© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SPLK-1003 Transactions and Event Correlation • Complete Question Bank

SPLK-1003 Transactions and Event Correlation — All Questions With Answers

Complete SPLK-1003 Transactions and Event Correlation question bank — all 0 questions with answers and detailed explanations.

125 questions · Free · No signup
Question 1 (medium, multiple choice)

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

Question 2 (hard, multiple choice)

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

Question 3 (easy, multiple choice)

A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?

Question 4 (medium, multiple choice)

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

Question 5 (hard, multiple choice)

A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?

Question 6 (medium, multi-select)

Which TWO statements about the 'transaction' command are correct? (Choose two.)

Question 7 (hard, multi-select)

Which THREE conditions must be met for events to be grouped into the same transaction when using the 'transaction' command without any 'startswith' or 'endswith' options? (Choose three.)

Question 8 (easy, multiple choice)

Refer to the exhibit. A Splunk user runs the search shown. The search returns results, but the user notices that some clientip values appear multiple times in the stats output, even though they should have been grouped into a single transaction. What is the most likely reason for this?

Exhibit:

```spl
index=main sourcetype=access_combined
| transaction clientip maxspan=30m maxevents=5
| stats count by clientip
```

Question 9 (medium, multiple choice)

Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?

Exhibit:

```spl
index=security sourcetype=linux_secure
| eval session_id=if(like(_raw,"Accepted publickey"), _raw, null())
| transaction session_id maxpause=5m
| table _time, session_id, duration
```

Question 10 (medium, multiple choice)

An analyst needs to correlate events from a web server log and an application log to identify failed login attempts followed within 5 seconds by an error event. The events share a common session ID field. Which approach should the analyst use?

Question 11 (hard, multiple choice)

A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?

Question 12 (easy, multiple choice)

A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?

Question 13 (medium, multiple choice)

A Splunk user wants to correlate events from different sourcetypes (web_access, app_log) that belong to the same user session identified by session_id. The events should be grouped only if they occur within 30 minutes of each other, and each transaction should contain at least one event from each sourcetype. Which SPL construct should they use?

Question 14 (hard, multiple choice)

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

Question 15 (medium, multi-select)

Which TWO statements are true about the `transaction` command in Splunk?

Question 16 (hard, multi-select)

Which THREE of the following are valid use cases for the `transaction` command in Splunk?

Question 17 (medium, multiple choice)

Refer to the exhibit. The search is intended to count the number of clients who made more than 3 HTTP requests within any 30-minute window. However, the results are unexpectedly high. What is the most likely reason?

Exhibit:

```spl
sourcetype=access_combined | transaction clientip maxspan=30m | where mvcount(method) > 3 | stats count by clientip
```

Question 18 (hard, multiple choice)

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

Exhibit:

```spl
index=main sourcetype=linux_secure
| eval stage=case(
    like(_raw,"%Failed password%"),"failed",
    like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```

Question 19 (medium, multiple choice)

A security team needs to correlate failed login attempts across multiple web servers to identify brute force attacks. Each server logs authentication failures with timestamps and source IPs. The team wants to create a transaction that groups failed attempts within 5 minutes from the same IP, but only if there are at least 3 failures. Which approach correctly implements this requirement?

Question 20 (hard, multiple choice)

A Splunk administrator notices that a `transaction` command used for correlating VPN login and logout events is consuming excessive memory and causing search timeouts. The transaction groups events by `user` with `maxspan=12h` and `maxpause=30m`. The VPN logs contain millions of events per day. Which design change would most effectively reduce resource consumption while maintaining the ability to correlate logins and logouts within the same session?

Question 21 (easy, multiple choice)

An analyst wants to correlate events from two different sourcetypes: `auth` logs (login events) and `app` logs (application actions). Both logs share a common `session_id` field. The analyst needs to group all events from the same session, regardless of sourcetype, with a maximum time span of 1 hour. Which search correctly uses the `transaction` command?

Question 22 (medium, multi-select)

A Splunk administrator is troubleshooting a search that uses the `transaction` command. The search is taking too long to complete and returning incomplete results. Which TWO changes are most likely to improve performance and accuracy of transaction searches? (Choose TWO.)

Question 23 (hard, multi-select)

A security analyst is writing a search to detect lateral movement across servers by correlating authentication events from multiple domain controllers. Each event has a `user`, `src_ip`, and `dest_ip`. The analyst wants to group events where the same user authenticates from at least 3 different source IPs within 10 minutes. Which THREE components must be part of the search to achieve this? (Choose THREE.)

Question 24 (medium, multiple choice)

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads:

`index=web sourcetype=access_combined | transaction transaction_id maxspan=60s | eval total_time = sum(response_time_ms) | where total_time > 5000`

However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?

Question 25 (hard, multiple choice)

A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search:

`index=transactions sourcetype=payment amount<50 | transaction user_id maxspan=1h | where sum(amount) > 200`

This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?

Question 26 (easy, multiple choice)

A security analyst needs to correlate login events with subsequent logout events for the same user session. Which command should be used to group these events together?

Question 27 (medium, multi-select)

Which TWO statements correctly describe the behavior of the transaction command in Splunk?

Question 28 (hard, multiple choice)

Refer to the exhibit. A Splunk analyst runs the search shown. The results show that some transactions have a duration of 0 seconds. What is the most likely cause?

Exhibit:

