Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SPLK-1003 (free, no signup)

Transactions and Event Correlation

Practice SPLK-1003 Transactions and Event Correlation questions with full explanations on every answer.

125 questions


Transactions and Event Correlation — choose a session length

10 questions (~10 min), 20 questions (~20 min), 30 questions (~30 min), 50 questions (~50 min)

Free · No account required

SPLK-1003 Domains

Advanced Searching and Statistics, Macros, Saved Searches and CIM, Advanced Visualization and Lookups, Transactions and Event Correlation

Practice Transactions and Event Correlation questions


All SPLK-1003 Transactions and Event Correlation questions (125)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

2

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

3

A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?

4

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

5

A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?

6

Which TWO statements about the 'transaction' command are correct? (Choose two.)

7

Which THREE conditions must be met for events to be grouped into the same transaction when using the 'transaction' command without any 'startswith' or 'endswith' options? (Choose three.)

8

Refer to the exhibit. A Splunk user runs the search shown. The search returns results, but the user notices that some clientip values appear multiple times in the stats output, even though they should have been grouped into a single transaction. What is the most likely reason for this?

9

Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?

10

An analyst needs to correlate events from a web server log and an application log to identify failed login attempts followed within 5 seconds by an error event. The events share a common session ID field. Which approach should the analyst use?

11

A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?

12

A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?

13

A Splunk user wants to correlate events from different sourcetypes (web_access, app_log) that belong to the same user session identified by session_id. The events should be grouped only if they occur within 30 minutes of each other, and each transaction should contain at least one event from each sourcetype. Which SPL construct should they use?

14

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

15

Which TWO statements are true about the `transaction` command in Splunk?

16

Which THREE of the following are valid use cases for the `transaction` command in Splunk?

17

Refer to the exhibit. The search is intended to count the number of clients who made more than 3 HTTP requests within any 30-minute window. However, the results are unexpectedly high. What is the most likely reason?

18

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

19

A security team needs to correlate failed login attempts across multiple web servers to identify brute force attacks. Each server logs authentication failures with timestamps and source IPs. The team wants to create a transaction that groups failed attempts within 5 minutes from the same IP, but only if there are at least 3 failures. Which approach correctly implements this requirement?

20

A Splunk administrator notices that a `transaction` command used for correlating VPN login and logout events is consuming excessive memory and causing search timeouts. The transaction groups events by `user` with `maxspan=12h` and `maxpause=30m`. The VPN logs contain millions of events per day. Which design change would most effectively reduce resource consumption while maintaining the ability to correlate logins and logouts within the same session?

21

An analyst wants to correlate events from two different sourcetypes: `auth` logs (login events) and `app` logs (application actions). Both logs share a common `session_id` field. The analyst needs to group all events from the same session, regardless of sourcetype, with a maximum time span of 1 hour. Which search correctly uses the `transaction` command?

22

A Splunk administrator is troubleshooting a search that uses the `transaction` command. The search is taking too long to complete and returning incomplete results. Which TWO changes are most likely to improve performance and accuracy of transaction searches? (Choose TWO.)

23

A security analyst is writing a search to detect lateral movement across servers by correlating authentication events from multiple domain controllers. Each event has a `user`, `src_ip`, and `dest_ip`. The analyst wants to group events where the same user authenticates from at least 3 different source IPs within 10 minutes. Which THREE components must be part of the search to achieve this? (Choose THREE.)

24

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads: `index=web sourcetype=access_combined | transaction transaction_id maxspan=60s | eval total_time = sum(response_time_ms) | where total_time > 5000` However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?

25

A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search: `index=transactions sourcetype=payment amount<50 | transaction user_id maxspan=1h | where sum(amount) > 200` This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?

26

A security analyst needs to correlate login events with subsequent logout events for the same user session. Which command should be used to group these events together?

27

Which TWO statements correctly describe the behavior of the transaction command in Splunk?

28

A Splunk analyst runs the above search. The results show that some transactions have a duration of 0 seconds. What is the most likely cause?

29

Order the steps to set up a data input for monitoring a log file in Splunk.

30

Order the steps to create a workflow action in Splunk.

31

Match each Splunk component to its function.

32

Match each Splunk search mode to its behavior.

33

A security analyst wants to correlate login events from multiple sources to identify a single user session. The data includes source IP, username, and timestamp. Which Splunk command is most appropriate to group these events into a single transaction based on a common field and a maximum time window?

