SPLK-1003 • Timed Practice Test 4
This is a timed practice session. You have 10 minutes to answer 10 questions — approximately 1 minute per question, matching real SPLK-1003 exam pace. Answer every question before time expires.
Exam-pace drill
Allow 1 minute per question. On the real SPLK-1003 exam you have approximately 72 seconds per question — this session trains you to maintain that pace under pressure.
Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?
```
index=main sourcetype=linux_secure
| eval stage=case(
like(_raw,"%Failed password%"),"failed",
like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```