Refer to the exhibit. The timechart returns only partial results for some sourcetypes, and there are gaps in the timeline. Which is the most likely reason?
summariesonly=t restricts tstats to precomputed summaries; if the summary is incomplete, results will have gaps.
Why this answer
The `tstats` command in Splunk operates on index-time summary data stored in the tsidx files, not on raw events. This summary data is generated during indexing based on the data model acceleration or summary indexing configuration, and it may not cover all time ranges if the acceleration has not been built for those periods or if the data model is not fully accelerated. As a result, `tstats` can return partial results and gaps in the timeline, especially when the time range extends beyond the accelerated data coverage.
Exam trap
Splunk often tests the misconception that `tstats` behaves like `search` or `stats` and can access all raw events. The trap here is that candidates overlook the fact that `tstats` is limited to summary data, which may not cover all time ranges if acceleration is incomplete or not configured.
How to eliminate wrong answers
Option A is wrong because the `timechart span=1h` does not conflict with the `tstats span`: `tstats` does not have a `span` argument. It uses the `_time` field, and the `timechart` command applies its own binning after `tstats` returns results, so no conflict exists.
Option C is wrong because the `sourcetype` field is a default indexed field that is always summarized in the tsidx files, so it is available for `tstats` to use.
Option D is wrong because the `where` clause in the exhibit is syntactically valid (e.g., `where sourcetype=access_*` is a valid pattern match), and there is no indication of invalid syntax or a runtime error.