34

A team is using the transaction command to group web server access logs into user sessions. They notice some sessions are missing because the transaction command defaults to combining events with identical field values if they occur within a default time window. What is the default maxspan value for the transaction command?

35

A Splunk admin is troubleshooting a transaction that groups firewall allow and deny events by session ID. The transaction should end when a deny event occurs for that session. Which transaction option should be used to define the end condition?

36

An analyst wants to correlate events from different sourcetypes (e.g., authentication logs and VPN logs) that share a common user field. The goal is to create a single event per user session containing all fields from both sourcetypes. Which command is best suited for this?

37

A transaction is created using the command: 'index=web status=200 OR status=404 | transaction sessionid'. The user wants to include transactions only if they contain both a 200 and a 404 status. Which additional step achieves this?

38

A Splunk search uses 'transaction' with a large dataset and causes a 'max transaction' error. What is the most likely cause and best practice to avoid it?

39

An analyst wants to group events that start with a 'login' event and end with a 'logout' event, using the username field. Which transaction syntax is correct?

40

An analyst is using the transaction command to group events by a field that has high cardinality (millions of unique values). The search is taking too long and consuming too much memory. Which approach should be taken to improve performance?

41

A transaction that groups events by field 'session_id' sometimes produces transactions that contain events from multiple distinct sessions due to session_id reuse over time. What is the best way to ensure transactions are correctly separated?

42

A Splunk search uses 'transaction' to correlate events. The transaction times out before all expected events are added. Which TWO options can be adjusted to allow more time for transaction completion? (Choose two.)

43

In a Splunk environment, an analyst is using the transaction command to group events from different sources. Which THREE factors are most important to consider when designing the transaction search for optimal performance? (Choose three.)

44

Which TWO statements about the 'transaction' command are true? (Choose two.)

45

A security team needs to group login events for the same user within a 5-minute window. Which transaction option should be used to limit the time between consecutive events?

46

A large transaction command is causing the search to run out of memory. Which approach best reduces memory usage while maintaining the transaction logic?

47

A Splunk administrator is correlating events from two sourcetypes using transaction with startswith and endswith. The transaction rarely matches events even though they exist. What is the most likely cause?

48

A financial company wants to group all events related to a single trading session. The session ID appears in all events. Which is the most efficient way to correlate these events without using transaction?

49

Which transaction option should be used to ensure that a transaction does not exceed a total duration of 10 minutes?

50

An administrator runs a transaction command that groups events by a customer ID but notices that some transactions are missing expected events. The log shows that the events are present and within the maxpause. What could be the reason?

51

Which command is best for calculating a running total of sales per customer across events without creating a multivalued field?

52

A search uses transaction to group login and logout events. What happens if a user has multiple logins before logging out?

53

A company wants to correlate events from multiple sources that share a common transaction ID. The events arrive in real time but with variable delays. Which transaction option ensures that a transaction closes after 2 minutes of inactivity?

54

Which TWO of the following are valid ways to correlate events without using the transaction command?

55

Which TWO of the following are valid reasons to use transaction instead of stats for event correlation?

56

Which THREE of the following are correct about the transaction command's default behavior?

57

Refer to the exhibit. The search returns no transactions even though there are login and logout events in the index. What is the most likely cause?

58

Refer to the exhibit. The eval command combines two fields into one. What is a potential issue with this search?

59

Refer to the exhibit. The search returns only transactions that ended with successful login. The administrator wants to see all failed login attempts that did not lead to a success. What is the most efficient approach?

60

A security analyst wants to group all events from a single web session into one transaction. The session is identified by a 'sessionId' field, and events are generated over a period that can last up to 30 minutes. The analyst also wants to close the transaction if there is no activity for more than 10 minutes. Which transaction parameters should be used?

61

An analyst needs to correlate events from two different data sources (web logs and database logs) based on a common session ID. The events occur within a short time window of 5 seconds. Which command is most appropriate?

62

A search using the transaction command is producing many partial transactions that are closed due to maxpause, but these transactions are often relevant and should not be discarded. Which option should be added to the transaction command to keep these partial results?

63

When using the transaction command to group events, which field is automatically added to the event to indicate the start time of the transaction?

64

A Splunk Power User needs to find the average duration of user sessions. The sessions are defined by a 'user_id' field and have a max inactivity of 15 minutes. Which search correctly calculates this?