```spl
| transaction user maxspan=30m maxevents=5 startswith="login" endswith="logout"
| eval duration=tostring(_time_delta,"duration")
| stats count by user duration
```

Question 29 (medium, drag order)

Order the steps to set up a data input for monitoring a log file in Splunk.

Question 30 (medium, drag order)

Order the steps to create a workflow action in Splunk.

Question 31 (medium, matching)

Match each Splunk component to its function.

Descriptions to match:

Indexes and stores incoming data
Distributes search requests and merges results
Sends data to indexers or other forwarders
Manages configuration of forwarders
Manages license usage across the deployment

Question 32 (medium, matching)

Match each Splunk search mode to its behavior.

Descriptions to match:

Optimizes for speed, may skip event data
Balances speed and completeness (default)
Returns all available fields for each event
Searches data as it is indexed
Searches data already indexed

Question 33 (easy, multiple choice)

A security analyst wants to correlate login events from multiple sources to identify a single user session. The data includes source IP, username, and timestamp. Which Splunk command is most appropriate to group these events into a single transaction based on a common field and a maximum time window?

Question 34 (medium, multiple choice)

A team is using the transaction command to group web server access logs into user sessions. They notice some sessions are missing because the transaction command defaults to combining events with identical field values if they occur within a default time window. What is the default maxspan value for the transaction command?

Question 35 (hard, multiple choice)

A Splunk admin is troubleshooting a transaction that groups firewall allow and deny events by session ID. The transaction should end when a deny event occurs for that session. Which transaction option should be used to define the end condition?

Question 36 (easy, multiple choice)

An analyst wants to correlate events from different sourcetypes (e.g., authentication logs and VPN logs) that share a common user field. The goal is to create a single event per user session containing all fields from both sourcetypes. Which command is best suited for this?

Question 37 (medium, multiple choice)

A transaction is created using the command: 'index=web status=200 OR status=404 | transaction sessionid'. The user wants to include transactions only if they contain both a 200 and a 404 status. Which additional step achieves this?

Question 38 (hard, multiple choice)

A Splunk search uses 'transaction' with a large dataset and causes a 'max transaction' error. What is the most likely cause and best practice to avoid it?

Question 39 (easy, multiple choice)

An analyst wants to group events that start with a 'login' event and end with a 'logout' event, using the username field. Which transaction syntax is correct?

Question 40 (medium, multiple choice)

An analyst is using the transaction command to group events by a field that has high cardinality (millions of unique values). The search is taking too long and consuming too much memory. Which approach should be taken to improve performance?

Question 41 (hard, multiple choice)

A transaction that groups events by field 'session_id' sometimes produces transactions that contain events from multiple distinct sessions due to session_id reuse over time. What is the best way to ensure transactions are correctly separated?

Question 42 (medium, multi-select)

A Splunk search uses 'transaction' to correlate events. The transaction times out before all expected events are added. Which TWO options can be adjusted to allow more time for transaction completion? (Choose two.)

Question 43 (hard, multi-select)

In a Splunk environment, an analyst is using the transaction command to group events from different sources. Which THREE factors are most important to consider when designing the transaction search for optimal performance? (Choose three.)

Question 44 (easy, multi-select)

Which TWO statements about the 'transaction' command are true? (Choose two.)

Question 45 (easy, multiple choice)

A security team needs to group login events for the same user within a 5-minute window. Which transaction option should be used to limit the time between consecutive events?

Question 46 (medium, multiple choice)

A large transaction command is causing the search to run out of memory. Which approach best reduces memory usage while maintaining the transaction logic?

Question 47 (hard, multiple choice)

A Splunk administrator is correlating events from two sourcetypes using transaction with startswith and endswith. The transaction rarely matches events even though they exist. What is the most likely cause?

Question 48 (medium, multiple choice)

A financial company wants to group all events related to a single trading session. The session ID appears in all events. Which is the most efficient way to correlate these events without using transaction?

Question 49 (easy, multiple choice)

Which transaction option should be used to ensure that a transaction does not exceed a total duration of 10 minutes?

Question 50 (hard, multiple choice)

An administrator runs a transaction command that groups events by a customer ID but notices that some transactions are missing expected events. The log shows that the events are present and within the maxpause. What could be the reason?

Question 51 (medium, multiple choice)

Which command is best for calculating a running total of sales per customer across events without creating a multivalued field?

Question 52 (easy, multiple choice)

A search uses transaction to group login and logout events. What happens if a user has multiple logins before logging out?

Question 53 (medium, multiple choice)

A company wants to correlate events from multiple sources that share a common transaction ID. The events arrive in real time but with variable delays. Which transaction option ensures that a transaction closes after 2 minutes of inactivity?

Question 54 (medium, multi-select)

Which TWO of the following are valid ways to correlate events without using the transaction command?

Question 55 (hard, multi-select)

Which TWO of the following are valid reasons to use transaction instead of stats for event correlation?

Question 56 (medium, multi-select)

Which THREE of the following are correct about the transaction command's default behavior?

Question 57 (easy, multiple choice)

Refer to the exhibit. The search returns no transactions even though there are login and logout events in the index. What is the most likely cause?

Exhibit:

