SPLK-5001 Question #92: Real Exam Question with Answer & Explanation
The correct answer is D: | tstats 'summariesonly' sum(All_Risk.calculated_risk_score) as
Question
Which SPL syntax would be used to perform statistical queries on indexed fields to calculate the cumulative total risk by the system or user in the most efficient way?
Options
- A. | from datamodel:"Risk"."All Risk" | table risk_score risk_object
- B. index=risk |stats sum(risk_score) as risk_score count by risk_object
- C. index=* |stats sum(risk_score) as risk_score count by risk_object
- D. | tstats 'summariesonly' sum(All_Risk.calculated_risk_score) as
Explanation
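Using tstats with the summariesonly flag against the Risk data model leverages Splunk's accelerated data model summaries to compute the cumulative risk score by object entirely from tsidx summaries, making it far more efficient than raw-event searches. Options B and C run stats over raw events (C across every index), and option A only tabulates risk_score and risk_object without summing anything.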