65

Consider the following search: 'index=web | transaction sessionid maxspan=30m | where eventcount > 5 | stats avg(duration)'. An analyst notices that the search takes a long time and uses excessive memory. Which change would most likely improve performance?

66

A Splunk search uses 'transaction clientip maxpause=5m'. What does the maxpause setting control?

67

An analyst wants to group events from different sourcetypes (web_access and error_log) into a single transaction when they share the same 'request_id' field and occur within 1 minute. Which search correctly accomplishes this?

68

A search includes 'transaction userid maxspan=1h maxopentxn=1000'. What is the purpose of maxopentxn?

69

Which TWO fields are automatically created by the transaction command? (Select exactly 2 correct answers.)

70

Which THREE of the following are valid ways to correlate events in Splunk? (Select exactly 3 correct answers.)

71

Which THREE strategies can help reduce memory usage when using the transaction command? (Select exactly 3 correct answers.)

72

Refer to the exhibit. What is the purpose of the 'maxpause=5m' parameter in this search?

73

Refer to the exhibit. What is the purpose of this configuration?

74

Refer to the exhibit. An analyst sees that the transaction for sessionid 'abc123' has duration 120 seconds and 4 events. The events within this transaction occur at 10:00:00, 10:01:00, 10:02:00, and 10:03:00. Why did the transaction close?

75

A security analyst wants to group all authentication events (e.g., login, logout, failure) that occur within a 10-minute window for each user. The events are from multiple sources and share a common 'user' field. Which transaction command is most appropriate?

76

An analyst uses transaction to group web requests by session_id. Some transactions are unexpectedly large, containing hundreds of events. What parameter should be adjusted to limit the number of events per transaction?

77

A Splunk admin notices that a transaction search using the transaction command takes a long time and consumes high memory. The search correlates events by a high-cardinality field (IP address) across multiple indexers. Which optimization technique should be applied first?

78

An analyst wants to ensure that a transaction is only considered complete when it contains a specific end event. Which transaction parameter should be used?

79

An analyst wants to correlate events from multiple sourcetypes that have different timestamps but share a common reference ID. The events are ingested with some delay. Which parameter is crucial to ensure the transaction captures all related events despite ingestion delay?

80

A transaction search is processing too many fields. Which command should be used immediately before the transaction command to reduce memory usage?

81

An analyst wants to find transactions where the first event was a 'login' and the last event was a 'logout'. Which post-transaction filter is correct?

82

A transaction search that uses a large maxspan and high-cardinality fields is failing due to memory limitations. Which approach can best reduce memory usage without changing the transaction logic?

83

An analyst wants to group events by 'session_id' but only if the events occur within 5 minutes of each other, and there must be at least 2 events per transaction. Which transaction parameters achieve this?

84

Which two statements about the transaction command are correct? (Choose two.)

85

Which three conditions can cause a transaction to close prematurely? (Choose three.)

86

Which two techniques should be used to optimize a transaction search that is slow due to a high volume of events? (Choose two.)

87

A Splunk admin wants to group events from the same user session in web logs. Which transaction option should be used to ensure the transaction ends after 30 minutes of inactivity?

88

An analyst runs the following search to correlate login and logout events: `index=auth | transaction user startswith="LOGIN" endswith="LOGOUT"`. However, some transactions span over 24 hours. Which option should be added to limit each transaction to a maximum of 8 hours?

89

A security team notices that using `transaction` on a large dataset of firewall logs causes memory issues. Which alternative approach would most efficiently correlate events while reducing resource consumption?

90

A Splunk admin wants to group events that share a common `session_id` field. Events arrive out of order. Which transaction field will automatically sort events correctly?

91

A search includes `... | transaction 1,2,3` but returns unexpected results. What does the `1,2,3` represent in this context?

92

A company uses `transaction` to group events by `order_id`. Some orders have many events (1000+). Which option should be added to prevent a single transaction from consuming too many resources?

93

An analyst runs `sourcetype=access_combined | transaction clientip` and notices many single-event transactions. Which option would help close transactions more accurately?

94

A search uses `transaction` with wildcard fields (e.g., `*id`), causing poor performance. What is the best practice to optimize this?

95

A team wants to correlate events from different sourcetypes (web, db) on a common `sessionid`. They use `transaction sessionid` across both sourcetypes. The results show that some transactions are missing events. What is the most likely cause?

96

Which TWO options are valid parameters of the `transaction` command?

97

Which TWO conditions can cause a transaction to be evicted?

98

Which THREE statements about the `transaction` command are true?