```spl
index=web sourcetype=access_combined | transaction sessionid startswith="GET /login" endswith="GET /logout" maxpause=5m
```

Question 58 (medium, multiple choice)

Refer to the exhibit. The eval command combines two fields into one. What is a potential issue with this search?

Exhibit:

```spl
index=app sourcetype=server_log
| eval sessionid=coalesce(sessionid, correlation_id)
| transaction sessionid maxspan=10m
```

Question 59 (hard, multiple choice)

Refer to the exhibit. The search returns only transactions that ended with successful login. The administrator wants to see all failed login attempts that did not lead to a success. What is the most efficient approach?

Exhibit:

```spl
index=security sourcetype=authentication
| transaction user startswith="Failed login" endswith="Successful login" maxpause=10m keepevicted=true
| search duration>0
```

Question 60 (easy, multiple choice)

A security analyst wants to group all events from a single web session into one transaction. The session is identified by a 'sessionId' field, and events are generated over a period that can last up to 30 minutes. The analyst also wants to close the transaction if there is no activity for more than 10 minutes. Which transaction parameters should be used?

Question 61 (medium, multiple choice)

An analyst needs to correlate events from two different data sources (web logs and database logs) based on a common session ID. The events occur within a short time window of 5 seconds. Which command is most appropriate?

Question 62 (hard, multiple choice)

A search using the transaction command is producing many partial transactions that are closed due to maxpause, but these transactions are often relevant and should not be discarded. Which option should be added to the transaction command to keep these partial results?

Question 63 (easy, multiple choice)

When using the transaction command to group events, which field is automatically added to the event to indicate the start time of the transaction?

Question 64 (easy, multiple choice)

A Splunk Power User needs to find the average duration of user sessions. The sessions are defined by a 'user_id' field and have a max inactivity of 15 minutes. Which search correctly calculates this?

Question 65 (hard, multiple choice)

Consider the following search: 'index=web | transaction sessionid maxspan=30m | where eventcount > 5 | stats avg(duration)'. An analyst notices that the search takes a long time and uses excessive memory. Which change would most likely improve performance?

Question 66 (easy, multiple choice)

A Splunk search uses 'transaction clientip maxpause=5m'. What does the maxpause setting control?

Question 67 (medium, multiple choice)

An analyst wants to group events from different sourcetypes (web_access and error_log) into a single transaction when they share the same 'request_id' field and occur within 1 minute. Which search correctly accomplishes this?

Question 68 (hard, multiple choice)

A search includes 'transaction userid maxspan=1h maxopentxn=1000'. What is the purpose of maxopentxn?

Question 69 (medium, multi-select)

Which TWO fields are automatically created by the transaction command? (Select exactly 2 correct answers.)

Question 70 (hard, multi-select)

Which THREE of the following are valid ways to correlate events in Splunk? (Select exactly 3 correct answers.)

Question 71 (medium, multi-select)

Which THREE strategies can help reduce memory usage when using the transaction command? (Select exactly 3 correct answers.)

Question 72 (easy, multiple choice)

Refer to the exhibit. What is the purpose of the 'maxpause=5m' parameter in this search?

Exhibit:

```spl
index=main sourcetype=access_combined | transaction clientip maxspan=30m maxpause=5m | stats count by clientip | sort - count | head 10
```

Question 73 (medium, multiple choice)

Refer to the exhibit. What is the purpose of this configuration?

Exhibit:

```conf
[mytransaction]
fields = clientip, userid
maxspan = 1h
maxpause = 10m
```

Question 74 (hard, multiple choice)

Refer to the exhibit. An analyst sees that the transaction for sessionid 'abc123' has duration 120 seconds and 4 events. The events within this transaction occur at 10:00:00, 10:01:00, 10:02:00, and 10:03:00. Why did the transaction close?

Exhibit:

Search:

```spl
index=web | transaction sessionid maxspan=10m maxpause=5m | table _time, sessionid, duration, eventcount
```

Result:

