Splunk Observability Cloud Certified Metrics User — Question 24

Which of the following is a correct Splunk search that will return results in the most performant way?

Answer options

• A. index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host
• B. | stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host
• C. index=foo host=i-478619733 | transaction src_ip |stats count by host
• D. index=foo | transaction src_ip |stats count by host | search host=i-478619733

Correct answer: A

Explanation

Option A is the most performant because it filters by index and host first, reducing the data set before performing calculations. The other options either do not filter the data as efficiently or use the 'transaction' command, which is more resource-intensive and can slow down the search process.