CCNA Transactions and Event Correlation Questions

50 of 125 questions · Page 2/2 · Transactions and Event Correlation · Answers revealed

76
MCQmedium

A transaction is created using the command: 'index=web status=200 OR status=404 | transaction sessionid'. The user wants to include transactions only if they contain both a 200 and a 404 status. Which additional step achieves this?

A.| transaction sessionid keepevicted=true | where mvcount(status)>=2
B.| where mvcount(mvdedup(status))>=2
C.| search status="200" OR status="404"
D.| where mvcount(status)==2
AnswerB

Correct: Counts distinct status values.

Why this answer

Option B is correct because `mvcount(mvdedup(status))>=2` counts the distinct values in the transaction's multivalue `status` field; a transaction that contains both a 200 and a 404 yields 2. Option C (`search status="200" OR status="404"`) keeps any transaction that has either status. Option A adds `keepevicted=true`, which has nothing to do with the requirement, and Option D (`mvcount(status)==2`) counts occurrences rather than distinct values. Note that with the default `mvlist=false` the transaction command already stores only unique values in its multivalue fields, so `mvcount(status)>=2` would also work here; the `mvdedup()` keeps the filter correct when `mvlist=true` (or `mvlist=status`) is set and every event's value is retained.

77
MCQmedium

Refer to the exhibit. A security analyst runs the above search. Which of the following best describes the result?

A.Transactions for all source IPs, but only showing src_ip 10.0.0.1 in the table
B.Transactions of all firewall events for src_ip 10.0.0.1, each lasting up to 5 minutes
C.Transactions of src_ip 10.0.0.1 that start with deny and end with allow
D.Transactions beginning with 'allow' and ending with 'deny' for src_ip 10.0.0.1, with a maximum duration of 5 minutes
AnswerD

Correct interpretation of the transaction parameters.

Why this answer

Option D is correct: the exhibit's search groups firewall events by `src_ip`, opens a transaction at an 'allow' event (`startswith`), closes it at a 'deny' event (`endswith`) and caps the span at 5 minutes (`maxspan=5m`). Only events inside that window that fit the pattern form transactions. Option A is incorrect because the transactions are built only for the filtered source IP, not for all IPs. Option B is incorrect because `startswith`/`endswith` restrict which events form a transaction; it is not every firewall event for that IP.

Option C is incorrect because it reverses the start and end conditions.

78
MCQhard

A search using the transaction command is producing many partial transactions that are closed due to maxpause, but these transactions are often relevant and should not be discarded. Which option should be added to the transaction command to keep these partial results?

A.keepopen=true
B.keepevicted=true
C.closed=true
D.partial=true
AnswerB

Correct: keepevicted=true retains transactions that were evicted before meeting their end condition. closed=true and partial=true are not transaction options (distractors).

Why this answer

The `keepevicted=true` option keeps transactions that were evicted from memory because of `maxpause`, `maxspan`, `maxevents` or the `maxopentxn`/`maxopenevents` limits instead of discarding them. Evicted transactions carry `closed_txn=0`, so they can be separated afterwards with `| search closed_txn=0` (or `closed_txn=1` for the complete ones). `keepopen` is not a transaction option either.

79
MCQeasy

Which transaction option should be used to ensure that a transaction does not exceed a total duration of 10 minutes?

A.endswith="end"
B.maxpause=10m
C.startswith="start"
D.maxspan=10m
AnswerD

maxspan limits the total time span from first to last event.

Why this answer

Option D is correct because `maxspan` sets the maximum total duration of a transaction, measured from its first to its last event. Option B (`maxpause`) limits the gap between consecutive events but not the overall duration.

Options A and C (`endswith`, `startswith`) define the boundary events and impose no time limit.

80
MCQeasy

A transaction search is processing too many fields. Which command should be used immediately before the transaction command to reduce memory usage?

A.fields - _raw, _time
B.fields + user_id, _time
C.fields - * except user_id
D.fields user_id, _time
AnswerD

Correct: this keeps only the necessary fields.

Why this answer

Option D is correct: `fields user_id, _time` keeps only the listed fields (internal fields such as `_raw` are retained unless removed explicitly), so `transaction` carries far less data per event. Option A removes `_raw` and `_time` but keeps every other extracted field. Option C is not valid `fields` syntax.

Option B is not actually a different command: in SPL `fields +` is the explicit form of the default keep behaviour (`+` keeps the listed fields, `-` removes them), so `fields + user_id, _time` is equivalent to Option D; the quiz treats D as the key because it is the usual form. If the raw text is not needed after the transaction, `fields - _raw` saves the most memory.

81
MCQhard

Refer to the exhibit. The search returns only transactions that ended with successful login. The administrator wants to see all failed login attempts that did not lead to a success. What is the most efficient approach?

A.Replace the search with | where closed_txn=0.
B.Increase maxpause to 30m.
C.Remove the final search command and instead filter on closed_txn=0.
D.Remove the keepevicted=true option.
AnswerC

With keepevicted=true, evicted (unclosed) transactions have closed_txn=0; filtering on that shows all failed login attempts.

Why this answer

Option C is correct. With `keepevicted=true`, transactions that were evicted before an `endswith` match (a session with failures but no success) are kept and carry `closed_txn=0`; removing the final `search` that keeps only successful logins and filtering on `closed_txn=0` returns exactly the failed attempts that never led to a success. Option A describes the same filter, but the key prefers C because it names removing the success-only `search`, which is what drops the wanted rows. Option B (increasing `maxpause`) only changes when transactions are evicted; incomplete sessions are still removed.

Option D (removing `keepevicted=true`) discards evicted transactions entirely, the opposite of what is wanted.

82
MCQhard

A search uses `transaction session_id maxspan=30m` to group events. The search returns 5000 transaction events. The analyst needs to filter out any transaction that does not contain an event with status=failure. Which post-transaction command should be used?

A.`| transaction session_id maxspan=30m | stats count(eval(status="failure")) by session_id`
B.`| transaction session_id maxspan=30m | search status=failure`
C.`| transaction session_id maxspan=30m | where status=failure`
D.`| transaction session_id maxspan=30m | eval has_failure=if(match(_raw, "failure"),1,0) | where has_failure=1`
AnswerB

After `transaction`, each transaction event carries a multivalue `status` field holding the values of all its constituent events, so `search status=failure` matches every transaction in which at least one event had `status=failure`.

Why this answer

`search` is the right filter after `transaction` because it matches a field-value pair against any value of a multivalue field. Option C (`where status=failure`) is an eval expression: unquoted `failure` is read as a field name, and the comparison does not test each value of a multivalue field the way `search` does. Option A collapses the transactions into counts instead of filtering them. Option D matches the word anywhere in `_raw`, which also hits unrelated text such as `status=no_failure` or a message that mentions the word.

83
Multi-Selecthard

Which two techniques should be used to optimize a transaction search that is slow due to a high volume of events? (Choose two.)

Select 2 answers
A.Use the 'fields' command to limit fields before transaction.
B.Use the 'keepevicted' option to free memory.
C.Use the 'stats' command with values() and range() instead of transaction if possible.
D.Use the 'local' parameter to process on a single indexer.
E.Increase the maxspan value to reduce the number of transactions.
AnswersA, C

Correct: limiting fields reduces memory per event, and stats is often a cheaper substitute for transaction.

Why this answer

Options A and C are correct. Running `fields` before `transaction` reduces the memory and processing per event. A `stats` search (for example `stats values(action) range(_time) as duration count by session_id`) is distributed across the indexers and is usually far cheaper than `transaction` when the correlation only needs the set of values and the time range.

Option B (`keepevicted`) changes which transactions are output, not the cost of producing them. Option D (`local`) forces processing onto a single node and reduces parallelism. Option E (a larger `maxspan`) keeps transactions open longer and increases memory use.

84
MCQhard

A transaction that groups events by field 'session_id' sometimes produces transactions that contain events from multiple distinct sessions due to session_id reuse over time. What is the best way to ensure transactions are correctly separated?

A.Use 'transaction session_id maxevents=1' to stop after one event.
B.Use 'transaction session_id mvlist=_raw' to include raw data.
C.Use 'transaction session_id maxspan=30m' to limit the time window.
D.Use 'transaction session_id startswith="new_session" endswith="end_session"'.
AnswerC

Correct: Time window separates reused IDs.

Why this answer

Option C is correct. Adding `maxspan` limits the time window, so events from a reused session ID that are widely separated in time cannot merge into one transaction (`maxpause` is the alternative when the reuse gap is large compared with the normal gap between events). Options A, B and D do not address the reuse: `maxevents=1` turns every event into its own transaction, `mvlist=_raw` only changes how values are stored, and `startswith`/`endswith` help only if the logs actually carry new-session and end-session markers.

85
MCQmedium

A security team needs to correlate failed login attempts across multiple web servers to identify brute force attacks. Each server logs authentication failures with timestamps and source IPs. The team wants to create a transaction that groups failed attempts within 5 minutes from the same IP, but only if there are at least 3 failures. Which approach correctly implements this requirement?

A.index=web sourcetype=access_combined status=401 | search clientip=* | head 3
B.index=web sourcetype=access_combined status=401 | transaction clientip maxspan=5m maxevents=3
C.index=web sourcetype=access_combined status=401 | stats count by clientip, _time
D.index=web sourcetype=access_combined status=401 | transaction clientip maxspan=5m
AnswerD

This groups by clientip within a 5-minute window; the minimum-count test is applied afterwards with `| where eventcount>=3`. `maxevents` cannot express a minimum.

Why this answer

Option D is the correct grouping: `transaction clientip maxspan=5m` groups failed logins (`status=401`) from the same source IP that fall within 5 minutes and adds an `eventcount` field to each transaction. The 'at least 3 failures' requirement is then applied with `| where eventcount>=3`, which none of the listed options include. Option B is a trap rather than a solution: `maxevents=3` is an upper bound (the default is 1000), so a burst of five failures is split into transactions of three and two, and single failures are still returned.

Exam trap

The trap is that `maxevents` reads like a threshold but is a cap. The minimum-count test belongs after the `transaction` command (`where eventcount>=3`), and `head` or `stats count by clientip, _time` do not perform time-window grouping at all. A `stats` form also works and scales better, at the cost of fixed 5-minute buckets instead of a sliding window: `bin _time span=5m | stats count by clientip, _time | where count>=3`.

How to eliminate wrong answers

Option A is wrong because `head 3` returns the first 3 events of the whole result set; it neither groups by IP nor by time, and `search clientip=*` is redundant. Option C is wrong because `stats count by clientip, _time` groups by exact timestamp, so nearly every event becomes its own group and no 5-minute window is applied. Option B is wrong because `maxevents=3` is a maximum, not a minimum: transactions with fewer than 3 failures are still produced, and larger bursts are split into pieces.
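The options behind items 76 to 85 (maxspan, maxpause, maxevents, startswith/endswith, keepevicted with closed_txn, the unique-values default of mvlist, and the eventcount and duration fields) are easier to see on data than in option lists. The Python below is an added example written for this page; it is not Splunk code and not an exact reproduction of the transaction command. It models those options on events fed in chronological order, with startswith/endswith reduced to a single field=value test and a simplified closed_txn rule (a transaction is evicted only when an endswith condition was required and never met). All events are constructed.

```python
"""Added example for this page (not Splunk code): a chronological model of the
`transaction` command covering maxspan, maxpause, maxevents, startswith/endswith
(reduced to one field=value test), keepevicted/closed_txn and mvlist.  Simplified
rule: a transaction is evicted (closed_txn=0) only when an endswith condition was
required and never met; every other boundary closes it normally."""


def _matches(cond, ev):
    # cond is a (field, value) pair or None
    return cond is not None and ev.get(cond[0]) == cond[1]


def transaction(events, key, maxspan=None, maxpause=None, maxevents=1000,
                startswith=None, endswith=None, keepevicted=False, mvlist=False):
    done, open_txn = [], {}

    def emit(k, evs, closed):
        if not closed and not keepevicted:      # evicted and keepevicted=false: dropped
            return
        t = {key: k, "_time": evs[0]["_time"], "eventcount": len(evs),
             "duration": evs[-1]["_time"] - evs[0]["_time"], "closed_txn": int(closed)}
        for f in {f for e in evs for f in e} - {key, "_time"}:
            vals = [e[f] for e in evs if f in e]
            t[f] = vals if mvlist else sorted(set(vals), key=str)   # mvlist=false: unique values
        done.append(t)

    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev.get(key)
        if k is None:                           # keeporphans=false: no key, no transaction
            continue
        cur = open_txn.get(k)
        if cur is not None and (
                (maxspan is not None and ev["_time"] - cur[0]["_time"] > maxspan)
                or (maxpause is not None and ev["_time"] - cur[-1]["_time"] > maxpause)
                or len(cur) >= maxevents or _matches(startswith, ev)):
            emit(k, cur, closed=endswith is None)   # forced boundary
            del open_txn[k]
            cur = None
        if cur is None:
            if startswith is not None and not _matches(startswith, ev):
                continue                        # not a start event: dropped
            cur = open_txn[k] = [ev]
        else:
            cur.append(ev)
        if _matches(endswith, ev):
            emit(k, cur, closed=True)
            del open_txn[k]
    for k, cur in open_txn.items():             # still open when the data ends
        emit(k, cur, closed=endswith is None)
    return sorted(done, key=lambda t: t["_time"])


# Constructed sample events (epoch seconds from an arbitrary T0), not real logs.
T0 = 1_700_000_000
WEB = [{"_time": T0, "sessionid": "s1", "status": 200},
       {"_time": T0 + 30, "sessionid": "s1", "status": 404},
       {"_time": T0 + 5, "sessionid": "s2", "status": 200},
       {"_time": T0 + 9, "sessionid": "s2", "status": 200}]
AUTH = ([{"_time": T0 + 20 * i, "clientip": "198.51.100.7", "status": 401} for i in range(5)]
        + [{"_time": T0 + 60, "clientip": "203.0.113.9", "status": 401}])
LOGIN = [{"_time": T0, "user": "alice", "action": "fail"},
         {"_time": T0 + 10, "user": "alice", "action": "success"},
         {"_time": T0, "user": "bob", "action": "fail"}]


def sessions_with_both_statuses():
    """Item 76: `transaction sessionid | where mvcount(mvdedup(status))>=2`."""
    return [t["sessionid"] for t in transaction(WEB, "sessionid") if len(set(t["status"])) >= 2]


def brute_force_sources(threshold=3):
    """Item 85: `transaction clientip maxspan=5m | where eventcount>=3`."""
    return [t["clientip"] for t in transaction(AUTH, "clientip", maxspan=300)
            if t["eventcount"] >= threshold]


def split_by_maxevents():
    """Item 85's trap: maxevents=3 caps the five failures into transactions of 3 and 2."""
    return [t["eventcount"] for t in transaction(AUTH, "clientip", maxspan=300, maxevents=3)
            if t["clientip"] == "198.51.100.7"]


def failed_without_success():
    """Item 81: fail->success with keepevicted=true, then keep closed_txn=0."""
    txns = transaction(LOGIN, "user", startswith=("action", "fail"),
                       endswith=("action", "success"), maxspan=300, keepevicted=True)
    return [t["user"] for t in txns if t["closed_txn"] == 0]
```

The third function is the point of item 85: the same five failures from one IP come out as transactions of three and two events under `maxevents=3`, so the threshold has to be tested on `eventcount` after the transaction, never expressed with `maxevents`. The last function shows the `closed_txn` split from item 81: alice's fail-then-success closes normally, bob's lone failure is output only because `keepevicted` is set.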

86
MCQhard

A search includes 'transaction userid maxspan=1h maxopentxn=1000'. What is the purpose of maxopentxn?

A.It limits the total number of transactions in the search results.
B.It limits the number of transactions that can be open simultaneously in memory.
C.It limits the number of events per transaction.
D.It limits the time span of open transactions.
AnswerB

Correct: maxopentxn limits the number of concurrently open transactions, indirectly controlling memory use.

Why this answer

`maxopentxn` caps how many transactions can be open at the same time (the default comes from the `[transactions]` stanza in limits.conf, 5000). When the limit is reached the oldest open transaction is evicted; it is dropped unless `keepevicted=true`, in which case it is output with `closed_txn=0`. `maxopenevents` is the companion limit on the total number of events held in open transactions.

87
MCQhard

An administrator runs a transaction command that groups events by a customer ID but notices that some transactions are missing expected events. The log shows that the events are present and within the maxpause. What could be the reason?

A.Events are from different hosts or sources.
B.The startswith and endswith are conflicting.
C.The fields option is missing.
D.The maxpause value is too short.
AnswerA

The customer ID must be present, under the same field name and in the same format, on every event that is to be grouped; events from another host or source whose sourcetype does not extract it are left out.

Why this answer

Option A is correct, with a correction to the usual explanation: `transaction` does not implicitly split on host, source or sourcetype; it groups on the fields you list. What does happen with events from different hosts or sources is that the customer-ID field is often not extracted for one of the sourcetypes, or is extracted under a different name or format (`customer_id` versus `CustomerID`, with or without leading zeros). Events that lack the grouping field are placed in no transaction and are dropped unless `keeporphans=true`, so the transactions appear to be missing events even though the raw events exist and fall inside `maxpause`. A quick check before the `transaction` is `| stats count by sourcetype customer_id`. Option D is false because the question states the events are within `maxpause`.

Option B is irrelevant unless the search actually sets both. Option C (`fields`) is a performance practice, not a cause.

88
MCQeasy

A Splunk Power User needs to find the average duration of user sessions. The sessions are defined by a 'user_id' field and have a max inactivity of 15 minutes. Which search correctly calculates this?

A.index=main | transaction user_id maxpause=15m | stats avg(duration)
B.index=main | transaction user_id maxpause=15m | eval avg=avg(duration)
C.index=main | transaction user_id maxpause=15 | stats avg(_time)
D.index=main | transaction user_id maxspan=15m | stats avg(duration)
AnswerA

Correct: transaction adds duration, stats averages it.

Why this answer

The transaction command with `maxpause=15m` groups each user's events, ending a session after 15 minutes of inactivity, and adds a `duration` field; `stats avg(duration)` then averages it. Option C's `maxpause=15` without a unit means 15 seconds, and `avg(_time)` is meaningless. Option B puts a stats function inside `eval`, which is not valid. Option D's `maxspan` caps total session length rather than inactivity.

89
MCQeasy

A security analyst wants to group all authentication events (e.g., login, logout, failure) that occur within a 10-minute window for each user. The events are from multiple sources and share a common 'user' field. Which transaction command is most appropriate?

A.... | transaction user maxspan=600 maxevents=100
B.... | transaction user maxpause=120
C.... | transaction user maxspan=600 startswith="login" endswith="logout"
D.... | transaction user maxspan=600
AnswerD

Correct: maxspan sets a 10-minute window.

Why this answer

Option D is correct because `maxspan=600` (seconds, that is 10 minutes) bounds the total time window of each transaction and nothing else is required. Option A adds `maxevents=100`, which may truncate busy sessions. Option B uses only `maxpause=120`, which lets a transaction run well past 10 minutes as long as events keep arriving within 2 minutes of each other.

Option C adds `startswith`/`endswith`, which are not required and would drop sessions that have no login or logout event.

90
MCQmedium

An analyst needs to correlate events from two different data sources (web logs and database logs) based on a common session ID. The events occur within a short time window of 5 seconds. Which command is most appropriate?

A.transaction sessionid
B.transaction sessionid maxspan=5s
C.join type=inner sessionid [search index=db]
D.append [search index=db]
AnswerA

Option A is the key: `transaction sessionid` groups events from both sourcetypes that share the session ID, regardless of source. `maxspan=5s` (Option B) is a legitimate tightening, but a 5-second cap can split a session when the two logs' clocks are slightly skewed.

Why this answer

The `transaction` command groups events that share a common field regardless of source or index, which is exactly what is needed here, and it can be constrained with `maxspan` if required. `join` (Option C) needs a subsearch and is subject to subsearch result limits, and `append` (Option D) only concatenates two result sets without correlating them.

91
Multi-Selecteasy

Which two statements about the transaction command are correct? (Choose two.)

Select 2 answers
A.The transaction command automatically adds an 'eventcount' field.
B.The transaction command requires a startswith or endswith parameter.
C.The transaction command can only correlate events within the same sourcetype.
D.The transaction command automatically adds a 'duration' field.
E.The transaction command can be used with events from different indexes.
AnswersA, D

Correct: duration and eventcount are added automatically.

Why this answer

Options A and D are the key: `transaction` adds `duration` (seconds between the first and last event) and `eventcount` (number of events) to every transaction. Option B is false because `startswith`/`endswith` are optional.

Option C is false because `transaction` correlates across sourcetypes. Option E is, as written, also a true statement (the grouping field only has to be present on the events from each index, for example `index=web OR index=db | transaction sessionid`), so only B and C are false; the key keeps A and D as the two statements about the fields the command adds.

92
MCQhard

A large e-commerce company is using Splunk to monitor user sessions across multiple microservices. Each service logs events with a common 'session_id' field. The security team wants to identify sessions where a user performed a 'password_change' action followed by a 'login' from a different IP address within 5 minutes, indicating possible account takeover. The current search uses `transaction session_id startswith=action=login endswith=action=password_change maxspan=10m`. However, the search returns very few results, and the team suspects it is missing many attacks. The logs show that sometimes 'password_change' occurs before 'login' (e.g., password reset then login) and the IP changes are observed across multiple events. The team needs to capture both orderings. Which approach should they take?

A.Use `transaction session_id maxspan=5m` and then filter for sessions that contain both actions
B.Use `transaction session_id startswith=action=password_change endswith=action=login maxspan=5m` in a separate search and append results
C.Keep the current search but increase maxspan to 30m
D.Add both startswith and endswith with OR conditions: `startswith=(action=login OR action=password_change) endswith=(action=login OR action=password_change)`
AnswerA

This captures any order within 5 minutes, then filter for both actions.

Why this answer

The current search captures only one order (login, then password_change) because `startswith` must match the earliest event of a transaction and `endswith` the latest. Using `transaction session_id maxspan=5m` with no boundary conditions groups everything in the session within 5 minutes regardless of order; the transactions can then be filtered for both actions and for more than one IP, for example `| search action=login action=password_change | where mvcount(ip)>1` (`search` matches any value of a multivalue field). Option B also works but costs a second pass over the data. Option C widens the window without removing the order dependency. Option D, even written as quoted search expressions, still makes every transaction start and end at one of the two actions but does not require both to be present.

93
MCQhard

Refer to the exhibit. An analyst sees that the transaction for sessionid 'abc123' has duration 120 seconds and 4 events. The events within this transaction occur at 10:00:00, 10:01:00, 10:02:00, and 10:03:00. Why did the transaction close?

A.The transaction closed because there were only 4 events.
B.The maxpause of 5 minutes was exceeded; there was no event after 10:03:00 for more than 5 minutes.
C.The transaction closed because the maxopentxn limit was reached.
D.The maxspan of 10 minutes was reached.
AnswerB

Correct: maxpause timeout caused closure.

Why this answer

Since maxpause=5m is specified, the transaction closed 5 minutes after the last event (10:03:00) at approximately 10:08:00, but because maxspan is 10m, the 2-minute duration is well under that. The close was due to the inactivity timeout.

94
MCQeasy

A security analyst wants to correlate login events from multiple sources to identify a single user session. The data includes source IP, username, and timestamp. Which Splunk command is most appropriate to group these events into a single transaction based on a common field and a maximum time window?

A.eventstats max(_time) by username
B.transaction username maxspan=30m
C.timechart count by username
D.stats values(username) by sourceip
AnswerB

Correct: Groups events by username with time limit.

Why this answer

Option B is correct because `transaction username maxspan=30m` groups events by `username` within a 30-minute span. Option A (`eventstats`) adds an aggregate field to each event but does not group events, Option C (`timechart`) produces a time series, and Option D (`stats values(username) by sourceip`) aggregates usernames per IP rather than building sessions.

95
MCQhard

A security operations center (SOC) uses Splunk to correlate alerts from multiple sources. They have a rule that triggers a transaction when an IDS alert is followed within 5 minutes by a firewall deny event from the same source IP. The search is: `index=security sourcetype=ids OR sourcetype=firewall | transaction src_ip startswith="ids" endswith="firewall" maxspan=5m`. This works well when the deny event occurs after the alert. However, analysts are missing correlations where the firewall deny event occurs slightly before the IDS alert (up to 1 minute before). To capture these out-of-order events without significantly increasing resource usage, what should the analyst do?

A.Use `reverse` before transaction to process events in reverse time order.
B.Increase maxspan to 6 minutes and add `maxevents=2`.
C.Use `sort` with time dimension and then use `eventstats` to mark pairs.
D.Use `transaction src_ip maxspan=6m` without startswith/endswith and then filter for events with both sourcetypes.
AnswerD

Correct: dropping `startswith`/`endswith` lets the deny and the alert fall in either order; the 6-minute span covers the 1-minute lead, and the transactions are then filtered for both sourcetypes.

Why this answer

Option D is correct. `transaction` orders the events of a transaction chronologically and `startswith` must match the earliest of them, so a transaction that starts at an IDS alert can never contain a firewall deny that happened before that alert; no `maxspan` value changes this, which is why Option B does not help (and `maxevents=2` would additionally truncate any pair that has a third related event). Grouping with `transaction src_ip maxspan=6m` and filtering with `| search sourcetype=ids sourcetype=firewall` keeps only transactions that contain both an alert and a deny within six minutes, in either order; the extra memory is bounded by the span, and `maxevents` can be added if bursts from one IP are a concern. Option A (`reverse`) only changes the order in which `transaction` receives events and makes the results unreliable.

Option C (`sort` plus `eventstats`) marks events but does not build the correlated pair.

96
MCQeasy

A Splunk administrator at a company with 500 employees needs to correlate VPN login events with subsequent network access logs to track user sessions. The VPN logs contain fields: user, src_ip, timestamp, event_type (login or logout). The network logs contain fields: user, dst_ip, timestamp, action (allow or deny). Both logs are indexed daily. The administrator wants to create a search that groups each VPN login with all network access events from that user within the next 8 hours. However, the current search using `transaction user startswith="login" endswith="logout" maxspan=8h` is returning many incomplete transactions where the logout event is missing. What is the most efficient way to improve the correlation without missing sessions?

A.Use a different approach: `... | stats values(*) as * by user, time_bucket | ...` with bucket times.
B.Change to `transaction user maxspan=8h` and remove startswith/endswith.
C.Use `transaction user startswith="login" endswith="logout" maxspan=8h keepevicted=true`.
D.Use `transaction user maxspan=8h maxevents=100` and filter manually.
AnswerC

Correct: keepevicted=true outputs incomplete transactions, including those missing logout.

Why this answer

Option C is correct because adding `keepevicted=true` outputs the incomplete transactions (those that never reached the `logout` end condition) with `closed_txn=0`, so every VPN session is visible, including those where the logout was never recorded. Option A (`stats` with time buckets) does not reconstruct sessions. Option D (`maxevents=100` and manual filtering) still drops sessions without a logout and may truncate busy ones.

Option B (removing `startswith`/`endswith`) would merge every event of the same user within 8 hours, including separate sessions.

97
MCQeasy

A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?

A.transaction startswith="GET" endswith="POST" maxevents=2
B.transaction startswith="POST" endswith="GET"
C.transaction startswith="GET" endswith="POST"
D.transaction by src_ip startswith="GET" endswith="POST"
AnswerC

Correctly sets start and end conditions.

Why this answer

Option C is correct because `transaction startswith="GET" endswith="POST"` groups events into a transaction that begins at a GET request and ends at a POST request, which is the visit definition the question gives; `startswith` and `endswith` mark the boundary events, and the question asks for nothing more. Two practical notes: `transaction` takes its grouping field directly (`transaction clientip startswith=... endswith=...`), `by` being `stats` syntax, and in a real access log you would key the transaction on a client or session field, because without one the requests of every visitor are interleaved into a single stream.

Exam trap

Splunk often tests the misconception that `maxevents` is required to limit transaction size, but here the trap is that candidates add unnecessary constraints (like `maxevents=2` or `by src_ip`) that alter the intended grouping logic, or they reverse the `startswith` and `endswith` values, failing to match the required visit flow.

How to eliminate wrong answers

Option A is wrong because `maxevents=2` artificially limits the transaction to exactly two events, which may exclude intermediate events (e.g., additional GETs, POSTs, or other HTTP methods) that occur between the start and end of a real user visit. Option B is wrong because it reverses the start and end conditions (startswith="POST" endswith="GET"), which would group transactions that begin with a POST and end with a GET, the opposite of the required user visit flow. Option D is wrong because adding `by src_ip` groups transactions per source IP, which is unnecessary for the basic logic and could cause transactions to be split incorrectly if the same user visit spans multiple IPs (e.g., due to NAT or proxy) or if multiple users share the same IP.

98
MCQeasy

Refer to the exhibit. The search returns no transactions even though there are login and logout events in the index. What is the most likely cause?

A.The maxpause value is too short.
B.The startswith and endswith options are misspelled.
C.The sourcetype is incorrect.
D.The transaction command may be timing out due to large data volume.
AnswerD

Without limiting fields, the transaction may consume too much memory, causing the search to be killed.

Why this answer

Option D is correct: the exhibit's search has no `fields` command, so `transaction` carries every field of every event and can exceed the search's memory limits, in which case the search is terminated or returns nothing. Option A is false because the `maxpause` shown is reasonable. Option B is false because the syntax is correct.

Option C is false because the sourcetype is present. The practical check is the job inspector's search log for a `transaction` memory or limits message; the fix is `| fields <key fields> | transaction ...`.

99
MCQhard

A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search: `index=transactions sourcetype=payment amount<50 | transaction user_id maxspan=1h | where sum(amount) > 200` This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?

A.The `amount<50` filter is applied before the transaction, which excludes amounts exactly $50.
B.The search lacks a `fields` command to include `user_id`, so the transaction fails.
C.The `maxspan=1h` is too short; users might spread transactions over more than 1 hour.
D.The `where sum(amount) > 200` does not work as expected because `sum()` is not an aggregation function in that context; you need to use `stats sum(amount)` or `eval total=mvsum(amount)` first.
AnswerD

`sum()` is a stats aggregation, not an eval function, so it cannot be used inside `where`; the transaction's `amount` values form a multivalue field that must be totalled with `mvsum()`.

Why this answer

Option D is correct because `transaction` leaves `amount` as a multivalue field holding the amounts of the grouped events, and `where` evaluates an eval expression in which `sum()` does not exist; `where sum(amount) > 200` therefore errors out or evaluates to null, and nothing is returned. The fix is `| eval total=mvsum(amount) | where total > 200`, or `stats sum(amount) as total by user_id` in place of `transaction`. One further caveat for this use case: by default (`mvlist=false`) `transaction` keeps only the unique values of each multivalue field, so five identical $10 charges collapse to a single 10 before `mvsum()` runs. Use `mvlist=true` (or `mvlist=amount`) so that every event's amount is kept.

Exam trap

The trap is assuming that stats-style aggregation works inside a `where` clause. After `transaction` a total has to come from an explicit multivalue function such as `mvsum()`, and `mvlist=true` is needed whenever repeated identical amounts must all count.

How to eliminate wrong answers

Option A is wrong because the `amount<50` filter correctly excludes transactions of exactly $50, but the problem states the search returns no results even though patterns exist; the issue is not about boundary values. Option B is wrong because the `transaction` command automatically groups events by `user_id` and retains all fields from the original events; no `fields` command is needed to include `user_id`. Option C is wrong because the search explicitly looks for patterns within a 1-hour window, and the problem confirms such patterns exist; the `maxspan=1h` is not the cause of zero results.

100
MCQhard

A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?

A.`transaction user,ip,action maxspan=10m`
B.`transaction user maxspan=10m`
C.`transaction user maxpause=30s`
D.`transaction user mvcount=3`
AnswerB

Groups by user within a 10-minute window, allowing the sequence to be verified later.

Why this answer

Option B is correct because `transaction user maxspan=10m` groups each user's events within a 10-minute window, which is the grouping the question asks for. Note that `transaction` does not enforce the order of the three actions; it only groups events that share `user` and fall inside the span. Order can be partially enforced with `startswith="action=login" endswith="action=file_access"` for the first and last steps, or checked afterwards; a `stats` search that records the earliest time of each action per user (`min(eval(if(action="login",_time,null()))) as t_login`, and likewise for the other steps) and compares them in `where` is the scalable way to test the full sequence.

Exam trap

Splunk often tests the misconception that `transaction` requires all specified fields to match exactly, leading candidates to include `action` in the transaction fields, which would incorrectly split the three different actions into separate transactions.

How to eliminate wrong answers

Option A is wrong because including `ip` and `action` in the `transaction` field list means only events that share the same `ip` and the same `action` are grouped, which would separate the three different actions (login, privilege escalation, file access) into different transactions. Option C is wrong because `maxpause=30s` limits the idle time between consecutive events but does not bound the total duration; the pattern requires all three events within 10 minutes, not merely 30 seconds between them. Option D is wrong because `mvcount` is not a `transaction` option; it is an eval function that counts the values of a multivalue field, usable after the transaction (`| where mvcount(action)=3`).
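Items 83, 92, 95, 99 and 100 all point at the same pattern: when the correlation only needs per-key facts (the time of each step, the set of IPs, a running total), a stats-style aggregation by the key is cheaper than transaction and does not depend on event order, which is what makes either ordering of two actions (92), a deny that precedes its alert (95) and a strictly ordered chain (100) straightforward. The Python below is an added example written for this page, not Splunk code; each function does in plain Python what the corresponding `stats ... by <key> | where ...` would do in SPL (the SPL shapes named in the docstrings are the assumed equivalents). Events are constructed, and the 1-hour window in card_testers is a sliding window rather than the fixed `bin` buckets a stats search would normally use.

```python
"""Added example for this page (not Splunk code): the stats-style alternative to
`transaction` from item 83, applied to the correlations of items 92, 95, 99 and
100.  Each function does in Python what `stats ... by <key> | where ...` would do
in SPL; nothing depends on event order, so either ordering of two actions, a deny
that precedes its alert, and a strictly ordered chain are all direct tests."""

from collections import defaultdict

# Constructed sample events (epoch seconds from an arbitrary T0), not real logs.
T0 = 1_700_000_000
MICRO = [  # item 92: microservice events keyed on session_id
    {"_time": T0, "session_id": "S1", "action": "password_change", "ip": "198.51.100.4"},
    {"_time": T0 + 120, "session_id": "S1", "action": "login", "ip": "203.0.113.8"},
    {"_time": T0, "session_id": "S2", "action": "login", "ip": "198.51.100.5"},
    {"_time": T0 + 60, "session_id": "S2", "action": "password_change", "ip": "198.51.100.5"},
    {"_time": T0, "session_id": "S3", "action": "login", "ip": "198.51.100.6"},
    {"_time": T0 + 900, "session_id": "S3", "action": "password_change", "ip": "203.0.113.9"},
]
SEC = [  # item 95: IDS alerts and firewall denies keyed on src_ip
    {"_time": T0, "src_ip": "203.0.113.20", "sourcetype": "ids"},
    {"_time": T0 + 200, "src_ip": "203.0.113.20", "sourcetype": "firewall"},
    {"_time": T0 + 100, "src_ip": "203.0.113.21", "sourcetype": "ids"},
    {"_time": T0 + 50, "src_ip": "203.0.113.21", "sourcetype": "firewall"},  # 50 s before the alert
    {"_time": T0 + 100, "src_ip": "203.0.113.22", "sourcetype": "ids"},
    {"_time": T0, "src_ip": "203.0.113.22", "sourcetype": "firewall"},       # 100 s before: too early
]
PAY = ([{"_time": T0 + 600 * i, "user_id": "u1", "amount": 45} for i in range(5)]    # 225 in 40 min
       + [{"_time": T0 + 1800 * i, "user_id": "u2", "amount": 45} for i in range(5)])  # 225 over 2 h
ATTACK = [  # item 100: three-step chain keyed on user; "mal" has the steps out of order
    {"_time": T0, "user": "eve", "action": "login"},
    {"_time": T0 + 300, "user": "eve", "action": "priv_esc"},
    {"_time": T0 + 500, "user": "eve", "action": "file_access"},
    {"_time": T0, "user": "mal", "action": "file_access"},
    {"_time": T0 + 100, "user": "mal", "action": "login"},
    {"_time": T0 + 200, "user": "mal", "action": "priv_esc"},
]


def group_by(events, key):
    """`... by <key>`: bucket events per key value; events without the key are dropped."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get(key) is not None:
            groups[ev[key]].append(ev)
    return groups


def first_after(evs, field, value, after=None):
    """Earliest _time with field==value, optionally strictly after `after`:
    the equivalent of `min(eval(if(field=="value", _time, null())))` in stats."""
    times = [e["_time"] for e in evs
             if e.get(field) == value and (after is None or e["_time"] > after)]
    return min(times) if times else None


def account_takeovers(events=MICRO, window=300):
    """Item 92: password_change and login in either order within 5 min, from more than one IP."""
    hits = []
    for sid, evs in group_by(events, "session_id").items():
        t_pw = first_after(evs, "action", "password_change")
        t_login = first_after(evs, "action", "login")
        if (t_pw is not None and t_login is not None and abs(t_login - t_pw) <= window
                and len({e["ip"] for e in evs}) > 1):
            hits.append(sid)
    return sorted(hits)


def alert_then_deny(events=SEC, after=300, before=60):
    """Item 95: a firewall deny from `before` s before an IDS alert to `after` s after it."""
    hits = []
    for ip, evs in group_by(events, "src_ip").items():
        alerts = [e["_time"] for e in evs if e["sourcetype"] == "ids"]
        denies = [e["_time"] for e in evs if e["sourcetype"] == "firewall"]
        if any(-before <= d - a <= after for a in alerts for d in denies):
            hits.append(ip)
    return sorted(hits)


def card_testers(events=PAY, max_amount=50, total=200, window=3600):
    """Item 99: payments under max_amount summing above `total` inside any sliding window."""
    hits = []
    for uid, evs in group_by(events, "user_id").items():
        pts = sorted((e["_time"], e["amount"]) for e in evs if e["amount"] < max_amount)
        lo, running = 0, 0
        for t, amt in pts:
            running += amt
            while pts[lo][0] < t - window:      # drop payments older than the window
                running -= pts[lo][1]
                lo += 1
            if running > total:
                hits.append(uid)
                break
    return sorted(hits)


def ordered_attack_chain(events=ATTACK, window=600):
    """Item 100: login, then priv_esc, then file_access, in that order, within 10 min."""
    hits = []
    for user, evs in group_by(events, "user").items():
        t1 = first_after(evs, "action", "login")
        t2 = first_after(evs, "action", "priv_esc", after=t1) if t1 is not None else None
        t3 = first_after(evs, "action", "file_access", after=t2) if t2 is not None else None
        if t3 is not None and t3 - t1 <= window:
            hits.append(user)
    return sorted(hits)
```

Session S2 changes the password and logs in from the same IP, and S3 is 15 minutes apart, so only S1 is flagged; the deny 50 seconds before the alert for 203.0.113.21 is caught and the one 100 seconds early is not; u2 spreads the same five $45 payments over two hours and stays below the threshold in every window; "mal" performs all three actions but in the wrong order, which the chain test rejects and a transaction alone would not.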

101
MCQeasy

A Splunk admin wants to group events that share a common `session_id` field. Events arrive out of order. Which transaction field will automatically sort events correctly?

A.sort=_time
B.Use option `timeordered=true`
C.transaction automatically sorts by time
D.No sorting needed; events are indexed in order
AnswerC

transaction groups and orders events by _time within each group.

Why this answer

Option C is correct because `transaction` orders events by `_time` within each transaction, so events that were indexed late or out of order are still grouped correctly as long as the search delivers them in time order, which a plain search does. Option A (`sort`) is a separate command, not a transaction option, and is needed only when an earlier command has reordered the results. Option B (`timeordered`) is not a valid option.

Option D is wrong because index order is not guaranteed to match event time.

102
MCQmedium

An analyst needs to correlate events from a web server log and an application log to identify failed login attempts followed within 5 seconds by an error event. The events share a common session ID field. Which approach should the analyst use?

A.Use `transaction sessionID maxspan=5s` to group events by session ID within 5 seconds
B.Use `append` to combine the two sourcetypes and then `search` for the pattern
C.Use `eventstats` to compute counts by sessionID and then filter
D.Use `stats` with values() and a by clause on sessionID
AnswerA

Transaction groups events sharing the sessionID field and limits the span to 5 seconds, allowing pattern detection.

Why this answer

The `transaction` command is designed to group related events based on shared field values (sessionID) within a specified time boundary (maxspan=5s). This allows the analyst to correlate web server and application log events that share the same session ID and occur within 5 seconds, making it straightforward to identify failed login attempts followed by an error event.

Exam trap

Splunk often tests the misconception that `stats` or `eventstats` can perform event correlation, but these commands aggregate data and lose the individual event sequence required for time-ordered correlation within a specific window.

How to eliminate wrong answers

Option B is wrong because `append` simply concatenates results from two searches without any correlation logic; it does not group events by session ID or enforce a time window. Option C is wrong because `eventstats` computes aggregate statistics (like counts) but does not group individual events into transactions or enforce a 5-second span. Option D is wrong because `stats` with `values()` and a `by` clause aggregates field values per session ID but loses the individual event sequence and time ordering needed to detect a failed login followed by an error within 5 seconds.

103
MCQeasy

Refer to the exhibit. What is the purpose of the 'maxpause=5m' parameter in this search?

A.It limits the number of events in a transaction to 5.
B.It limits the total time span of each transaction to 5 minutes.
C.It pauses the search for 5 minutes between transactions.
D.It closes the transaction if there is no new event from the same clientip within 5 minutes.
AnswerD

Correct: maxpause is the inactivity timeout.

Why this answer

maxpause sets the inactivity timeout: if no new event from the same clientip arrives within 5 minutes, the transaction is closed.

104
MCQhard

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

A.The transaction should group by user instead of src.
B.The case statement does not set stage for events that don't match either pattern.
C.The mvcount(stage) condition is incorrectly checking for >2 and >=2 simultaneously.
D.The `search stage="*"` command is filtering out all transactions because stage is a multivalue field.
AnswerD

Searching stage="*" does not match multivalue fields; it matches a literal asterisk. Use `where isnotnull(stage)` instead.

Why this answer

The `search stage="*"` command filters out all transactions because `stage` is a multivalue field created by the `transaction` command. In Splunk, a multivalue field cannot be matched with a simple wildcard search like `stage="*"`; this search only returns events where `stage` is a single literal asterisk. To search for any value in a multivalue field, you must use `mvcount(stage)>0` or `search stage=*` (without quotes).

Exam trap

Splunk often tests the subtle difference between `field="*"` (literal asterisk) and `field=*` (wildcard) in the context of multivalue fields, tricking candidates into thinking a quoted wildcard works the same as an unquoted one.

How to eliminate wrong answers

Option A is wrong because the search already groups by `src` (source IP), which is the correct field for detecting brute-force attacks from the same IP; grouping by `user` would miss attacks where the same IP tries multiple usernames. Option B is wrong because the `case` statement does set `stage` for events that match either pattern (failed or successful login), and events that don't match either pattern are irrelevant to the attack detection and can be ignored. Option C is wrong because `mvcount(stage)>2` and `mvcount(stage)>=2` are not mutually exclusive; the condition `mvcount(stage)>2 AND mvcount(stage)>=2` is redundant but not logically incorrect—it would still match transactions with 3 or more events, but the real issue is that the preceding `search` command eliminates all transactions before this condition is evaluated.

105
MCQeasy

A security analyst wants to group all events from a single web session into one transaction. The session is identified by a 'sessionId' field, and events are generated over a period that can last up to 30 minutes. The analyst also wants to close the transaction if there is no activity for more than 10 minutes. Which transaction parameters should be used?

A.maxspan=30m, maxpause=5m
B.maxspan=10m, maxpause=30m
C.maxspan=1h, maxpause=10m
D.maxspan=30m, maxpause=10m
AnswerD

Correctly sets total duration and inactivity timeout.

Why this answer

The maxspan parameter sets the maximum total duration of the transaction, while maxpause sets the inactivity timeout. Option D correctly specifies maxspan=30m and maxpause=10m.

106
Multi-Selectmedium

Which TWO statements correctly describe the behavior of the transaction command in Splunk?

Select 2 answers
A.It is not recommended for use with large datasets because it consumes too much memory.
B.It merges all fields from all events into a single event, with the last event's field value taking precedence.
C.It can concatenate the raw text of all events in the transaction into a single event.
D.It automatically calculates the duration of each transaction as the difference between the first and last event timestamps.
E.It can close a transaction based on a change in a specific field value or after a specified timeout.
AnswersC, E

The transaction command can combine raw event text from all related events into one event.

Why this answer

Option C is correct because the transaction command can be configured with the `mvraw` option to concatenate the raw text of all events in the transaction into a single event. This is useful when you need to preserve the full log lines of a correlated sequence, such as a multi-step user session or a series of API calls.

Exam trap

The trap here is that candidates often confuse the transaction command's field merging behavior (which creates multivalue fields) with the `stats values()` function, or assume duration is automatically calculated without the `duration` option, leading them to select option B or D incorrectly.

107
MCQmedium

A Splunk user wants to correlate events from different sourcetypes (web_access, app_log) that belong to the same user session identified by session_id. The events should be grouped only if they occur within 30 minutes of each other, and each transaction should contain at least one event from each sourcetype. Which SPL construct should they use?

A.`append [search sourcetype=app_log]` then sort by session_id
B.`transaction session_id maxspan=30m`
C.`sourcetype=web_access OR sourcetype=app_log | eval session=session_id` then `stats values(*) as * by session`
D.`join type=inner session_id [search sourcetype=app_log]` after a search on web_access
AnswerB

Transaction groups events by session_id within 30 minutes, fulfilling both requirements.

Why this answer

The `transaction` command groups events that share a common field (`session_id`) and allows you to set constraints like `maxspan=30m` to limit the time window between the first and last event in the transaction. By default, `transaction` requires at least one event from each sourcetype present in the search, which satisfies the requirement that each transaction contains at least one event from both `web_access` and `app_log`. This is the correct construct for correlating events across sourcetypes with a time-bound grouping.

Exam trap

Splunk often tests the distinction between `transaction` and `stats` or `join`; the trap here is that candidates mistakenly think `stats` can group events with time constraints, but `stats` lacks the ability to enforce a `maxspan` or require events from multiple sourcetypes within the same group.

How to eliminate wrong answers

Option A is wrong because `append` simply adds results from a second search to the main results without any grouping or correlation logic; it does not group events by session_id or enforce a 30-minute span. Option C is wrong because `stats values(*) as * by session` aggregates all fields into multivalue lists but does not enforce a time window or require that each group contains events from both sourcetypes; it also renames fields in a way that loses sourcetype context. Option D is wrong because `join type=inner` on `session_id` performs a field-based join that requires exact matches on the session_id field, but it does not impose a 30-minute time constraint and does not group events into a single transaction; it merely pairs matching events row-by-row.

108
MCQeasy

A security team needs to group login events for the same user within a 5-minute window. Which transaction option should be used to limit the time between consecutive events?

A.maxspan
B.maxpause
C.startswith
D.endswith
AnswerB

maxpause limits the idle time between events in a transaction.

Why this answer

Option B is correct because maxpause sets the maximum time between consecutive events in a transaction. Option A (maxspan) sets the total transaction duration, not the pause duration. Option C (startswith) defines the start condition, and Option D (endswith) defines the end condition.

109
Multi-Selecthard

Which TWO of the following are valid reasons to use transaction instead of stats for event correlation?

Select 2 answers
A.When you need to preserve the full events for each group.
B.When working with very large datasets.
C.When you need to enforce a time window between events.
D.When you need faster search performance.
E.When events come from different sourcetypes.
AnswersA, C

transaction returns all original events within each group.

Why this answer

Options A and C are correct. transaction preserves raw event data and allows time-bound grouping. Option B is false because stats is better for large datasets. Option D is false because stats is faster. Option E is false because transaction cannot correlate across different sourcetypes without additional fields.

110
MCQhard

Refer to the exhibit. An analyst runs the above search to test transaction behavior. What is the likely result?

A.One transaction with 5 events, avg duration ~50s
B.One transaction with 5 events, avg duration ~10s
C.Multiple transactions, each with fewer events, avg duration less than 10s
D.No transactions created because events are out of order
AnswerC

Events spread beyond 10s window will form separate transactions, each short.

Why this answer

Option C is correct because maxspan=10s limits the total time window; with random timestamps spread over up to 100 seconds, most events will not fit within a 10-second window, so the events are split into multiple transactions and avg(duration) will be small. Option A is wrong because not all 5 events land in one transaction. Option B is wrong because duration is not constant. Option D is wrong because transactions are still created; they are just split.

111
MCQmedium

A large e-commerce site logs all user page views and purchases. Each event contains user_id, session_id, timestamp, and event_type (view or purchase). The marketing team wants to analyze the sequence of views that lead to a purchase. They use `transaction session_id startswith="view" endswith="purchase" maxspan=1h`. However, they find that some transactions are missing purchase events because the purchase occurs after 1 hour, or sometimes multiple purchases occur within the same session. To include all related events and correctly identify the sequence leading to each purchase, what is the best approach?

A.Use `stats list(event_type) by session_id` with time sorting to reconstruct the sequence.
B.Use `transaction session_id startswith="view" endswith="purchase" maxspan=1h keepevicted=true` to see partial sequences.
C.Increase maxspan to 24h to capture all potential purchases.
D.Use `transaction user_id maxspan=1h` without startswith/endswith to group all events.
AnswerA

Correct: stats list maintains event order per session and naturally handles multiple purchases and any time span.

Why this answer

Option A is correct because using `stats list(event_type) by session_id` after sorting on timestamp preserves the order of events and handles multiple purchases and variable time spans without the limitations of transaction. Option C (increase maxspan to 24h) would still break on multiple purchases and increase memory usage. Option D (group by user_id) loses the session distinction and may merge separate sessions. Option B (keepevicted=true) still requires a start and an end for each purchase and misses cases where the purchase occurs after the window.

112
MCQmedium

A search uses `transaction` with wildcard fields (e.g., `*id`), causing poor performance. What is the best practice to optimize this?

A.Specify exact field names instead of wildcards
B.Use `transaction *id, nullif=null`
C.Increase maxopentxn in limits.conf
D.Replace transaction with stats
AnswerA

Transaction matches fields exactly; wildcards slow down because Splunk must evaluate multiple fields.

Why this answer

Option A is correct because using specific field names improves performance by avoiding wildcard matching. Option C (increasing limits) does not address the wildcard inefficiency. Option D (replacing transaction with stats) might help but changes the approach. Option B (`nullif=null`) is not a valid transaction option.

113
Drag & Dropmedium

Order the steps to set up a data input for monitoring a log file in Splunk.


Why this order

Adding a file monitor involves selecting the input type, specifying the file, and configuring source type and index.

114
MCQeasy

A search uses transaction to group login and logout events. What happens if a user has multiple logins before logging out?

A.The search will fail due to overlapping transactions.
B.The transaction will include the first login and all events until the first logout.
C.It will create multiple transactions for each login.
D.It will ignore the first login and start at the last login.
AnswerB

startswith begins at the first match, ends at first endswith after that.

Why this answer

Option B is correct because transaction with startswith/endswith groups from the first start to the first end; subsequent start events are ignored if the end has not yet been reached. Option C is false because transaction does not create a separate group for each login. Option D is false because the first start is used. Option A is false because overlapping starts do not make the search fail; maxpause may cause eviction, but not necessarily.

115
Multi-Selectmedium

Which TWO options can be used with the `transaction` command to control how many events are included in a single transaction?

Select 2 answers
A.mvcount
B.maxspan
C.maxpause
D.keepevicted
E.maxevents
AnswersB, E

Indirectly limits events by time.

Why this answer

maxevents limits the number of events per transaction. maxspan limits the time span, indirectly limiting events. maxpause limits the pause between events.

116
Multi-Selecteasy

Which TWO of the following are limitations of the transaction command in Splunk?

Select 2 answers
A.It cannot be used inside an eval statement.
B.It only works with indexed fields.
C.It defaults to a maximum of 1000 events per transaction.
D.It cannot correlate events from multiple sourcetypes.
E.It can consume significant memory and processing resources.
AnswersC, E

The default maxevents is 1000.

Why this answer

Option C is correct because the transaction command defaults to a maximum of 1000 events per transaction. If a transaction exceeds this limit, Splunk will close the transaction and start a new one, which can lead to incomplete or unexpected results. This limit can be increased using the maxevents argument, but it is a key constraint to be aware of when correlating large sequences of events.

Exam trap

The trap here is that candidates often assume the transaction command can only use indexed fields or cannot cross sourcetypes, but Splunk's transaction command is flexible with any search-time field and can correlate across multiple sourcetypes, making options B and D common distractors.

117
MCQhard

A large enterprise runs Splunk Enterprise with 500 servers forwarding Windows security logs. The security team wants to correlate failed logins (EventCode 4625) with subsequent successful logins (EventCode 4624) from the same source IP within a 5-minute window. They currently use the following search: `index=windows sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | transaction src_ip maxpause=5m | search EventCode=4625 AND EventCode=4624`. This search is extremely slow and often times out. Which approach would improve performance while maintaining the same correlation logic?

A.Use the append command to combine the two event types after separate searches.
B.Add maxevents=1000 to the transaction command to limit event count.
C.Increase maxpause to 10 minutes to allow more events per transaction.
D.Replace transaction with a combination of stats and where that groups by src_ip and then filters for pairs.
AnswerD

Using stats with values and where reduces memory overhead and improves performance.

Why this answer

Option D is correct because using stats with values and filtering with where is less resource-intensive than transaction. Transaction holds all events in memory until the transaction closes, which is especially problematic with many events. Stats operates as a streaming command and uses less memory.

Option C is incorrect because increasing maxpause would allow more events per transaction, making performance worse. Option A is incorrect because append does not correlate events by source IP; it simply combines results. Option B is incorrect because the default maxevents is already 1000, so adding it would not help if the transaction is timing out due to memory or time limits.

118
MCQeasy

When using the transaction command to group events, which field is automatically added to the event to indicate the start time of the transaction?

A._time
B.duration
C.None, the transaction command does not add such a field.
D._starttime
AnswerD

Correct: transaction adds _starttime field.

Why this answer

Transaction adds _starttime, _endtime, duration, and eventcount fields. _starttime represents the timestamp of the first event in the transaction.

119
MCQhard

A team wants to correlate events from different sourcetypes (web, db) on a common `sessionid`. They use `transaction sessionid` across both sourcetypes. The results show that some transactions are missing events. What is the most likely cause?

A.The search is running at 'info' level instead of 'verbose'
B.Timestamps from different sourcetypes are misaligned
C.maxevents is set too low
D.sessionid field has different names in each sourcetype
AnswerB

Transaction relies on _time; if timestamps are inconsistent, events fall outside the transaction window.

Why this answer

Option B is correct because sourcetypes may have different timestamp formats or time zones, causing events to be sorted out of the transaction window. Option C (maxevents) would truncate transactions but not miss events. Option D (field name) is unlikely. Option A (search mode) is not relevant.

120
MCQhard

A large e-commerce company uses Splunk to analyze customer purchase funnels. Their environment includes 10 indexers and a search head cluster. They have a search that runs every 5 minutes to correlate events from web logs, order logs, and payment logs using the `transaction` command on a common `order_id` field. The search uses `transaction order_id maxevents=50 maxspan=30m`. Recently, users have reported that some orders are missing from the results, especially for high-volume periods. The team also notices that dashboard searches often timeout. They suspect the transaction command is the bottleneck. Upon examining the search, they see that the web logs alone generate hundreds of events per order. Which course of action would best address the missing orders and performance issues?

A.Increase maxevents to 200 and increase search timeout
B.Remove maxpause and set maxspan to 60m
C.Reduce maxevents to 10 to limit resource usage
D.Replace transaction with stats by order_id, using list() for relevant fields and evaluating event order separately
AnswerD

Using stats is more memory-efficient and does not have maxevents limits; it can aggregate all events per order without eviction, and performance improves because it avoids the overhead of tracking open transactions.

Why this answer

Option D is correct because replacing transaction with stats by order_id, using list() for the relevant fields and evaluating event order separately, groups fields without holding open transactions, improving performance and avoiding evictions. The missing orders are caused by maxevents being reached, a limit stats does not have, so this change addresses both the missing orders and the performance issues.

Option A would still risk evictions for orders with more than 50 events and increases memory use. Option B could keep transactions open longer without fixing the missing orders. Option C would close transactions prematurely for orders with many events, causing more missing data.

121
MCQeasy

Refer to the exhibit. A Splunk user runs the search shown. The search returns results, but the user notices that some clientip values appear multiple times in the stats output, even though they should have been grouped into a single transaction. What is the most likely reason for this?

A.The sourcetype filter is excluding some events.
B.The stats command is not correctly summing the counts.
C.The maxspan is too short to capture all events for each clientip.
D.The maxevents option prevents more than 5 events from being grouped into one transaction, so additional events form separate transactions.
AnswerD

maxevents=5 limits the number of events per transaction, causing fragmentation.

Why this answer

Option D is correct because the `transaction` command's `maxevents` option limits the maximum number of events that can be grouped into a single transaction. When more than 5 events exist for a given `clientip`, the extra events cannot be included in the first transaction and instead form separate transactions, causing the same `clientip` to appear multiple times in the `stats` output.

Exam trap

The trap here is that candidates often assume `maxevents` only limits the number of events per transaction but forget that exceeding this limit causes the creation of additional transactions for the same grouping field, leading to duplicate identifiers in aggregated output.

How to eliminate wrong answers

Option A is wrong because the sourcetype filter is not excluding events; the search returns results, so all relevant events are present. Option B is wrong because the `stats` command correctly sums counts; the issue is that multiple transactions are created for the same `clientip`, not a miscalculation. Option C is wrong because the `maxspan` is not mentioned in the search; the problem is caused by `maxevents=5`, not by a time-based constraint.

122
Multi-Selectmedium

Which TWO of the following are valid ways to correlate events without using the transaction command?

Select 2 answers
A.Using append to combine events from two searches
B.Using join to merge events on transactionID
C.Using sort to order events by transactionID
D.Using eventstats to compute counts per transactionID
E.Using stats ... by transactionID
AnswersD, E

eventstats adds aggregate values to each event, linking them.

Why this answer

Options D and E are correct. stats can group events by common fields, and eventstats can add aggregated values per event. streamstats is also possible but not listed; join and append are not correlation methods.

123
MCQeasy

An analyst runs `sourcetype=access_combined | transaction clientip` and notices many single-event transactions. Which option would help close transactions more accurately?

A.Add `endswith="status=200"`
B.Increase maxpause to 1 hour
C.Do nothing; single events are fine
D.Set closedelay=10
AnswerA

endswith ensures transaction closes when a logout or end event occurs.

Why this answer

Option A is correct because adding `endswith` defines when a transaction should close, reducing spurious single-event transactions (e.g., a 200 status often indicates the end of a request sequence). Option B (maxpause) might help but is less targeted. Option D (closedelay) is not a valid option. Option C (do nothing) does not help.

124
MCQhard

A Splunk administrator is correlating events from two sourcetypes using transaction with startswith and endswith. The transaction rarely matches events even though they exist. What is the most likely cause?

A.The maxpause value is too high.
B.Events from the two sourcetypes are not in chronological order.
C.The fields option is missing.
D.The startswith and endswith patterns are too broad.
AnswerB

Events must be sorted by time; if sourcetypes have different timestamps, transaction may fail to correlate.

Why this answer

Option B is correct because transaction requires events to be in chronological order within the same index and host by default. If events are out of order, they will not be matched. Options A and D are plausible but less common; option C is false.

125
MCQmedium

An analyst uses transaction to group web requests by session_id. Some transactions are unexpectedly large, containing hundreds of events. What parameter should be adjusted to limit the number of events per transaction?

A.maxspan
B.maxpause
C.mvcount
D.maxevents
AnswerD

Correct: maxevents caps the number of events per transaction.

Why this answer

Option D is correct because maxevents limits the number of events in a transaction. Option A (maxspan) limits time, not count. Option B (maxpause) limits idle time. Option C (mvcount) counts multivalue field values, not events.