```text
_time                sessionid   duration  eventcount
2024-01-15 10:00:00  abc123      120        4
2024-01-15 10:15:00  def456      60         2
2024-01-15 10:30:00  ghi789      300        10
```

Question 75 (easy, multiple choice)

A security analyst wants to group all authentication events (e.g., login, logout, failure) that occur within a 10-minute window for each user. The events are from multiple sources and share a common 'user' field. Which transaction command is most appropriate?

Question 76 (medium, multiple choice)

An analyst uses transaction to group web requests by session_id. Some transactions are unexpectedly large, containing hundreds of events. What parameter should be adjusted to limit the number of events per transaction?

Question 77 (hard, multiple choice)

A Splunk admin notices that a transaction search using the transaction command takes a long time and consumes high memory. The search correlates events by a high-cardinality field (IP address) across multiple indexers. Which optimization technique should be applied first?

Question 78 (easy, multiple choice)

An analyst wants to ensure that a transaction is only considered complete when it contains a specific end event. Which transaction parameter should be used?

Question 79 (medium, multiple choice)

An analyst wants to correlate events from multiple sourcetypes that have different timestamps but share a common reference ID. The events are ingested with some delay. Which parameter is crucial to ensure the transaction captures all related events despite ingestion delay?

Question 80 (easy, multiple choice)

A transaction search is processing too many fields. Which command should be used immediately before the transaction command to reduce memory usage?

Question 81 (medium, multiple choice)

An analyst wants to find transactions where the first event was a 'login' and the last event was a 'logout'. Which post-transaction filter is correct?

Question 82 (hard, multiple choice)

A transaction search that uses a large maxspan and high-cardinality fields is failing due to memory limitations. Which approach can best reduce memory usage without changing the transaction logic?

Question 83 (easy, multiple choice)

An analyst wants to group events by 'session_id' but only if the events occur within 5 minutes of each other, and there must be at least 2 events per transaction. Which transaction parameters achieve this?

Question 84 (easy, multi-select)

Which two statements about the transaction command are correct? (Choose two.)

Question 85 (medium, multi-select)

Which three conditions can cause a transaction to close prematurely? (Choose three.)

Question 86 (hard, multi-select)

Which two techniques should be used to optimize a transaction search that is slow due to a high volume of events? (Choose two.)

Question 87 (easy, multiple choice)

A Splunk admin wants to group events from the same user session in web logs. Which transaction option should be used to ensure the transaction ends after 30 minutes of inactivity?

Question 88 (medium, multiple choice)

An analyst runs the following search to correlate login and logout events: `index=auth | transaction user startswith="LOGIN" endswith="LOGOUT"`. However, some transactions span over 24 hours. Which option should be added to limit each transaction to a maximum of 8 hours?

Question 89 (hard, multiple choice)

A security team notices that using `transaction` on a large dataset of firewall logs causes memory issues. Which alternative approach would most efficiently correlate events while reducing resource consumption?

Question 90 (easy, multiple choice)

A Splunk admin wants to group events that share a common `session_id` field. Events arrive out of order. Which transaction field will automatically sort events correctly?

Question 91 (medium, multiple choice)

A search includes `... | transaction 1,2,3` but returns unexpected results. What does the `1,2,3` represent in this context?

Question 92 (hard, multiple choice)

A company uses `transaction` to group events by `order_id`. Some orders have many events (1000+). Which option should be added to prevent a single transaction from consuming too many resources?

Question 93 (easy, multiple choice)

An analyst runs `sourcetype=access_combined | transaction clientip` and notices many single-event transactions. Which option would help close transactions more accurately?

