Splunk Observability Cloud Certified Metrics User — Question 41
An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?
Answer options
- A. index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts
- B. index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts
- C. index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts
- D. index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip | sort -failed_attempts
Correct answer: C
Explanation
The correct answer is C because the 'stats' command is designed to generate aggregate statistics, such as counts, grouped by a specified field (in this case, src_ip); 'count as failed_attempts by src_ip' produces one row per source IP with its number of failed-login events, which 'sort -failed_attempts' then orders from highest to lowest. Options A and B incorrectly use 'eval' and 'transaction': 'eval' computes a new field for each individual event and 'transaction' groups related events into a single event, so neither produces a per-IP count of failed attempts. Option D uses 'sum', which is not appropriate in this context for counting distinct events.