SPLK-1002 Question #71: Real Exam Question with Answer & Explanation

The correct answer is A: index=web status=50* | chart count over host, status. This search string is not valid: index=web status=50* | chart count over host,status. This search string uses an invalid syntax for the chart command. The chart command requires one field after the over clause and optionally one field after the by clause. However, this search str

Using Transforming Commands for Visualizations

Question

Which of these search strings is NOT valid:

Options

Aindex=web status=50* | chart count over host, status
Bindex=web status=50* | chart count over host by status
Cindex=web status=50* | chart count by host, status

Explanation

This search string is not valid: index=web status=50* | chart count over host,status. This search string uses an invalid syntax for the chart command. The chart command requires one field after the over clause and optionally one field after the by clause. However, this search string has two fields after the over clause separated by a comma. This will cause a syntax error and prevent the search from running. Therefore, option A is correct, while options B and C are incorrect because they are valid search strings that use the chart command correctly.

Topics

#chart command#transforming commands#SPL syntax

Community Discussion

No community discussion yet for this question.

Full SPLK-1002 Practice Browse All SPLK-1002 Questions