Question 94 (medium, multiple choice)

A search uses `transaction` with wildcard fields (e.g., `*id`), causing poor performance. What is the best practice to optimize this?

Question 95 (hard, multiple choice)

A team wants to correlate events from different sourcetypes (web, db) on a common `sessionid`. They use `transaction sessionid` across both sourcetypes. The results show that some transactions are missing events. What is the most likely cause?

Question 96 (medium, multi select)

Which TWO options are valid parameters of the `transaction` command?

Question 97 (hard, multi select)

Which TWO conditions can cause a transaction to be evicted?

Question 98 (easy, multi select)

Which THREE statements about the `transaction` command are true?

Question 99 (medium, multiple choice)

Refer to the exhibit. A security analyst runs the above search. Which of the following best describes the result?

Exhibit

index=firewall src_ip=10.0.0.1 | transaction src_ip startswith="action=allow" endswith="action=deny" maxspan=5m | table _time, src_ip, action

Question 100 (hard, multiple choice)

Refer to the exhibit. An analyst runs the above search to test transaction behavior. What is the likely result?

Exhibit

| makeresults count=5
| eval _time=_time + (random()%100)
| eval session="ses1"
| transaction session maxspan=10s
| eval duration=last(_time)-first(_time)
| stats avg(duration)

Question 101 (hard, multiple choice)

A large e-commerce company uses Splunk to analyze customer purchase funnels. Their environment includes 10 indexers and a search head cluster. They have a search that runs every 5 minutes to correlate events from web logs, order logs, and payment logs using the `transaction` command on a common `order_id` field. The search uses `transaction order_id maxevents=50 maxspan=30m`. Recently, users have reported that some orders are missing from the results, especially for high-volume periods. The team also notices that dashboard searches often timeout. They suspect the transaction command is the bottleneck. Upon examining the search, they see that the web logs alone generate hundreds of events per order. Which course of action would best address the missing orders and performance issues?

Question 102 (easy, multiple choice)

A security team needs to group all login events from the same user session. Events include 'login' and 'logout' with a common session_id field. Which command should be used to combine these events into a single event per session?

Question 103 (easy, multiple choice)

An analyst runs `transaction user_id` to correlate events from a web server. The resulting transaction events have a field 'duration' that shows the time between the first and last event. However, some transactions span over 30 minutes. What transaction option should be added to limit the maximum time between the first and last event?

Question 104 (medium, multiple choice)

A SOC analyst is investigating a security incident. They use `transaction src_ip` to group firewall events. The search returns too many single-event transactions. The analyst suspects that some events should be grouped but are not because the IP address is used by different sessions. Which option can help ensure events are grouped only if they occur close in time?

Question 105 (medium, multiple choice)

A search uses `transaction sessionId` to correlate events. However, the transaction command is consuming too much memory and the search fails. Which approach can reduce memory usage while still approximating the transaction grouping?

Question 106 (hard, multiple choice)

A company has events from multiple data sources that share a common 'request_id'. They want to correlate events from different sources (e.g., web, app, database) into a single transaction per request. However, the timestamps across sources are not synchronized, causing some events to appear out of order. Which approach is best to ensure correct grouping?

Question 107 (easy, multiple choice)

A user wants to see a single consolidated event for each user session that includes the start time, end time, and total duration. The session events have an 'action' field with values 'start' and 'end' and a common 'user_id'. Which transaction command would achieve this?

Question 108 (hard, multiple choice)

