Splunk Certified Developer Flashcards

1
Q

Suppose the following query in a Simple XML dashboard returns a table including hyperlinks:

index=news sourcetype=web_proxy | table sourcetype title link

Which of the following is a valid dynamic drilldown element to allow a user of the dashboard to visit the hyperlinks contained in the link field?

A. $row.link$

B. $$row.link$$

C. $row.link|n$

D. http://localhost:8000/debug/refresh

A

C. $row.link|n$

2
Q

When updating a knowledge object via REST, which of the following are valid values for the sharing Access Control List property?

A. App

B. User

C. Global

D. Nobody

A

A. App

B. User

C. Global

The sharing property of a knowledge object's access control list takes one of three values: user, app, or global. "nobody" is an owner value used in the namespace, not a sharing level.

3
Q

Which of the following are ways to get a list of search jobs? (Select all that apply.)

A. Access Activity > Jobs with Splunk Web.

B. Use Splunk REST to query the /services/search/jobs endpoint.

C. Use Splunk REST to query the /services/saved/searches endpoint.

D. Use Splunk REST to query the /services/search/sid/results endpoint.

A

A. Access Activity > Jobs with Splunk Web.

B. Use Splunk REST to query the /services/search/jobs endpoint.

4
Q

Which of the following are benefits from using Simple XML Extensions? (Select all that apply.)

A. Add custom layouts.

B. Add custom graphics.

C. Add custom behaviors.

D. Limit Splunk license consumption based on host.

A

A. Add custom layouts.

B. Add custom graphics.

C. Add custom behaviors.

5
Q

How can indexer acknowledgement be enabled for HTTP Event Collector (HEC)? (Select all that apply.)

A. No need to do anything, it is turned on by default.

B. When a REST request is sent to create a token, the property for indexer acknowledgement must be set to 1.

C. When a new HEC token is created in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".

D. When the Global Settings for HEC are updated in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".

A

——> C is specified in the manual

B. When a REST request is sent to create a token, the property for indexer acknowledgement must be set to 1.

C. When a new HEC token is created in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".

Indexer acknowledgement is a per-token setting (useACK = 1 in the token's inputs.conf stanza, or useACK=1 on the data/inputs/http REST request that creates the token); the HEC Global Settings dialog has no such checkbox.

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/UsetheHTTPEventCollector

6
Q

After updating a dashboard in myApp, a Splunk admin moves myApp to a different Splunk instance. After logging in to the new instance, the dashboard is not seen. What could have happened? (Select all that apply.)

A. The dashboard's permissions were set to private.

B. User role permissions are different on the new instance.

C. The admin deleted the myApp/local directory before packaging.

D. Changes were placed in: $SPLUNK_HOME/etc/apps/search/default/data/ui/nav

A

A. The dashboard's permissions were set to private.

B. User role permissions are different on the new instance.

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Viz/DashboardPermissions

7
Q

Which of the following statements define a namespace?

A. The namespace is a combination of the user and the app.

B. The namespace is a combination of the user, the app, and the role.

C. The namespace is a combination of the user, the app, the role, and the sharing level.

D. The namespace is a combination of the user, the app, the role, the sharing level, and the permissions.

A

A. The namespace is a combination of the user and the app.

Research!!!

8
Q

Which of the following are characteristics of an add-on? (Select all that apply.)

A. Requires navigation file.

B. Occupies a unique namespace within Splunk.

C. Can depend on add-ons for correct operation.

D. Contains technology or components not intended for reuse by other apps.

A

C. Can depend on add-ons for correct operation.

Research!!!!

9
Q

Which of the following statements describe oneshot searches? (Select all that apply.)

A. Are always executed asynchronously.

B. Can specify csv as an output format.

C. Stream all results upon search
completion.

D. Can use auto_cancel to set a timeout limit.

A

B. Can specify csv as an output format.
C. Stream all results upon search completion.

10
Q

Which of the following options would be the best way to identify processor bottlenecks of a search?

A. Using the REST API.

B. Using the search job inspector.

C. Using the Splunk Monitoring Console.

D. Searching the Splunk logs using index="_internal".

A

C. Using the Splunk Monitoring Console.

https://www.splunk.com/pdfs/technical-briefs/disk-diagnosis-digging-deep-with-monitoring-console-and-more.pdf

11
Q

Which of the following is true of a namespace?

A. The namespace is a type of token filter.

B. The namespace includes an app attribute which cannot be a wildcard.

C. The namespace filters the knowledge objects returned by the REST API.

D. The namespace does not filter knowledge objects returned by the REST API.

A

D. The namespace does not filter knowledge objects returned by the REST API.

12
Q

What must be done when calling a servicesNS endpoint?

A. Authenticate with an admin user.

B. Specify the user and app context in the URI.

C. Authenticate with the user of the required context.

D. Pass the user and app context in the request payload.

A

B. Specify the user and app context in the URI.

https://docs.splunk.com/Documentation/Splunk/8.1.2/RESTUM/RESTusing

13
Q

Assuming permissions are set appropriately, which REST endpoint path can be used by someone with a power user role to access information about mySearch, a saved search owned by someone with a user role?

A. /servicesNS/-/data/saved/searches/mySearch

B. /servicesNS/object/saved/searches/mySearch

C. /servicesNS/search/saved/searches/mySearch

D. /servicesNS/-/search/saved/searches/mySearch

A

D. /servicesNS/-/search/saved/searches/mySearch

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/RESTUM/RESTusing

Research!!!!

14
Q

Using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in which directory?

A. $SPLUNK_HOME/etc/apps/myApp/local

B. $SPLUNK_HOME/etc/system/default/

C. $SPLUNK_HOME/etc/system/local

D. $SPLUNK_HOME/etc/apps/myApp/default

A

A. $SPLUNK_HOME/etc/apps/myApp/local

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Howtoeditaconfigurationfile

15
Q

What application security best practices should be adhered to while developing an app for Splunk? (Select all that apply.)

A. Review the OWASP Top Ten List.

B. Store passwords in clear text in .conf files.

C. Review the OWASP Secure Coding Practices Quick Reference Guide.

D. Ensure that third-party libraries that the app depends on have no outstanding CVE vulnerabilities.

A

A. Review the OWASP Top Ten List.

C. Review the OWASP Secure Coding Practices Quick Reference Guide.

D. Ensure that third-party libraries that the app depends on have no outstanding CVE vulnerabilities.

16
Q

There is a global search named global_search defined on a form as shown below:

index=_internal source=*splunkd.log | stats count by component, log_level

Which of the following would be a valid post-processing search? (Select all that apply.)

A. | tstats count

B. sourcetype=mysourcetype

C. stats sum(count) AS count by log_level

D. search log_level=error | stats sum(count) AS count by component

A

C. stats sum(count) AS count by log_level

D. search log_level=error | stats sum(count) AS count by component

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Viz/Savedsearches

17
Q

In order to successfully accelerate a report, which criteria must the search meet? (Select all that apply.)

A. Cannot use event sampling.

B. Use a transforming command.

C. Use a standard Splunk visualization.

D. Commands before the first transforming command must be streamable.

A

A. Cannot use event sampling.

B. Use a transforming command.

D. Commands before the first transforming command must be streamable.

Reference:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/Manageacceleratedsearchsummaries

Correct 100%

18
Q

Which statements are true regarding HEC (HTTP Event Collector) tokens? (Select all that apply.)

A. Multiple tokens can be created for use with different sourcetypes and indexes.

B. The edit token http admin role capability is required to create a token.

C. To create a token, send a POST request to services/collector endpoint.

D. Tokens can be edited using the data/inputs/http/{tokenName} endpoint.

A

A. Multiple tokens can be created for use with different sourcetypes and indexes.

D. Tokens can be edited using the data/inputs/http/{tokenName} endpoint.

Seems right.

19
Q

Which type of command is tstats?

A. Generating

B. Transforming

C. Centralized streaming

D. Distributable streaming

A

A. Generating

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Commandsbytype#Transforming_commands

20
Q

Which of the following is an example of a Splunk KV store use case? (Select all that apply.)

A. Stores checkpoint data for modular inputs.

B. Tracks workflow in an incident-review system.

C. Indexes metrics data from remote HTTP sources.

D. Stores application state as a user interacts with an app.

A

A. Stores checkpoint data for modular inputs.

B. Tracks workflow in an incident-review system.

D. Stores application state as a user interacts with an app.

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/

100% correct

21
Q

How can hiding or showing a panel by clicking on a chart or a table on the same form be performed?

A. By using event drilldown.

B. By using workflow action.

C. By using contextual drilldown.

D. By using visualization drilldown.

A

D. By using visualization drilldown.

22
Q

Given the following two files defining app navigation, which navigation options will be displayed to the end user? (Select all that apply.)
$SPLUNK_HOME/etc/apps/app_name/default/data/ui/nav/default.xml

$SPLUNK_HOME/etc/apps/app_name/local/data/ui/nav/default.xml

A. Search

B. Reports

C. Datasets

D. Dashboards

A

A. Search

C. Datasets

D. Dashboards

23
Q

Which of the following is an example of a valid syntax for specifying an absolute time range modifier in a search?

A. earliest=01/01/2019:00:00:00

B. earliest=01/01/2019T00:00:00

C. earliest=2019-01-01 00:00:00

D. earliest=2019-01-01T00:00:00

A

A. earliest=01/01/2019:00:00:00

https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/Specifytimemodifiersinyoursearch

24
Q

Which of the following are true of auto-refresh for dashboard panels? (Select all that apply.)

A. Applies to inline searches and saved searches.

B. Enabling auto-refresh for a report requires editing XML.

C. Post-processing searches are refreshed when their base searches are refreshed.

D. Each post-processing search using the same base search can have a different refresh time.

A

A. Applies to inline searches and saved searches.

B. Enabling auto-refresh for a report requires editing XML.

D. Each post-processing search using the same base search can have a different refresh time.

25
Q

When added to an app’s default.meta file, which of the following makes one of its views available to other apps?

A. export = app

B. export = none

C. export = view

D. export = system

A

D. export = system

https://dev.splunk.com/enterprise/tutorials/module_getstarted/setpermissions/

26
Q

When output_mode is not used, which element of a feed is a human readable name for a returned entry?

A. Author

B. Title

C. Link

D. Id

A

B. Title

https://docs.splunk.com/Documentation/Splunk/8.1.2/RESTUM/RESTusing

27
Q

Which Splunk REST endpoint is used to create a KV store collection?

A. /storage/collections

B. /storage/kvstore/create

C. /storage/collections/config

D. /storage/kvstore/collections

A

C. /storage/collections/config

A new collection is created by sending a POST request with the collection name to the /storage/collections/config endpoint.

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usetherestapitomanagekv/

28
Q

A KV store collection can be associated with a namespace for which of the following users?

A. Nobody

B. Users in the admin role.

C. Users in the admin and power roles.

D. Users in the admin, power, and splunk-system-user roles.

A

A. Nobody

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usetherestapitomanagekv/

29
Q

Which of the following are types of event handlers? (Select all that apply.)

A. Search

B. Set token

C. Form input

D. Visualization

A

A. Search

C. Form input

D. Visualization

30
Q

Which of the following describes a Splunk custom visualization?

A. A visualization with custom colors.

B. Any visualization available in Splunk.

C. A visualization in Splunk modified by the user.

D. A visualization that uses the Splunk Custom Visualization API.

A

D. A visualization that uses the Splunk Custom Visualization API.

31
Q

Searching index=_internal metrics | head 3 from Splunk Web returned the following events:

04-12-2018 18:39:43.514 +0200 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=0.9651774014563425, instantaneous_eps=5.645638802094809, average_kbps=1.198995639527069, total_k_processed=2676, kb=29.91796875, ev=175, load_average=3.85888671875
04-12-2018 18:39:43.514 +0200 INFO Metrics - group=thruput, name=syslog_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0
04-12-2018 18:39:43.513 +0200 INFO Metrics - group=thruput, name=index_thruput, instantaneous_kbps=0.9651773703189551, instantaneous_eps=4.87137960922438, average_kbps=1.1985932324065556, total_k_processed=2675, kb=29.91796875, ev=151

When the same search is run through a REST API call, which fields will be returned? (Select all that apply.)

A. _raw

B. name

C. sourcetype

D. instantaneous_kbps

A

A. _raw

C. sourcetype

32
Q

Which of the following are reserved field names in a KV Store? (Select all that apply.)

A. _key

B. _time

C. _user

D. _source

A

A. _key

C. _user

33
Q

Which of the following endpoints is used to authenticate with the Splunk REST API?

A. /services/auth/login

B. /services/session/login

C. /services/auth/session/login

D. /servicesNS/authentication/login

A

A. /services/auth/login

34
Q

Which of these URLs could be used to construct a REST request to search the employee KV store collection to find records with a rating greater than or equal to 2 and less than 5?

A. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={$and:[{rating:{$gte:2}}, {rating:{$lt:5}}]}&output_mode-json'

B. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={$and:[{rating:$gte:2}}, {rating:{$lt:5}}]}&output_mode=json'

C. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22rating%22:{%22$gte%22:2}},{%22$and%22},{%22rating%22:{%22$lt%22:5}}}&output_mode=json'

D. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{%22$lt%22:5}}]}&output_mode=json'

A

D. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{%22$lt%22:5}}]}&output_mode=json'

*guessing

D is the only option whose query is a well-formed JSON document (keys and $ operators in double quotes, the $and array containing both range conditions) with the quotes URL-encoded as %22 and output_mode=json spelled correctly.

35
Q

Which of the following log files contains logs that are most relevant to Splunk Web?

A. audit.log

B. metrics.log

C. splunkd.log

D. web_service.log

A

D. web_service.log

36
Q

Which of the following are requirements for arguments sent to the data/indexes endpoint? (Select all that apply.)

A. Be url-encoded.

B. Specify the datatype.

C. Include the bucket path.

D. Include the name argument.

A

D. Include the name argument.

37
Q

Which of the following are valid request arguments for the REST search endpoints? (Select all that apply.)

A. latest_time=rt

B. latest_time=now

C. earliest_time=-5h@h

D. earliest_time=rt_10m@m

A

B. latest_time=now

C. earliest_time=-5h@h

38
Q

Consider the following Python code snippet used in a Splunk add-on:

if not os.path.exists(full_path):
    self.doAction(full_path, header)
else:
    f = open(full_path)
    oldORnew = f.readline().split(',')
    f.close()

An attacker could create a denial of service by causing an error in either the open() or readline() commands. What type of vulnerability is this?

A. CWE-693: Protection Mechanism Failure

B. CWE-562: Return of Stack Variable Address

C. CWE-404: Improper Resource Shutdown or Release

D. CWE-636: Not Failing Securely ('Failing Open')

A

C. CWE-404: Improper Resource Shutdown or Release
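Added example, not code from the flashcards or from any Splunk add-on: the card's read pattern in its leaky form next to a hardened form, with a small harness that shows which one releases the file handle when readline() raises. The encoding is pinned to UTF-8 so the decode error is reproducible; that argument, the helper names and the two constructed input files are assumptions for this demonstration. The point of CWE-404 here is that a handle left open on the exception path is released only whenever the garbage collector gets to it, so a client that can trigger the error repeatedly can run the process out of descriptors.

```python
"""Card 38: the open()/readline()/close() pattern, leaky and hardened (added example)."""
import builtins
import os
import tempfile


def read_header_leaky(full_path):
    """The flashcard's pattern: if readline() raises, f.close() is never reached."""
    f = open(full_path, encoding="utf-8")  # encoding pinned (assumption) so the failure is reproducible
    old_or_new = f.readline().split(",")
    f.close()
    return old_or_new


def read_header_safe(full_path):
    """Hardened form: the with-block closes the file on every exit path, including exceptions."""
    with open(full_path, encoding="utf-8") as f:
        return f.readline().rstrip("\n").split(",")


def run_and_check_closed(reader, path):
    """Call reader(path), swallow the decode/IO error the way a long-running input would,
    and report (raised, every_opened_handle_closed).

    builtins.open is wrapped only for the duration of the call so the file objects the
    reader creates can be inspected afterwards."""
    opened = []
    real_open = builtins.open

    def tracking_open(*args, **kwargs):
        f = real_open(*args, **kwargs)
        opened.append(f)
        return f

    builtins.open = tracking_open
    try:
        try:
            reader(path)
            raised = False
        except (UnicodeDecodeError, OSError):
            raised = True
    finally:
        builtins.open = real_open
    return raised, all(f.closed for f in opened)


def demo():
    """Constructed inputs: a well-formed header line and a file whose first bytes are not UTF-8."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.csv")
        bad = os.path.join(d, "bad.csv")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("old,new,flag\n")
        with open(bad, "wb") as fh:
            fh.write(b"\xff\xfe not utf-8\n")  # 0xFF is never valid in UTF-8
        return {
            "leaky_bad": run_and_check_closed(read_header_leaky, bad),  # (True, False): error, handle still open
            "safe_bad": run_and_check_closed(read_header_safe, bad),    # (True, True): error, handle closed
            "safe_good": read_header_safe(good),
        }


if __name__ == "__main__":
    print(demo())
```

The leaky variant keeps the file object alive for as long as the traceback (or anything else) references it; in this harness that is the `opened` list, in a real add-on it is whatever frames the exception passes through. The fix is not the except clause but the context manager, which releases the descriptor before the exception reaches the caller.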

39
Q

Which of the following formats are valid for a Splunk REST URI?

A. host:port/endpoint

B. scheme://host/servicesNS/*/

C. $SPLUNK_HOME/services/endpoint

D. scheme://host:port/services/endpoint

A

D. scheme://host:port/services/endpoint

40
Q

Which HTTP Event Collector (HEC) endpoint should be used to collect data in the following format?
{message:Hello World, foo:bar, pony:buttercup}

A. data/inputs/http/{name}

B. services/collector/raw

C. services/collector

D. data/inputs/http

A

B. services/collector/raw

* Note that in the exam, if they use double quotes, that means it is JSON, so the correct answer would be:

C. services/collector

41
Q

The response message from a successful Splunk REST call includes an element. What is contained in an element?

A. A dictionary of elements.

B. Metadata encapsulating the element.

C. A response code indicating success or failure.

D. An individual element in an collection.

A

B. Metadata encapsulating the element.

42
Q

A user wants to add the token $token_name$ to a dashboard for use in a drilldown. Which token filter encodes URL values?

A. $$token_name$$

B. $token_name|h$

C. $token_name|n$

D. $token_name|u$

A

D. $token_name|u$

43
Q

Which of the following is a security best practice?

A. Enable XSS.

B. Eliminate all escape characters.

C. Ensure the app passes App Certification.

D. Ensure components have no Common Vulnerabilities and Exposures (CVE) vulnerabilities.

A

D. Ensure components have no Common Vulnerabilities and Exposures (CVE) vulnerabilities.

44
Q

Which event handler uses the element to support pan and zoom functionality?

A. Visualization event handler

B. Form input event handler

C. Condition event handler

D. Search event handler

A

A. Visualization event handler

45
Q

What predefined drilldown tokens are available specifically for trellis layouts? (Select all that apply.)

A. trellis.Xaxis

B. trellis.Yaxis

C. trellis.name

D. trellis.value

A

C. trellis.name

D. trellis.value

46
Q

How can event logs be collected from a remote Windows machine using a standard Splunk installation and no customization? (Select all that apply.)

A. By configuring a WMI input.

B. By using HTTP event collector.

C. By using a Windows heavy forwarder.

D. By using a Windows universal forwarder.

A

A. By configuring a WMI input.

D. By using a Windows universal forwarder.

47
Q

To delete the record with a _key value of smith from the sales collection, a DELETE request should be sent to which REST endpoint?

A. /storage/collections/sales/smith

B. /storage/kvstore/data/sales/smith

C. /storage/collections/data/sales/smith

D. /storage/kvstore/collections/sales/smith

A

C. /storage/collections/data/sales/smith

48
Q

Log files related to Splunk REST calls can be found in which indexes? (Select all that apply.)

A. _audit

B. _internal

C. _thefishbucket

D. _blocksignature

A

A. _audit

B. _internal

49
Q

A fellow Splunk administrator is reviewing an app that has been downloaded from Splunkbase and deployed in an organization. The admin has e-mailed the following configuration snippet with a brief note that says "fix the permissions".
In what configuration file should the snippet be placed?
[]
access = read : [*], write : [admin]
export = system
(Assume that $APP_HOME refers to the path where the app is installed, e.g. $SPLUNK_HOME/etc/apps/)

A. $APP_HOME/default/app.conf

B. $APP_HOME/local/default.meta

C. $APP_HOME/metadata/local.meta

D. $SPLUNK_HOME/etc/system/local/server.conf

A

C. $APP_HOME/metadata/local.meta

50
Q

Which of the following are security best practices for Splunk app development? (Select all that apply.)

A. Store passwords in clear text in .conf files.

B. Implement security in software development lifecycle.

C. Manually test application with the controls listed in the OWASP Security Testing Guide.

D. Use a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities.

A

B. Implement security in software development lifecycle.

C. Manually test application with the controls listed in the OWASP Security Testing Guide.

D. Use a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities.

51
Q

Which items below are configured in inputs.conf? (Select all that apply.)

A. A modular input written in Python.

B. A file input monitoring a JSON file.

C. A custom search command written in Python.

D. An HTTP Event Collector as receiver of data from an app.

A

A. A modular input written in Python.

B. A file input monitoring a JSON file.

D. An HTTP Event Collector as receiver of data from an app.

52
Q

Which of the following statements describe an HEC token? (Select all that apply.)

A. Maps to a Splunk user.

B. Can be used to download data.

C. Is a GUID (globally unique identifier).

D. Can be created in Splunk Web or using REST endpoints.

A

C. Is a GUID (globally unique identifier).

D. Can be created in Splunk Web or using REST endpoints.

53
Q

Which of the following ensures that quotation marks surround the value referenced by the token?

A. $token_name|s$

B. "$token_name$"

C. ($token_name$)

D. \"$token_name$\"

A

A. $token_name|s$
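Added example covering cards 1, 42 and 53 together; it is not code from the flashcards or from Splunk. It models what the Simple XML token filters do to a value: `|n` passes it through untouched, `|u` URL-encodes it, `|h` HTML-escapes it, `|s` wraps it in double quotes and backslash-escapes any quotes or backslashes inside, and `$$` is a literal dollar sign. Inside a drilldown `<link>` the default is URL encoding, which is why card 1 needs `|n` to emit the link field as a clickable URL; elsewhere the default is no encoding. The `render_tokens` function, its `link_context` flag, and the behaviour of leaving an unset token as literal text are assumptions of this model, and the Python encoders approximate Splunk's own encoding tables. Practical caveat: `|n` trusts the field completely, so only use it on a field that already holds a full URL you control.

```python
"""Simple XML token filters modelled in Python (added example, not Splunk's implementation)."""
import html
import re
import urllib.parse

# $$ is an escaped dollar; otherwise $name$ or $name|filter$ with filter in n, u, h, s.
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z0-9_.:]+)(?:\|([nuhs]))?\$")


def apply_filter(value, flt):
    """Apply one filter letter to a token value."""
    if flt == "n":                      # no encoding: card 1's $row.link|n$
        return value
    if flt == "u":                      # URL-encode: card 42's $token_name|u$
        return urllib.parse.quote(value, safe="")
    if flt == "h":                      # HTML-escape
        return html.escape(value, quote=True)
    if flt == "s":                      # quote-wrap with inner quotes/backslashes escaped: card 53
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    raise ValueError(f"unknown token filter: {flt}")


def render_tokens(template, values, link_context=False):
    """Substitute $token$ references in template using the values dict.

    link_context=True reproduces the <link> element's default of URL-encoding
    unfiltered tokens; elsewhere an unfiltered token is inserted verbatim.
    Unset tokens are left as literal text (assumption for this model)."""
    def sub(match):
        if match.group(0) == "$$":
            return "$"
        name, flt = match.group(1), match.group(2)
        if name not in values:
            return match.group(0)
        if flt is None:
            flt = "u" if link_context else "n"
        return apply_filter(str(values[name]), flt)

    return TOKEN_RE.sub(sub, template)


if __name__ == "__main__":
    row = {"row.link": "http://example.com/a?b=1&c=2", "host": 'web "01"'}  # constructed values
    print(render_tokens("$row.link|n$", row, link_context=True))
    print(render_tokens("$row.link$", row, link_context=True))
    print(render_tokens('host=$host|s$', row))
```

With `link_context=True`, `$row.link$` becomes `http%3A%2F%2Fexample.com%2Fa%3Fb%3D1%26c%3D2` (a broken link), while `$row.link|n$` keeps the URL intact; `$host|s$` yields `"web \"01\""`, which is what a search string needs when the value contains quotes.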

54
Q

Which of the following is an intended use of HTTP Event Collector tokens?

A. A cookie.

B. An HTTP header field.

C. A JSON field in the HTTP request.

D. A password in conjunction with login.

A

D. A password in conjunction with login.
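Added example covering cards 5, 40, 52 and 54; it is not code from the flashcards or from Splunk. It assembles HEC requests offline: the token goes either in an `Authorization: Splunk <token>` header or as the password of HTTP basic authentication with any user name (the "password in conjunction with login" use), payloads that parse as a JSON object go to /services/collector while anything else goes to /services/collector/raw, several JSON events can be batched by concatenation, and a token created with useACK=1 requires an `X-Splunk-Request-Channel` header carrying a GUID. The base URL, token string, channel value and sample events are constructed; the helper names are assumptions.

```python
"""Build HTTP Event Collector requests without sending them (added example, not Splunk's code)."""
import base64
import json
import uuid

HEC_JSON = "/services/collector"       # JSON event objects, optionally batched
HEC_RAW = "/services/collector/raw"    # arbitrary text, line-broken by Splunk


def hec_auth_headers(token, basic=False):
    """A HEC token is presented either as 'Authorization: Splunk <token>' or as the
    password of HTTP basic authentication (the user name is ignored)."""
    if basic:
        creds = base64.b64encode(f"x:{token}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    return {"Authorization": f"Splunk {token}"}


def classify_payload(text):
    """Route a payload: a JSON object belongs on /services/collector; text that does not
    parse as a JSON object, such as {message:Hello World, foo:bar} without quotes, on /raw."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return HEC_RAW
    return HEC_JSON if isinstance(obj, dict) else HEC_RAW


def build_hec_request(base_url, token, events, channel=None, raw=False):
    """Return (url, headers, body) for one HEC POST.

    events:  list of dicts for the JSON endpoint (each needs an "event" key), or
             list of strings for the raw endpoint.
    channel: required when the token was created with useACK=1; HEC rejects ack-enabled
             requests without X-Splunk-Request-Channel, and the value must be a GUID."""
    headers = hec_auth_headers(token)
    if channel is not None:
        uuid.UUID(channel)                      # raises ValueError on a malformed channel id
        headers["X-Splunk-Request-Channel"] = channel
    if raw:
        body = "\n".join(events).encode()
        return base_url + HEC_RAW, headers, body
    for ev in events:
        if not isinstance(ev, dict) or "event" not in ev:
            raise ValueError("every object sent to /services/collector needs an 'event' key")
    # Batching: HEC accepts several JSON objects concatenated with no separator.
    body = "".join(json.dumps(ev, separators=(",", ":")) for ev in events).encode()
    headers["Content-Type"] = "application/json"
    return base_url + HEC_JSON, headers, body


if __name__ == "__main__":
    # Constructed sample: two events for an ack-enabled token.
    print(build_hec_request("https://splunk.example:8088", "TOKEN",
                            [{"event": "a", "sourcetype": "t"}, {"event": "b"}],
                            channel="3d3e8d4a-8f0b-4c3a-9f0e-1a2b3c4d5e6f"))
    print(classify_payload("{message:Hello World, foo:bar, pony:buttercup}"))
```

The channel check is deliberately strict: a request to an ack-enabled token without a well-formed channel fails at the collector, so catching it before the POST saves a round trip, and the same channel value is what you later send to /services/collector/ack to confirm indexing.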

55
Q

When the search/jobs REST endpoint is called to execute a search, what can be done to reduce the size of the results? (Select all that apply.)

A. Use a generating search.

B. Remove unneeded fields.

C. Truncate the data, using selective functions.

D. Summarize data, using analytic commands.

A

B. Remove unneeded fields.

C. Truncate the data, using selective functions.

D. Summarize data, using analytic commands.

56
Q

Which of the following is a customization option for the Open in Search panel link button?

A. Display the refresh time.

B. Show the Export Results button.

C. Show link buttons at the bottom of a panel.

D. Define an alternative search or target view to use.

A

D. Define an alternative search or target view to use.

57
Q

In a DELETE request, what would omitting the value of _key from the REST endpoint do?

A. Clean the KV store, deleting all content.

B. Produce the syntax error "Key value missing".

C. Cause all records in a collection to be deleted.

D. Mean that the _key value must be passed as an argument.

A

C. Cause all records in a collection to be deleted.
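Added example covering cards 27, 28, 34, 47 and 57; it is not code from the flashcards or from Splunk. It builds KV store REST URLs in the nobody/&lt;app&gt; namespace: /storage/collections/config for creating a collection, /storage/collections/data/&lt;collection&gt; with a JSON query document that is serialized and URL-encoded rather than hand-typed (the failure mode in the wrong options of card 34), and /storage/collections/data/&lt;collection&gt;/&lt;_key&gt; for a single record. Because a DELETE on the collection path with no _key removes every record, the delete helper refuses to build such a URL. The host, app and collection names are constructed; the helper names are assumptions.

```python
"""KV store REST URL construction with encoding and a key-less DELETE guard (added example)."""
import json
import urllib.parse


def kv_config_url(base, app, owner="nobody", collection=None):
    """storage/collections/config: POST name=<collection> here to create a collection;
    append the collection name to inspect or change its field definitions."""
    path = f"/servicesNS/{owner}/{app}/storage/collections/config"
    if collection:
        path += "/" + urllib.parse.quote(collection, safe="")
    return base + path


def kv_data_url(base, app, collection, owner="nobody", key=None, query=None, **params):
    """storage/collections/data/<collection>[/<key>]?query=<json>&... with the query
    document serialized by json.dumps and percent-encoded by urlencode, so quotes,
    braces and $ operators arrive intact."""
    path = f"/servicesNS/{owner}/{app}/storage/collections/data/{urllib.parse.quote(collection, safe='')}"
    if key is not None:
        path += "/" + urllib.parse.quote(str(key), safe="")
    if query is not None:
        params["query"] = json.dumps(query, separators=(",", ":"))
    qs = urllib.parse.urlencode(params)
    return base + path + ("?" + qs if qs else "")


def kv_delete_url(base, app, collection, key, owner="nobody"):
    """URL for DELETE of one record. Without a key, DELETE on the collection path
    deletes all records, so a missing or empty key is rejected here."""
    if key is None or str(key) == "":
        raise ValueError("refusing key-less DELETE: it would remove every record in the collection")
    return kv_data_url(base, app, collection, owner=owner, key=key)


def range_query(field, gte, lt):
    """MongoDB-style document for gte <= field < lt, the card 34 condition."""
    return {"$and": [{field: {"$gte": gte}}, {field: {"$lt": lt}}]}


def parse_query_param(url):
    """Decode the query= parameter of a built URL back into a Python object."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return json.loads(params["query"][0])


if __name__ == "__main__":
    base = "https://localhost:8089"  # constructed management-port URL
    print(kv_config_url(base, "search"))
    print(kv_data_url(base, "search", "employees", query=range_query("rating", 2, 5), output_mode="json"))
    print(kv_delete_url(base, "search", "sales", "smith"))
```

urlencode percent-encodes more than the exam URL does (braces, colons and $ as well as the quotes), which the KV store accepts equally; what matters is that the decoded value is the JSON document you intended, which `parse_query_param` lets you confirm before issuing the request.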

58
Q

Which of the following is a way to monitor app performance? (Select all that apply.)

A. Using Splunk logs.

B. Using the search job inspector.

C. Using the Monitoring Console.

D. Using the storage/collections/config REST endpoint.

A

A. Using Splunk logs.

C. Using the Monitoring Console.

59
Q

Which files within an app contain permissions information? (Select all that apply.)

A. local/metadata.conf

B. metadata/local.meta

C. default/metadata.conf

D. metadata/default.meta

A

B. metadata/local.meta

D. metadata/default.meta

60
Q
When using the Splunk Web Framework to create a global search, which is the correct post-process syntax for the base search shown below?

var searchmain = new SearchManager({ id: "base-search", search: "index=_internal | head 10 | fields *", preview: true, cache: true });

A. var mypostproc1 = new PostProcessManager({ id: "post1", managerid: "base-search", search: "| stats count by sourcetype" });

B. var mypostproc1 = new PostProcessManager({ id: "post1", managerid: "base", search: "| stats count by sourcetype" });

C. var mypostproc1 = new PostProcess({ id: "post1", managerid: "base-search", search: "| search stats count by sourcetype" });

D. You cannot create global searches in the Splunk Web Framework.

A

A. var mypostproc1 = new PostProcessManager({ id: "post1", managerid: "base-search", search: "| stats count by sourcetype" });

61
Q

A dashboard is taking too long to load. Several searches start with the same SPL. How can the searches be optimized in this dashboard? (Select all that apply.)

A. Convert searches to include NOT expressions.

B. Restrict the time range of the search as much as possible.

C. Replace | stats command with | transaction command wherever possible.

D. Convert the common SPL into a Global Search and convert the other searches to post-processing searches.

A

B. Restrict the time range of the search as much as possible.

D. Convert the common SPL into a Global Search and convert the other searches to post-processing searches.

62
Q

Which of the following search commands can be used to perform statistical queries on indexed fields in TSIDX files?

A. stats

B. tstats

C. tscollect

D. transaction

A

B. tstats

63
Q

Data can be added to a KV store collection in which of the following format(s)?

A. JSON

B. JSON, XML

C. JSON, XML, CSV

D. JSON, XML, CSV, TXT

A

A. JSON

64
Q

For a KV store, a lookup stanza in the transforms.conf file must contain which of the following? (Select all that apply.)

A. collection

B. fields_list

C. external_type

D. internal_type

A

A. collection

B. fields_list

C. external_type
