The search query sourcetype=access_combined would return events from the access_combined sourcetype, which is a predefined sourcetype in Splunk that matches the access-common or access-combined Apache logging formats1. The sourcetype field is case-sensitive, so using different capitalization such as Access_Combined or ACCESS_COMBINED would not match the exact sourcetype name2. The sourcetype field is also a default field that is added by the indexer when it indexes the data, so it does not need to be enclosed in quotation marks3.
References
List of pretrained source types
Search command syntax details
Basic searches and search results
Question # 47
What is the main requirement for creating visualizations using the Splunk UI?
A.
Your search must transform event data into Excel file format first.
B.
Your search must transform event data into XML formatted data first.
C.
Your search must transform event data into statistical data tables first.
D.
Your search must transform event data into JSON formatted data first.
