SPLK-1003 • Practice Test 5 — 10 Questions
Free SPLK-1003 practice test 5 — 10 questions with explanations. No signup required.
Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?
```
index=security sourcetype=linux_secure
| eval session_id=if(like(_raw,"Accepted publickey"), _raw, null())
| transaction session_id maxpause=5m
| table _time, session_id, duration
```