes directly within the stats command, reducing the overall amount of data processed. The other options either use append, which is less efficient, or include unnecessary searches that complicate the query and could lead to performance issues.