A search uses `transaction session_id maxspan=30m` to group events. The search returns 5000 transaction events. The analyst needs to filter out any transaction that does not contain an event with status=failure. Which post-transaction command should be used?

Question 109 (medium, multiple choice)

An analyst writes `transaction client_ip` to group events from a firewall. The resulting transactions show many events with duration=0. What is the most likely cause?

Question 110 (medium, multi select)

Which TWO options can be used with the `transaction` command to control how many events are included in a single transaction?

Question 111 (hard, multi select)

Which THREE statements about the `transaction` command are true?

Question 112 (easy, multi select)

Which TWO options can be used with the `transaction` command to define the beginning and end of a transaction?

Question 113 (hard, multiple choice)

A large e-commerce company is using Splunk to monitor user sessions across multiple microservices. Each service logs events with a common 'session_id' field. The security team wants to identify sessions where a user performed a 'password_change' action followed by a 'login' from a different IP address within 5 minutes, indicating possible account takeover. The current search uses `transaction session_id startswith=action=login endswith=action=password_change maxspan=10m`. However, the search returns very few results, and the team suspects it is missing many attacks. The logs show that sometimes 'password_change' occurs before 'login' (e.g., password reset then login) and the IP changes are observed across multiple events. The team needs to capture both orderings. Which approach should they take?

Question 114 (medium, multiple choice)

A network operations team monitors firewall logs using Splunk. They need to group events from the same TCP session, identified by 'src_ip', 'dst_ip', and 'src_port'. The logs contain events for 'session_start', 'data_transfer', and 'session_end' actions. They currently use `transaction src_ip dst_ip src_port startswith=action=session_start endswith=action=session_end`. However, many transactions are incomplete because some sessions do not have a 'session_end' event due to firewall timeouts. The team wants to include these incomplete sessions as well, but still group them around a start event. What should they modify?

Question 115 (hard, multiple choice)

A financial services company uses Splunk to correlate events from multiple applications. Analysts often use `transaction user_id` to group events, but they notice that this command significantly increases search time and memory usage. After investigating, they find that certain 'user_id' values are extremely frequent (e.g., service accounts) causing huge transactions with thousands of events, which exhaust search memory. The team needs to continue grouping by user_id but must avoid performance issues. They also need to preserve the ability to compute statistics like transaction duration. Which approach best addresses both concerns?

Question 116 (medium, multiple choice)

A Splunk administrator is tuning a dashboard that uses `transaction` to correlate web server events. The dashboard frequently times out. The admin reviews the search and sees `transaction client_ip maxspan=1h maxpause=30m`. The dataset contains about 10 million events per hour. The admin suspects that the transaction is causing the timeout. Which action should they take to improve performance while still achieving the grouping?

Question 117 (medium, multi select)

A security analyst is investigating a series of failed login attempts followed by successful logins from the same IP addresses within short time windows. They want to correlate these events into sessions representing potential brute-force attacks. Which TWO statements accurately describe best practices for using the transaction command in this scenario?

Question 118 (easy, multiple choice)

A Splunk administrator at a company with 500 employees needs to correlate VPN login events with subsequent network access logs to track user sessions. The VPN logs contain fields: user, src_ip, timestamp, event_type (login or logout). The network logs contain fields: user, dst_ip, timestamp, action (allow or deny). Both logs are indexed daily. The administrator wants to create a search that groups each VPN login with all network access events from that user within the next 8 hours. However, the current search using `transaction user startswith="login" endswith="logout" maxspan=8h` is returning many incomplete transactions where the logout event is missing. What is the most efficient way to improve the correlation without missing sessions?

