A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?
Trap 1: `| stats count(src_ip) as unique_ips`
`count` counts all events, not unique IPs.
Trap 2: `| stats distinct_count(src_ip) as unique_ips`
`distinct_count` is not a valid Splunk function.
Trap 3: `| stats unique(src_ip) as unique_ips`
`unique` is not a stats function.
- A
`| stats count(src_ip) as unique_ips`
Why wrong: `count` counts all events, not unique IPs.
- B
`| stats distinct_count(src_ip) as unique_ips`
Why wrong: `distinct_count` is not a valid Splunk function.
- C
`| stats unique(src_ip) as unique_ips`
Why wrong: `unique` is not a stats function.
- D
`| stats dc(src_ip) as unique_ips`
`dc` (distinct count) counts unique values.