A medium-sized company uses Splunk to monitor its e-commerce platform. The platform generates around 10 million events per day from web servers, application logs, and databases. The security team wants to identify the top 10 IP addresses that trigger the most 403 Forbidden errors in the last 24 hours. However, when they run the search: index=ecom sourcetype=web status=403 | top src_ip, the search takes over 5 minutes to complete and sometimes times out. The team needs a faster approach that still accurately identifies the top IPs. The team's Splunk environment uses indexers and a search head. The data is not accelerated. What should the team do to improve search performance?
Acceleration pre-computes results, so on-demand searches are fast.
Why this answer
Option D is correct because report acceleration or summary indexing pre-computes and stores the aggregated results, so a later run reads the summary instead of re-scanning every raw event. The search qualifies for report acceleration: 'top' is a transforming command and nothing non-streaming precedes it. Once the saved report is accelerated, Splunk builds a summary on the indexers and refreshes it on a schedule; a 24-hour search is then answered from the summary plus only the thin slice of events that arrived after the last refresh. With summary indexing, a scheduled search writes the per-IP 403 counts into a dedicated summary index and the on-demand search aggregates those rows. Either way the data each search has to read shrinks from the full raw event set to pre-built aggregates, which removes the cause of the timeouts. Two practical caveats: the first run after enabling acceleration still pays the cost of building the summary, and the summary range must cover the 24-hour window or the uncovered portion falls back to a raw scan.
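As an added illustration (not from the original page), the following savedsearches.conf stanzas show both pre-computation approaches for this exact search. The stanza names, the summary index name summary_ecom and the custom field report are hypothetical; the configuration keys are standard Splunk settings.

```ini
# Added example, not part of the original page. Stanza names, the index
# "summary_ecom" and the custom field "report" are hypothetical.

# 1) Summary indexing: a scheduled search counts 403s per src_ip for the
#    previous completed hour and writes the aggregated rows to a summary index.
#    Runs at 5 past the hour so late-arriving events for that hour are included.
[ecom_403_by_ip_hourly]
search = index=ecom sourcetype=web status=403 | stats count by src_ip
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
cron_schedule = 5 * * * *
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_ecom
# action.summary_index.<field> stamps a field/value pair on every summarized row,
# so the consumer can select exactly this feed.
action.summary_index.report = ecom_403_by_ip_hourly

# 2) The on-demand search analysts actually run. It reads at most one row per
#    src_ip per hour (24 rows per IP for a day) instead of ~10M raw events.
#    Use sum(count), not count: running "| top src_ip" on summary rows would
#    count rows, so every IP seen in all 24 hours would tie at 24.
[ecom_top_403_ips_24h]
search = index=summary_ecom report=ecom_403_by_ip_hourly | stats sum(count) as count by src_ip | sort - count | head 10
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h

# 3) Report acceleration alternative: keep the original search as a saved
#    report and let Splunk maintain the summary on the indexers. The search
#    qualifies because "top" is a transforming command and only the base
#    search (no non-streaming commands) precedes it. The summary range (-7d)
#    must cover the 24h window the report is dispatched over.
[ecom_top_403_ips_accelerated]
search = index=ecom sourcetype=web status=403 | top limit=10 src_ip
dispatch.earliest_time = -24h
dispatch.latest_time = now
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d
```

The second stanza is where most people get summary indexing wrong: the summary already holds counts, so the consumer must add them up rather than count rows. The summary-indexing feed also only covers hours in which the scheduled search actually ran; if the scheduler skips a run, that hour is missing from the summary until it is backfilled. Report acceleration avoids that bookkeeping because Splunk owns the summary, at the cost of less control over what is stored.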
Exam trap
The trap here is that candidates often assume minor command changes (using 'stats' instead of 'top', or adding 'fields') will significantly improve performance. Both 'top' and 'stats count' are distributable commands that already run in parallel on the indexers, so rewriting one as the other changes nothing about the real bottleneck: reading and filtering 10 million raw events on every run. Only pre-aggregation techniques such as summary indexing or report acceleration remove that full scan.
How to eliminate wrong answers
Option A is wrong because 'rare' returns the least common values, not the top IPs, and it still processes the same volume of data, so it neither answers the question nor improves performance. Option B is wrong because 'stats count by src_ip | sort - count | head 10' is functionally equivalent to 'top' and still requires scanning every event in the time range; both commands are distributed to the indexers the same way, so the performance difference is negligible. Option C is wrong because 'fields src_ip' only trims the field set carried forward (it can slightly reduce what the indexers send to the search head) after the events have already been read and filtered; it does not reduce the number of events scanned, so the search time barely changes.