SPLK-1003 • Practice Test 4 — 10 Questions
Free SPLK-1003 practice test 4 — 10 questions with explanations. No signup required.
Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?
Refer to the exhibit.
```
index=main sourcetype=linux_secure
| eval stage=case(
like(_raw,"%Failed password%"),"failed",
like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```