99

Refer to the exhibit. A security analyst runs the above search. Which of the following best describes the result?

100

Refer to the exhibit. An analyst runs the above search to test transaction behavior. What is the likely result?

101

A large e-commerce company uses Splunk to analyze customer purchase funnels. Their environment includes 10 indexers and a search head cluster. They have a search that runs every 5 minutes to correlate events from web logs, order logs, and payment logs using the `transaction` command on a common `order_id` field. The search uses `transaction order_id maxevents=50 maxspan=30m`. Recently, users have reported that some orders are missing from the results, especially for high-volume periods. The team also notices that dashboard searches often timeout. They suspect the transaction command is the bottleneck. Upon examining the search, they see that the web logs alone generate hundreds of events per order. Which course of action would best address the missing orders and performance issues?

102

A security team needs to group all login events from the same user session. Events include 'login' and 'logout' with a common session_id field. Which command should be used to combine these events into a single event per session?

103

An analyst runs `transaction user_id` to correlate events from a web server. The resulting transaction events have a field 'duration' that shows the time between the first and last event. However, some transactions span over 30 minutes. What transaction option should be added to limit the maximum time between the first and last event?

104

A SOC analyst is investigating a security incident. They use `transaction src_ip` to group firewall events. The search returns too many single-event transactions. The analyst suspects that some events should be grouped but are not because the IP address is used by different sessions. Which option can help ensure events are grouped only if they occur close in time?

105

A search uses `transaction sessionId` to correlate events. However, the transaction command is consuming too much memory and the search fails. Which approach can reduce memory usage while still approximating the transaction grouping?

106

A company has events from multiple data sources that share a common 'request_id'. They want to correlate events from different sources (e.g., web, app, database) into a single transaction per request. However, the timestamps across sources are not synchronized, causing some events to appear out of order. Which approach is best to ensure correct grouping?

107

A user wants to see a single consolidated event for each user session that includes the start time, end time, and total duration. The session events have an 'action' field with values 'start' and 'end' and a common 'user_id'. Which transaction command would achieve this?

108

A search uses `transaction session_id maxspan=30m` to group events. The search returns 5000 transaction events. The analyst needs to filter out any transaction that does not contain an event with status=failure. Which post-transaction command should be used?

109

An analyst writes `transaction client_ip` to group events from a firewall. The resulting transactions show many events with duration=0. What is the most likely cause?

110

Which TWO options can be used with the `transaction` command to control how many events are included in a single transaction?

111

Which THREE statements about the `transaction` command are true?

112

Which TWO options can be used with the `transaction` command to define the beginning and end of a transaction?

113

A large e-commerce company is using Splunk to monitor user sessions across multiple microservices. Each service logs events with a common 'session_id' field. The security team wants to identify sessions where a user performed a 'password_change' action followed by a 'login' from a different IP address within 5 minutes, indicating possible account takeover. The current search uses `transaction session_id startswith=action=login endswith=action=password_change maxspan=10m`. However, the search returns very few results, and the team suspects it is missing many attacks. The logs show that sometimes 'password_change' occurs before 'login' (e.g., password reset then login) and the IP changes are observed across multiple events. The team needs to capture both orderings. Which approach should they take?

114

A network operations team monitors firewall logs using Splunk. They need to group events from the same TCP session, identified by 'src_ip', 'dst_ip', and 'src_port'. The logs contain events for 'session_start', 'data_transfer', and 'session_end' actions. They currently use `transaction src_ip dst_ip src_port startswith=action=session_start endswith=action=session_end`. However, many transactions are incomplete because some sessions do not have a 'session_end' event due to firewall timeouts. The team wants to include these incomplete sessions as well, but still group them around a start event. What should they modify?

115

A financial services company uses Splunk to correlate events from multiple applications. Analysts often use `transaction user_id` to group events, but they notice that this command significantly increases search time and memory usage. After investigating, they find that certain 'user_id' values are extremely frequent (e.g., service accounts) causing huge transactions with thousands of events, which exhaust search memory. The team needs to continue grouping by user_id but must avoid performance issues. They also need to preserve the ability to compute statistics like transaction duration. Which approach best addresses both concerns?

116

A Splunk administrator is tuning a dashboard that uses `transaction` to correlate web server events. The dashboard frequently times out. The admin reviews the search and sees `transaction client_ip maxspan=1h maxpause=30m`. The dataset contains about 10 million events per hour. The admin suspects that the transaction is causing the timeout. Which action should they take to improve performance while still achieving the grouping?

