SPLK-1003 Transactions and Event Correlation • Complete Question Bank
Complete SPLK-1003 Transactions and Event Correlation question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.

```spl
index=main sourcetype=access_combined
| transaction clientip maxspan=30m maxevents=5
| stats count by clientip
```
Refer to the exhibit.

```spl
index=security sourcetype=linux_secure
| eval session_id=if(like(_raw,"Accepted publickey"), _raw, null())
| transaction session_id maxpause=5m
| table _time, session_id, duration
```
Refer to the exhibit.

```spl
sourcetype=access_combined
| transaction clientip maxspan=30m
| where mvcount(method) > 3
| stats count by clientip
```
Refer to the exhibit.
```spl
index=main sourcetype=linux_secure
| eval stage=case(
like(_raw,"%Failed password%"),"failed",
like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads:
```spl
index=web sourcetype=access_combined
| transaction transaction_id maxspan=60s
| eval total_time = sum(response_time_ms)
| where total_time > 5000
```
However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?
A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search:
```spl
index=transactions sourcetype=payment amount<50
| transaction user_id maxspan=1h
| where sum(amount) > 200
```
This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?
Refer to the exhibit.

```spl
| transaction user maxspan=30m maxevents=5 startswith="login" endswith="logout"
| eval duration=tostring(_time_delta,"duration")
| stats count by user duration
```
Match each concept to its description:

- Indexes and stores incoming data
- Distributes search requests and merges results
- Sends data to indexers or other forwarders
- Manages configuration of forwarders
- Manages license usage across the deployment
Match each concept to its description:

- Optimizes for speed, may skip event data
- Balances speed and completeness (default)
- Returns all available fields for each event
- Searches data as it is indexed
- Searches data already indexed
Refer to the exhibit.

```spl
index=web sourcetype=access_combined
| transaction sessionid startswith="GET /login" endswith="GET /logout" maxpause=5m
```
Refer to the exhibit.

```spl
index=app sourcetype=server_log
| eval sessionid=coalesce(sessionid, correlation_id)
| transaction sessionid maxspan=10m
```
Refer to the exhibit.

```spl
index=security sourcetype=authentication
| transaction user startswith="Failed login" endswith="Successful login" maxpause=10m keepevicted=true
| search duration>0
```
Search query:

```spl
index=main sourcetype=access_combined
| transaction clientip maxspan=30m maxpause=5m
| stats count by clientip
| sort - count
| head 10
```
```
[mytransaction]
fields = clientip, userid
maxspan = 1h
maxpause = 10m
```
Search:

```spl
index=web
| transaction sessionid maxspan=10m maxpause=5m
| table _time, sessionid, duration, eventcount
```

Result:

```
_time                sessionid  duration  eventcount
2024-01-15 10:00:00  abc123     120       4
2024-01-15 10:15:00  def456     60        2
2024-01-15 10:30:00  ghi789     300       10
```
```spl
index=firewall src_ip=10.0.0.1
| transaction src_ip startswith="action=allow" endswith="action=deny" maxspan=5m
| table _time, src_ip, action
```
```spl
| makeresults count=5
| eval _time=_time + (random()%100)
| eval session="ses1"
| transaction session maxspan=10s
| eval duration=last(_time)-first(_time)
| stats avg(duration)
```
```spl
index=web sourcetype=access_combined
| transaction clientip maxspan=30m maxpause=5m
| table clientip, duration, eventcount
| where duration > 600
```