Splunk Observability Cloud Certified Metrics User — Question 8

An analyst is looking for known C2 communication in a few billion NetFlow records, using a query similar to the following:

index=network sourcetype=netflow src_ip=149.151.100.4 src_port=908 protocol=ip

This query works, but due to the sheer size of the index, it is very slow. Which of the following SPL commands might the analyst use when rewriting their SPL to speed up the search?

Answer options

A. table
B. tstats
C. accelerate
D. lookup

Correct answer: B

Explanation

The correct answer is B. tstats is a generating command (it must start the search with a leading pipe) that answers statistical questions directly from the index-time data in the tsidx files, or from accelerated data model summaries, instead of retrieving and parsing every raw event. Over a few billion NetFlow records that is the difference between a search that scans the whole index and one that only reads the term index, which is why tstats is the standard rewrite for slow searches that only need counts, time ranges, or field combinations.

The caveat a practitioner needs: tstats can only filter and group on fields that exist at index time (index, sourcetype, source, host, _time, and any fields extracted at index time). If src_ip and src_port are search-time extractions from the NetFlow events, a direct tstats search on them will simply return no results rather than an error. In that case the query has to go through an accelerated data model that contains those fields (for NetFlow, typically the CIM Network_Traffic model), or the fields have to be made indexed fields.

The other options do not address the cost of the search. 'table' is a formatting command that runs after the events have already been retrieved, so it changes the output, not the work done. 'accelerate' is not an SPL search command at all; acceleration of reports and data models is configured in Splunk, not invoked inside a search. 'lookup' enriches events with data from an external table and, if anything, adds work to each event.
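The two ways the search can be rewritten with tstats, as an added example (not part of the exam question and not Splunk's own documentation). The first search assumes src_ip, src_port, dest_ip and dest_port are indexed fields in index=network; the second assumes the CIM Network_Traffic data model is installed and accelerated over that index. The field names dest_ip and dest_port, and the first_seen/last_seen aliases, are assumptions for illustration; the IP and port come from the question.

```spl
| tstats count min(_time) AS first_seen max(_time) AS last_seen
    WHERE index=network sourcetype=netflow src_ip=149.151.100.4 src_port=908
    BY dest_ip dest_port
| convert ctime(first_seen) ctime(last_seen)
| sort - count

| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    FROM datamodel=Network_Traffic
    WHERE sourcetype=netflow All_Traffic.src_ip=149.151.100.4 All_Traffic.src_port=908
    BY All_Traffic.dest_ip All_Traffic.dest_port
| rename All_Traffic.* AS *
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Before trusting either search, run a sanity check such as `| tstats count WHERE index=network sourcetype=netflow BY src_ip` over a short time range: if src_ip is not indexed, the first search returns an empty result set with no warning. summariesonly=true in the second search keeps tstats on the accelerated summaries only; if acceleration has not yet covered the full time range, drop that option (at the cost of falling back to a slower search over the unsummarized events) or narrow the time range.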