Splunk Observability Cloud Certified Metrics User — Question 50
After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.
What SPL could they use to find all relevant events across either field until the field extraction is fixed?
Answer options
- A. | eval src = coalesce(src,machine_name)
- B. | eval src = src + machine_name
- C. | eval src = src . machine_name
- D. | eval src = tostring(machine_name)
Correct answer: A
Explanation
The correct answer is A because the coalesce function will return the first non-null value from the specified fields, effectively allowing the analyst to retrieve data from either src or machine_name. The other options do not achieve the same result: B adds the values, C concatenates them, and D converts machine_name to a string without addressing the issue of the empty src field.