How is a multivalue field treated from product="a, b, c, d"?
Options:
A.
... | makemv delim{product, ","}
B.
... | eval mvexpand{makemv{product, ","}}
C.
... | mvexpand product
D.
... | makemv delim="," product
Answer:
D
Explanation:
The makemv command with delim="," splits a field such as product="a, b, c, d" into separate values of a multivalue field, making it easier to manipulate each value individually.
Question 21
Which of these generates a summary index containing a count of events by productId?
Options:
A.
| stats count by productId
B.
| stats sum (productId)
C.
| sistats count by productId
D.
sistats summary_index by productId
Answer:
A
Explanation:
The stats count by productId command counts the number of events for each unique productId, making it the correct command for generating a summary index based on event counts.