Splunk Observability Cloud Certified Metrics User — Question 40
When threat hunting for outliers in Splunk, which of the following SPL pipelines would filter for users with over a thousand occurrences?
Answer options
- A. | sort by user | where count > 1000
- B. | stats count by user | where count > 1000 | sort - count
- C. | top user
- D. | stats count(user) | sort - count | where count > 1000
Correct answer: B
Explanation
Option B is correct: 'stats count by user' counts occurrences per user, 'where count > 1000' keeps only users whose count exceeds 1000, and 'sort - count' orders the remaining results by count in descending order. Option A incorrectly attempts to filter before counting, so it would not yield the desired results. Option C does not apply a count threshold and simply lists the top users. Option D filters after sorting, which is not as efficient as option B.