Question 119 (easy, multiple choice)

A financial services company uses Splunk to monitor transactions between internal systems. Each transaction consists of a request event and a response event with identical fields: transaction_id, timestamp, component, status. The request event has component='app' and status='request'; the response event has component='db' and status='success' or 'failure'. The analyst runs the following search to correlate them: `index=main (component=app OR component=db) | transaction transaction_id maxspan=30s`. However, they notice that the search takes too long and often times out when there are many transactions. What change would most effectively reduce search time while still correctly grouping request-response pairs?

Question 120 (medium, multiple choice)

A large e-commerce site logs all user page views and purchases. Each event contains user_id, session_id, timestamp, and event_type (view or purchase). The marketing team wants to analyze the sequence of views that lead to a purchase. They use `transaction session_id startswith="view" endswith="purchase" maxspan=1h`. However, they find that some transactions are missing purchase events because the purchase occurs after 1 hour, or sometimes multiple purchases occur within the same session. To include all related events and correctly identify the sequence leading to each purchase, what is the best approach?

Question 121 (hard, multiple choice)

A telecom company monitors call detail records (CDR). Each call has a unique call_id, and events are generated at each network node (setup, ringing, answer, hangup) with timestamps. The events are from different sourcetypes (cdr_setup, cdr_ring, etc.) and are indexed in near real-time. The analyst needs to correlate all events for the same call_id to calculate call duration. The current search is: `index=telecom sourcetype=cdr_* | transaction call_id maxspan=2h`. This search works but sometimes produces huge transactions (100+ events) due to noisy data, causing memory errors. The analyst has identified that each call should have exactly 4 events: setup, ringing, answer, hangup. Which approach would best achieve the correlation with minimal resource usage?

Question 122 (hard, multiple choice)

A security operations center (SOC) uses Splunk to correlate alerts from multiple sources. They have a rule that triggers a transaction when an IDS alert is followed within 5 minutes by a firewall deny event from the same source IP. The search is: `index=security sourcetype=ids OR sourcetype=firewall | transaction src_ip startswith="ids" endswith="firewall" maxspan=5m`. This works well when the deny event occurs after the alert. However, analysts are missing correlations where the firewall deny event occurs slightly before the IDS alert (up to 1 minute before). To capture these out-of-order events without significantly increasing resource usage, what should the analyst do?

Question 123 (medium, multiple choice)

Refer to the exhibit. A security analyst notices that some transactions have a duration greater than 600 seconds even though maxpause is set to 5 minutes (300 seconds). What is the most likely reason?

Exhibit

index=web sourcetype=access_combined | transaction clientip maxspan=30m maxpause=5m | table clientip, duration, eventcount | where duration > 600

Question 124 (easy, multi select)

Which TWO of the following are limitations of the transaction command in Splunk?

Question 125 (hard, multiple choice)

A large enterprise runs Splunk Enterprise with 500 servers forwarding Windows security logs. The security team wants to correlate failed logins (EventCode 4625) with subsequent successful logins (EventCode 4624) from the same source IP within a 5-minute window. They currently use the following search: `index=windows sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | transaction src_ip maxpause=5m | search EventCode=4625 AND EventCode=4624`. This search is extremely slow and often times out. Which approach would improve performance while maintaining the same correlation logic?