117

A security analyst is investigating a series of failed login attempts followed by successful logins from the same IP addresses within short time windows. They want to correlate these events into sessions representing potential brute-force attacks. Which TWO statements accurately describe best practices for using the transaction command in this scenario?

118

A Splunk administrator at a company with 500 employees needs to correlate VPN login events with subsequent network access logs to track user sessions. The VPN logs contain fields: user, src_ip, timestamp, event_type (login or logout). The network logs contain fields: user, dst_ip, timestamp, action (allow or deny). Both logs are indexed daily. The administrator wants to create a search that groups each VPN login with all network access events from that user within the next 8 hours. However, the current search using `transaction user startswith="login" endswith="logout" maxspan=8h` is returning many incomplete transactions where the logout event is missing. What is the most efficient way to improve the correlation without missing sessions?

119

A financial services company uses Splunk to monitor transactions between internal systems. Each transaction consists of a request event and a response event with identical fields: transaction_id, timestamp, component, status. The request event has component='app' and status='request'; the response event has component='db' and status='success' or 'failure'. The analyst runs the following search to correlate them: `index=main (component=app OR component=db) | transaction transaction_id maxspan=30s`. However, they notice that the search takes too long and often times out when there are many transactions. What change would most effectively reduce search time while still correctly grouping request-response pairs?

120

A large e-commerce site logs all user page views and purchases. Each event contains user_id, session_id, timestamp, and event_type (view or purchase). The marketing team wants to analyze the sequence of views that lead to a purchase. They use `transaction session_id startswith="view" endswith="purchase" maxspan=1h`. However, they find that some transactions are missing purchase events because the purchase occurs after 1 hour, or sometimes multiple purchases occur within the same session. To include all related events and correctly identify the sequence leading to each purchase, what is the best approach?

121

A telecom company monitors call detail records (CDR). Each call has a unique call_id, and events are generated at each network node (setup, ringing, answer, hangup) with timestamps. The events are from different sourcetypes (cdr_setup, cdr_ring, etc.) and are indexed in near real-time. The analyst needs to correlate all events for the same call_id to calculate call duration. The current search is: `index=telecom sourcetype=cdr_* | transaction call_id maxspan=2h`. This search works but sometimes produces huge transactions (100+ events) due to noisy data, causing memory errors. The analyst has identified that each call should have exactly 4 events: setup, ringing, answer, hangup. Which approach would best achieve this correlation with minimal resource usage?

122

A security operations center (SOC) uses Splunk to correlate alerts from multiple sources. They have a rule that triggers a transaction when an IDS alert is followed within 5 minutes by a firewall deny event from the same source IP. The search is: `index=security (sourcetype=ids OR sourcetype=firewall) | transaction src_ip startswith="ids" endswith="firewall" maxspan=5m`. This works well when the deny event occurs after the alert. However, analysts are missing correlations where the firewall deny event occurs slightly before the IDS alert (up to 1 minute before). To capture these out-of-order events without significantly increasing resource usage, what should the analyst do?

123

Refer to the exhibit. A security analyst notices that some transactions have a duration greater than 600 seconds even though maxpause is set to 5 minutes (300 seconds). What is the most likely reason?

124

Which TWO of the following are limitations of the transaction command in Splunk?

125

A large enterprise runs Splunk Enterprise with 500 servers forwarding Windows security logs. The security team wants to correlate failed logins (EventCode 4625) with subsequent successful logins (EventCode 4624) from the same source IP within a 5-minute window. They currently use the following search: `index=windows sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | transaction src_ip maxpause=5m | search EventCode=4625 AND EventCode=4624`. This search is extremely slow and often times out. Which approach would improve performance while maintaining the same correlation logic?


Frequently asked questions

What does the Transactions and Event Correlation domain cover on the SPLK-1003 exam?

The Transactions and Event Correlation domain covers the key concepts tested in this area of the SPLK-1003 exam blueprint published by Splunk. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SPLK-1003 domains — no account required.

How many Transactions and Event Correlation questions are in the SPLK-1003 question bank?

The Courseiva SPLK-1003 question bank contains 125 questions in the Transactions and Event Correlation domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Transactions and Event Correlation for SPLK-1003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Transactions and Event Correlation questions for SPLK-1003?

Yes — the session launcher on this page draws questions exclusively from the Transactions and Event Correlation domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
