CCNA Transactions Event Correlation Questions

75 of 125 questions · Page 1/2 · Transactions Event Correlation topic · Answers revealed

1
Multi-Select · hard

In a Splunk environment, an analyst is using the transaction command to group events from different sources. Which THREE factors are most important to consider when designing the transaction search for optimal performance? (Choose three.)

Select 3 answers
A. Use the 'mvlist' option to store multiple values.
B. Use a large maxevents value to ensure all events are captured.
C. Apply efficient search-time field extractions to avoid using the transaction command across unindexed fields.
D. Limit the time range of the search using maxspan.
E. Use fields with low cardinality for grouping.
Answers: C, D, E

Correct: Improves search performance.

Why this answer

Options C, D, and E are correct. Low-cardinality fields reduce the number of open transactions, maxspan narrows the time window, and efficient field extractions avoid heavy operations. Option B (a large maxevents) hurts performance, and Option A (mvlist) is not a standard option.

2
MCQ · easy

An analyst wants to ensure that a transaction is only considered complete when it contains a specific end event. Which transaction parameter should be used?

A. startswith
B. endswith
C. maxpause
D. maxspan
Answer: B

Correct: endswith specifies the closing event.

Why this answer

Option B is correct because endswith defines the event that closes a transaction. Option A (startswith) defines the start event. Option D (maxspan) bounds total time. Option C (maxpause) bounds idle time.

3
MCQ · medium

A Splunk administrator is tuning a dashboard that uses `transaction` to correlate web server events. The dashboard frequently times out. The admin reviews the search and sees `transaction client_ip maxspan=1h maxpause=30m`. The dataset contains about 10 million events per hour. The admin suspects that the transaction is causing the timeout. Which action should they take to improve performance while still achieving the grouping?

A. Replace transaction with streamstats to create a session ID, then use stats to aggregate
B. Add `maxevents=100` to limit events per transaction
C. Reduce maxspan to 15m and maxpause to 5m
D. Increase the search job concurrency
Answer: A

streamstats can process events sequentially and assign IDs, then stats can group without the full overhead of transaction.

Why this answer

The current transaction has generous limits. Using `transaction` on a large dataset is memory-intensive. A better approach is to pre-aggregate using `stats` or to use `streamstats` to compute session boundaries.

Option A is the most practical: use `streamstats` to assign session IDs and then `stats` to group, which is more efficient.

4
Multi-Select · hard

Which THREE of the following are valid use cases for the `transaction` command in Splunk?

Select 3 answers
A. Identifying a sequence of events that indicate a brute-force attack (multiple failed logins followed by a success).
B. Generating an alert when a transaction contains more than five events.
C. Grouping all events from a single user session across multiple web servers into one transaction.
D. Enriching events with external data from a CSV file based on a common key.
E. Correlating a customer's browsing activity with a subsequent purchase event to calculate conversion rate.
Answers: A, C, E

Transaction can group events by user and then you can search for the pattern.

Why this answer

Option A is correct because the `transaction` command groups related events into a single transaction based on common fields and temporal constraints. In this case, it can group multiple failed login events followed by a successful login for the same user, which is a classic indicator of a brute-force attack. The command allows you to set `maxspan` and `maxpause` to define the time window and gap between events, making it ideal for detecting such sequences.

Exam trap

The trap here is that candidates confuse the `transaction` command with other commands like `stats` or `lookup`, or mistakenly think it can directly trigger alerts, when in fact it only creates transaction objects that can then be used in alerts or further processing.

5
Multi-Select · easy

Which TWO statements about the 'transaction' command are true? (Choose two.)

Select 2 answers
A. The 'transaction' command cannot be used with the 'stats' command.
B. The 'transaction' command only works on indexed fields.
C. The 'transaction' command can include events from multiple sourcetypes.
D. The 'transaction' command groups events based on common field values and time proximity.
E. The 'transaction' command requires all events to be from the same host.
Answers: C, D

Correct: Events from different sourcetypes can be grouped.

Why this answer

Options C and D are correct. Transaction groups events by common field values and time proximity, and it can include multiple sourcetypes. Option E is false (transaction does not require the same host), Option A is false (it can be used with stats), and Option B is false (it works on any field, not only indexed fields).

6
MCQ · medium

An analyst runs the following search to correlate login and logout events: `index=auth | transaction user startswith="LOGIN" endswith="LOGOUT"`. However, some transactions span over 24 hours. Which option should be added to limit each transaction to a maximum of 8 hours?

A. maxevents=10
B. duration=8h
C. maxpause=8h
D. maxspan=8h
Answer: D

maxspan restricts the transaction to an 8-hour window.

Why this answer

Option D is correct because maxspan=8h limits the total time window of the transaction to 8 hours. Option C (maxpause) limits inactivity, not total duration. Option A (maxevents) limits the event count. Option B (duration) is not a valid transaction option.

7
Multi-Select · medium

Which TWO options are valid parameters of the `transaction` command?

Select 2 answers
A. timeformat
B. maxpause
C. sequential
D. keepevicted
E. fieldlist
Answers: B, D

maxpause defines maximum pause between events.

Why this answer

Correct options: B (maxpause) and D (keepevicted). Option A (timeformat) is for time parsing, not transaction. Option E (fieldlist) is not a parameter; fields are given as arguments. Option C (sequential) is not a parameter.

8
MCQ · hard

A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?

A. transaction by transaction_id
B. transaction by sourcetype transaction_id
C. transaction maxspan=1d by transaction_id
D. transaction startswith=* endswith=* by transaction_id
Answer: A

Correctly groups by the common field without time limits.

Why this answer

Option A is correct because the `transaction` command with `by transaction_id` groups all events sharing the same `transaction_id` field value into a single transaction, with no default time constraints. This matches the requirement to correlate events across `web_access`, `auth_log`, and `app_log` sourcetypes without any time window restrictions.

Exam trap

The trap here is that candidates often add unnecessary time constraints (like `maxspan=1d`) or marker arguments (`startswith`/`endswith`) when the requirement explicitly states no time constraints, or they incorrectly include `sourcetype` in the `by` clause, which would split transactions across sourcetypes instead of grouping them.

How to eliminate wrong answers

Option B is wrong because `by sourcetype transaction_id` would group events by unique combinations of `sourcetype` and `transaction_id`, which would split events with the same `transaction_id` across different sourcetypes into separate transactions, defeating the cross-sourcetype correlation requirement. Option C is wrong because `maxspan=1d` imposes a 24-hour time constraint on the transaction, which the user explicitly stated should not be applied. Option D is wrong because `startswith=* endswith=*` defines start and end markers for the transaction, which is unnecessary and could cause unintended grouping behavior when all events should simply be grouped by `transaction_id` without marker logic.

9
MCQ · hard

A financial services company uses Splunk to correlate events from multiple applications. Analysts often use `transaction user_id` to group events, but they notice that this command significantly increases search time and memory usage. After investigating, they find that certain 'user_id' values are extremely frequent (e.g., service accounts) causing huge transactions with thousands of events, which exhaust search memory. The team needs to continue grouping by user_id but must avoid performance issues. They also need to preserve the ability to compute statistics like transaction duration. Which approach best addresses both concerns?

A. Set `maxpause=1m` to break large transactions by gaps
B. Use `transaction user_id maxspan=5m maxevents=100`
C. Exclude service accounts using `where user_id!="svc*"` before transaction
D. Switch to `stats values(_raw) by user_id` to avoid transaction overhead
Answer: B

Limits both total time and event count, preventing memory overload.

Why this answer

Using `transaction user_id maxspan=5m maxevents=100` limits the size of each transaction, preventing the huge transactions. Alternatively, pre-filtering to remove noisy accounts can help, but limiting maxevents is more robust. Option B is the most direct fix.

10
MCQ · medium

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

A. Increase maxspan to allow more events to complete.
B. Use the 'mvlist' option to list all user_uuid values.
C. Use the 'keepevicted=true' option and then filter out evicted events in a subsequent search.
D. Add 'closed_txn=1' to the transaction command to only output complete transactions.
Answer: C

keepevicted=true preserves events that were not included in any transaction, allowing you to analyze or exclude them.

Why this answer

Option C is correct because the `keepevicted=true` parameter causes the `transaction` command to output events that were evicted from the transaction window (orphans) with an `evicted` field set to 1. You can then filter out these evicted events in a subsequent search using `where evicted=0`, which isolates only complete transactions and removes the performance overhead of orphan events.

Exam trap

The trap here is that candidates confuse `keepevicted` with a way to keep orphan events in the output, when in fact it marks them with an `evicted` field so you can explicitly filter them out, and they may also incorrectly assume `closed_txn` is a valid parameter without knowing its exact syntax (`closed_txn=t`).

How to eliminate wrong answers

Option A is wrong because increasing `maxspan` would actually allow more events to be considered for a transaction, potentially increasing the number of orphan events and worsening performance, not solving the issue. Option B is wrong because `mvlist` is not a valid option for the `transaction` command; it is used with `stats` or `eventstats` to list multivalue fields, and it does not help identify or exclude orphan events. Option D is wrong because `closed_txn=1` is not a valid parameter for the `transaction` command; the correct way to output only complete transactions is to use the `closed_txn=t` option, but even then, it does not help identify orphan events for exclusion—it simply suppresses incomplete transactions from output, which may hide the problem but not address the underlying performance impact.

11
MCQ · hard

A Splunk search uses 'transaction' with a large dataset and causes a 'max transaction' error. What is the most likely cause and best practice to avoid it?

A. The transaction command is used on non-indexed fields; use indexed fields instead.
B. The number of open transactions exceeds the limit; use fields to reduce cardinality or increase maxopentxn.
C. The maxspan value is too low; increase maxspan.
D. The maxevents value is too low; increase maxevents.
Answer: B

Correct: This resolves the max transaction error.

Why this answer

Option B is correct. The error indicates the number of open transactions exceeded the limit (maxopentxn). Reducing field cardinality or increasing maxopentxn helps.

Options A, C, and D address other issues.

12
MCQ · medium

An analyst wants to correlate events from multiple sourcetypes that have different timestamps but share a common reference ID. The events are ingested with some delay. Which parameter is crucial to ensure the transaction captures all related events despite ingestion delay?

A. maxpause
B. maxevents
C. fields _indextime
D. maxspan
Answer: D

Correct: a large maxspan gives time for delayed events to arrive.

Why this answer

Option D is correct because a large maxspan accommodates delays in event arrival. Option A (maxpause) would not capture events if there is a large gap. Option B (maxevents) does not affect time.

Option C (fields _indextime) is irrelevant.

13
MCQ · medium

A large transaction command is causing the search to run out of memory. Which approach best reduces memory usage while maintaining the transaction logic?

A. Increase the maxeventtokens setting.
B. Use the fields option to include only necessary fields.
C. Replace transaction with stats to aggregate.
D. Use timeline to store transactions.
Answer: B

Limiting fields reduces the data per event, lowering memory consumption.

Why this answer

Option B is correct because using the fields option limits the fields carried in each event of the transaction, reducing memory. Option A (increasing maxeventtokens) would increase memory usage. Option C (using stats) changes the correlation approach. Option D (timeline) is irrelevant.

14
Multi-Select · medium

Which THREE of the following are correct about the transaction command's default behavior?

Select 3 answers
A. Transaction groups events by host, source, and sourcetype by default.
B. Transaction does not require startswith or endswith to be specified.
C. Transaction can evict partial transactions if maxpause is exceeded.
D. Transaction requires all events to come from the same host.
E. Transaction always includes all evicted events in the results.
Answers: A, B, C

Default grouping fields are host, source, and sourcetype.

Why this answer

Options A, B, and C are correct. Transaction by default groups by host, source, and sourcetype; it does not require startswith/endswith; and it can evict partial transactions if maxpause is exceeded. Option D is false because events can span multiple hosts. Option E is false because evicted transactions are retained only when keepevicted is set.

15
MCQ · medium

A search uses `transaction sessionId` to correlate events. However, the transaction command is consuming too much memory and the search fails. Which approach can reduce memory usage while still approximating the transaction grouping?

A. Add `maxevents=100` to the transaction
B. Use `dedup sessionId`
C. Use `stats values(_raw) by sessionId`
D. Increase the search job memory limit
Answer: C

stats is lighter and can group events by a common field without the overhead of transaction.

Why this answer

Using `stats values(_raw) by sessionId` aggregates raw events into a multivalue field, which is more memory-efficient than transaction because it does not try to compute duration or keep all event metadata.

16
MCQ · medium

A team is using the transaction command to group web server access logs into user sessions. They notice some sessions are missing because the transaction command defaults to combining events with identical field values if they occur within a default time window. What is the default maxspan value for the transaction command?

A. 1 minute
B. -1 (no default limit)
C. 30 seconds
D. 5 minutes
Answer: B

Correct: The default maxspan is -1, meaning no time limit.

Why this answer

Option B is correct. The default maxspan is -1 (unlimited). Options A, C, and D are common misconceptions but incorrect.

17
Multi-Select · medium

Which THREE strategies can help reduce memory usage when using the transaction command? (Select exactly 3 correct answers.)

Select 3 answers
A. Filter events before the transaction command.
B. Reduce maxspan and maxpause.
C. Use fields to limit fields before transaction.
D. Use keepevicted=true.
E. Increase maxopentxn.
Answers: A, B, C

Correct: reducing input events lowers memory usage.

Why this answer

Reducing maxspan and maxpause limits the time window, thus fewer open transactions. Filtering events early and using the fields command to limit fields reduce data volume. Increasing maxopentxn and keepevicted=true increase memory usage.

18
MCQ · easy

An analyst runs `transaction user_id` to correlate events from a web server. The resulting transaction events have a field 'duration' that shows the time between the first and last event. However, some transactions span over 30 minutes. What transaction option should be added to limit the maximum time between the first and last event?

A. maxspan=30m
B. maxpause=30m
C. maxevents=30
D. contime=30m
Answer: A

Correctly limits the transaction span to 30 minutes.

Why this answer

The maxspan option sets the maximum time span from the first event to the last event in a transaction.

19
MCQ · medium

Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?

A. The maxpause=5m is too short, causing the transaction to close before other events occur.
B. The session_id field is only populated for the 'Accepted publickey' event, so other events have a different or null session_id and do not join the transaction.
C. The transaction command requires that all events have a non-null session_id to be grouped.
D. The sourcetype filter is too restrictive.
Answer: B

Only the start event gets a session_id; other events have null, so they are not grouped.

Why this answer

Option B is correct because the `transaction` command groups events by the `session_id` field. If `session_id` is only extracted from 'Accepted publickey' events (e.g., via a `rex` or `eval` command), subsequent commands and logout events will have a null or different `session_id`. Since `transaction` requires all events in the group to share the same `session_id` value, those other events cannot join the transaction, resulting in a transaction containing only the single 'Accepted publickey' event.

Exam trap

The trap here is that candidates often assume `maxpause` or timing is the culprit, but the real issue is that the `transaction` command requires all events in the group to share the same value for the specified field(s), and if the field is missing or null on other events, they cannot be correlated.

How to eliminate wrong answers

Option A is wrong because `maxpause=5m` defines the maximum time between events in the same transaction; if other events occur within 5 minutes, they would still be included if they shared the same `session_id`. The issue is not timing but field availability. Option C is wrong because the `transaction` command does not require all events to have a non-null `session_id`; it groups events by the specified field(s), and events with a null `session_id` simply will not match the non-null value of the 'Accepted publickey' event.

Option D is wrong because the sourcetype filter is not mentioned in the exhibit or question as being overly restrictive; the problem is specifically about the `session_id` field not being populated on other events, not about sourcetype filtering.

20
MCQ · medium

A network operations team monitors firewall logs using Splunk. They need to group events from the same TCP session, identified by 'src_ip', 'dst_ip', and 'src_port'. The logs contain events for 'session_start', 'data_transfer', and 'session_end' actions. They currently use `transaction src_ip dst_ip src_port startswith=action=session_start endswith=action=session_end`. However, many transactions are incomplete because some sessions do not have a 'session_end' event due to firewall timeouts. The team wants to include these incomplete sessions as well, but still group them around a start event. What should they modify?

A. Add `maxspan=30m` and keep endswith
B. Remove endswith and add maxspan=30m
C. Change startswith to `action=session_start OR action=session_end`
D. Use `transaction src_ip dst_ip src_port maxspan=30m` without startswith or endswith
Answer: B

Startswith defines start; maxspan closes the transaction automatically after 30 minutes if no end.

Why this answer

To include incomplete sessions, use `transaction src_ip dst_ip src_port startswith=action=session_start maxspan=30m` without endswith. This will create a transaction starting with session_start and ending after maxspan or if another start event is encountered.

21
Multi-Select · easy

Which THREE statements about the `transaction` command are true?

Select 3 answers
A. It can correlate events from different sourcetypes
B. The maxevents option limits the number of unique field values per transaction
C. It sorts events within each transaction by _time
D. It can correlate events across multiple indexes
E. Transaction always produces summary indexing output
Answers: A, C, D

Transaction groups events based on shared field values regardless of sourcetype.

Why this answer

Correct: A (it can use fields from different sourcetypes), C (it automatically sorts events by _time), and D (it can correlate events across multiple indexes). Option B is false because maxevents limits the event count, not field values. Option E is false because transaction does not produce summary indexing output by default.

22
Matching · medium

Match each Splunk component to its function.


Concepts
Matches

Indexes and stores incoming data

Distributes search requests and merges results

Sends data to indexers or other forwarders

Manages configuration of forwarders

Manages license usage across the deployment

Why these pairings

These are core components of a Splunk distributed environment.

23
MCQ · medium

An analyst is using the transaction command to group events by a field that has high cardinality (millions of unique values). The search is taking too long and consuming too much memory. Which approach should be taken to improve performance?

A. Reduce the cardinality of the field by using a derived field with fewer values.
B. Use the 'maxspan' option to narrow the time window.
C. Use the 'mvlist' option to reduce field storage.
D. Use the 'maxevents' option to limit number of events per transaction.
Answer: A

Correct: Reduces open transactions and improves performance.

Why this answer

Option A is correct. High cardinality causes many open transactions; reducing cardinality (e.g., using a derived field) improves performance. Options B and D help but do not address the primary cause; Option C is not a valid option.

24
MCQ · hard

A Splunk administrator notices that a `transaction` command used for correlating VPN login and logout events is consuming excessive memory and causing search timeouts. The transaction groups events by `user` with `maxspan=12h` and `maxpause=30m`. The VPN logs contain millions of events per day. Which design change would most effectively reduce resource consumption while maintaining the ability to correlate logins and logouts within the same session?

A. Remove the maxpause option from the transaction command to simplify grouping.
B. Reduce maxspan to 4h to limit the time window for grouping events.
C. Replace the transaction command with a stats command using earliest and latest functions on the event type.
D. Add maxevents=2 to the transaction command to limit each transaction to exactly two events.
Answer: C

Using `stats earliest(_time) as login, latest(_time) as logout by user` is much more memory efficient and still captures session boundaries.

Why this answer

Option C is correct because replacing `transaction` with `stats` using `earliest` and `latest` eliminates the in-memory event buffering that causes memory exhaustion. `transaction` holds all events in memory until the transaction boundary (maxspan/maxpause) is reached, which is extremely expensive for millions of VPN events. `stats` processes events in a streaming fashion, computing the first and last timestamps per user without storing the full event list, drastically reducing memory and avoiding timeouts.

Exam trap

Splunk often tests the misconception that reducing time windows or event counts in `transaction` solves memory issues, but the real trap is that `transaction` always buffers events in memory, whereas `stats` is a streaming command that avoids this bottleneck entirely.

How to eliminate wrong answers

Option A is wrong because removing `maxpause` would cause the transaction to never close on idle gaps, leading to even larger in-memory buffers and worse memory consumption. Option B is wrong because reducing `maxspan` to 4h only limits the time window but does not address the fundamental issue of `transaction` buffering all events per user in memory; it may still cause memory exhaustion with high event volumes. Option D is wrong because `maxevents=2` assumes exactly one login and one logout per session, but VPN logs may have multiple login attempts or reconnections; this would break correlation for legitimate multi-event sessions and still not reduce memory if events arrive out of order or within the pause window.
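Questions 3, 15 and 24 all recommend replacing `transaction` with a streaming aggregation: `stats earliest/latest by user`, or `streamstats` to assign a session ID followed by `stats`. The Python script below is an added example, not part of this question bank and not Splunk code: it models both alternatives over a small constructed VPN log (`VPN_EVENTS`, an assumption) so the memory argument is visible in code. Each function keeps one small record per user or per (user, session) and never retains an event, and the `stats earliest/latest` model also shows what that form loses when one user has two sessions.

```python
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed VPN log sample (assumption, not from the page); _time is epoch seconds.
VPN_EVENTS: List[Event] = [
    {"_time": 100,  "user": "alice", "action": "login"},
    {"_time": 400,  "user": "bob",   "action": "login"},
    {"_time": 900,  "user": "alice", "action": "logout"},
    {"_time": 950,  "user": "bob",   "action": "logout"},
    {"_time": 5000, "user": "alice", "action": "login"},   # alice's second session
    {"_time": 5300, "user": "alice", "action": "logout"},
]


def stats_earliest_latest(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Model of `stats earliest(_time) as login latest(_time) as logout count by user`.

    Streaming: one small record per user is updated as each event arrives and no
    event is kept. The price is that every session of a user collapses into one
    login..logout span, so a user with two sessions gets one inflated duration.
    """
    agg: Dict[str, Dict[str, int]] = {}
    for ev in events:
        user, t = ev["user"], ev["_time"]
        rec = agg.setdefault(user, {"login": t, "logout": t, "count": 0})
        rec["login"] = min(rec["login"], t)
        rec["logout"] = max(rec["logout"], t)
        rec["count"] += 1
    for rec in agg.values():
        rec["duration"] = rec["logout"] - rec["login"]
    return agg


def streamstats_sessions(events: List[Event], maxpause: int) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Model of the streamstats approach from question 3. The SPL shape it follows
    (field names prev_time, new_session and session_id are assumptions) is:

        | sort 0 _time
        | streamstats current=f last(_time) as prev_time by user
        | eval new_session=if(isnull(prev_time) OR _time-prev_time>1800, 1, 0)
        | streamstats sum(new_session) as session_id by user
        | stats min(_time) as start max(_time) as end count by user session_id

    Per user the running state is only the previous timestamp and the current
    session number; per session a three-integer record, never the events.
    """
    prev_time: Dict[str, int] = {}
    session_no: Dict[str, int] = {}
    sessions: Dict[Tuple[str, int], Dict[str, int]] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        user, t = ev["user"], ev["_time"]
        # A gap longer than maxpause (or no previous event) starts a new session,
        # which is the same cut that maxpause makes in the transaction command.
        if user not in prev_time or t - prev_time[user] > maxpause:
            session_no[user] = session_no.get(user, 0) + 1
            sessions[(user, session_no[user])] = {"start": t, "end": t, "count": 0}
        rec = sessions[(user, session_no[user])]
        rec["end"] = t
        rec["count"] += 1
        prev_time[user] = t
    for rec in sessions.values():
        rec["duration"] = rec["end"] - rec["start"]
    return sessions


if __name__ == "__main__":
    print(stats_earliest_latest(VPN_EVENTS))
    print(streamstats_sessions(VPN_EVENTS, maxpause=1800))
```

For the sample, `stats_earliest_latest` reports alice as one span from 100 to 5300 (duration 5200 over four events), while `streamstats_sessions(..., maxpause=1800)` separates her two sessions (durations 800 and 300). Which one is acceptable depends on whether the dashboard needs per-session durations or only first-seen/last-seen per user.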

25
MCQ · medium

A SOC analyst is investigating a security incident. They use `transaction src_ip` to group firewall events. The search returns too many single-event transactions. The analyst suspects that some events should be grouped but are not because the IP address is used by different sessions. Which option can help ensure events are grouped only if they occur close in time?

A. maxspan=1h
B. maxevents=2
C. fields=src_ip
D. maxpause=5m
Answer: D

maxpause ensures events are only grouped if they occur within 5 minutes of each other, reducing false grouping.

Why this answer

The maxpause option sets the maximum time gap allowed between consecutive events in a transaction. Using a short maxpause helps ensure that events from different sessions are not incorrectly grouped.

26
MCQ · medium

An analyst wants to group events from different sourcetypes (web_access and error_log) into a single transaction when they share the same 'request_id' field and occur within 1 minute. Which search correctly accomplishes this?

A. index=* | transaction request_id maxspan=1m
B. index=main | join type=inner request_id [search sourcetype=error_log]
C. sourcetype=web_access | transaction request_id maxspan=1m | append [search sourcetype=error_log | transaction request_id maxspan=1m]
D. (sourcetype=web_access OR sourcetype=error_log) | transaction request_id maxspan=1m
Answer: D

Correctly combines sourcetypes and groups by request_id within 1 minute.

Why this answer

Using OR to combine sourcetypes and then transaction with maxspan=1m groups events by request_id across both sourcetypes, with a total time limit of 1 minute.

27
MCQ · hard

Consider the following search: 'index=web | transaction sessionid maxspan=30m | where eventcount > 5 | stats avg(duration)'. An analyst notices that the search takes a long time and uses excessive memory. Which change would most likely improve performance?

A. Change maxspan to 1h to allow more events.
B. Use the stats command with values(sessionid) instead of transaction.
C. Remove the where clause and use stats after transaction.
D. Add a filter before transaction to reduce events.
Answer: B

Stats with values can group events without the overhead of transaction, but it does not maintain event order or duration. For calculating avg duration, transaction is needed. So this is incorrect.

Why this answer

Filtering events before the transaction command reduces the number of events processed, lowering memory and time requirements.

28
Multi-Select · hard

Which THREE statements about the `transaction` command are true?

Select 3 answers
A. Transaction can correlate events based on more than one field.
B. Transaction events can contain multivalue fields from the constituent events.
C. The maxpause option sets the maximum time span of the transaction.
D. When using startswith and endswith, the transaction event includes a duration field.
E. Transaction is the most efficient way to group events from large datasets.
Answers: A, B, D

Fields can be concatenated or multiple fields specified.

Why this answer

Transaction can group events by multiple fields, calculates duration for start/end events, and can include field values from all constituent events (a `where` filter can also be used in the same pipeline after `transaction`). Options: A: true; B: true; C: false (maxpause limits the pause between events, not the total span); D: true; E: false (transaction is memory-intensive and not recommended for large datasets).

29
MCQ · medium

A search includes `... | transaction 1,2,3` but returns unexpected results. What does the `1,2,3` represent in this context?

A. Field names to use as transaction keys
B. Three index names to correlate across indexes
C. Status codes for transactions (1=open, 2=pending, 3=closed)
D. maxspan=1s, maxpause=2s, maxevents=3
Answer: D

Positional arguments: maxspan, maxpause, maxevents in seconds.

Why this answer

Option D is correct because `transaction` without named fields treats the positional arguments as `maxspan`, `maxpause`, and `maxevents`, all in seconds. Option B is wrong because they are not index names. Option C is wrong because they are not status codes. Option A is wrong because they are not a field list.

30
MCQ · medium

Refer to the exhibit. The search is intended to count the number of clients who made more than 3 HTTP requests within any 30-minute window. However, the results are unexpectedly high. What is the most likely reason?

A. The sourcetype does not contain enough methods to satisfy the condition.
B. The stats command should use `dc(clientip)` instead of `count by clientip`.
C. The mvcount function counts the number of unique methods, not events.
D. The same clientip can appear in multiple transactions, causing overcounting.
Answer: D

Each 30-minute window creates a separate transaction; stats count counts each transaction, not unique clients.

Why this answer

The transaction command groups events into transactions based on fields like clientip. If the same clientip appears in multiple transactions (e.g., because the 30-minute window resets or overlaps), that clientip will be counted multiple times in the final stats count. This overcounting inflates the result, making it unexpectedly high.

Exam trap

Splunk often tests the misconception that transaction groups all events for a given field into a single transaction, when in reality it can create multiple transactions per field value if events exceed the maxspan or maxpause limits.

How to eliminate wrong answers

Option A is wrong because the sourcetype's methods are irrelevant to the overcounting issue; the problem is with how transactions group events, not the content of the sourcetype. Option B is wrong because using dc(clientip) would count distinct clientips, which would still be overcounted if the same clientip appears in multiple transactions; the issue is transaction grouping, not the aggregation function. Option C is wrong because mvcount counts the number of values in a multivalue field (like methods), not events; the search uses count by clientip, not mvcount, so this is a misdirection.

31
MCQeasy

An analyst wants to group events that start with a 'login' event and end with a 'logout' event, using the username field. Which transaction syntax is correct?

A.transaction username startswith=login endswith=logout
B.transaction username startswith="login" endswith="logout" maxspan=2h
C.transaction startswith="login" endswith="logout" by username
D.transaction username startswith="login" endswith="logout"
AnswerD

Correct: Proper syntax.

Why this answer

Option D is correct. The proper syntax is 'transaction username startswith="login" endswith="logout"': the grouping field comes first, followed by the boundary options. Option A lacks the quotes the question expects, Option B adds a maxspan the requirement does not call for, and Option C uses a `by` clause, which transaction does not accept (it takes field names directly).

32
Multi-Selectmedium

Which three conditions can cause a transaction to close prematurely? (Choose three.)

Select 3 answers
A.The maxevents value is reached.
B.The startswith event is encountered again.
C.The maxpause value is exceeded.
D.The maxspan value is reached.
E.The endswith event is detected.
AnswersA, C, D

Correct: maxevents closes the transaction when event count reaches limit.

Why this answer

Options A, C, and D are correct. maxevents, maxpause, and maxspan all close a transaction when their limit is reached, potentially before all related events are grouped. Option E (endswith) closes the transaction by design, not prematurely. Option B (a second startswith match) marks the beginning of a new transaction; it is a boundary, not a limit.

33
Multi-Selecthard

Which THREE conditions must be met for events to be grouped into the same transaction when using the 'transaction' command without any 'startswith' or 'endswith' options? (Choose three.)

Select 3 answers
A.Events must have the same value in the field specified by the 'by' clause.
B.The time difference between the first and last event must not exceed the maxspan value.
C.Events must be from the same sourcetype.
D.The time gap between consecutive events must not exceed the maxpause value.
E.Events must appear in chronological order with no missing timestamps.
AnswersA, B, D

The field list given to transaction (the question calls it the 'by' clause) defines the grouping field.

Why this answer

Option A is correct because the grouping field named in the command (the question's 'by' clause; transaction takes the field list directly, without a `by` keyword) must hold the same value across all events in a transaction. Without 'startswith' or 'endswith', the command groups solely on that field value, the 'maxspan' window from first to last event (Option B), and the 'maxpause' gap between consecutive events (Option D). Only events sharing the field value and falling within both time limits are treated as one logical transaction.

Exam trap

The trap here is Option C: candidates assume events must share a sourcetype, but transaction correlates across sources and sourcetypes whenever the grouping field values match (question 34 relies on exactly that). Option E is the other trap: timestamps matter for the time limits, but the command works on the events the search delivers rather than requiring a pre-validated, gap-free timeline.

34
MCQeasy

An analyst wants to correlate events from two different sourcetypes: `auth` logs (login events) and `app` logs (application actions). Both logs share a common `session_id` field. The analyst needs to group all events from the same session, regardless of sourcetype, with a maximum time span of 1 hour. Which search correctly uses the `transaction` command?

A.index=main (sourcetype=auth OR sourcetype=app) | transaction by session_id maxspan=1h
B.index=main (sourcetype=auth OR sourcetype=app) | stats values(*) by session_id, _time
C.index=main (sourcetype=auth OR sourcetype=app) | transaction session_id maxspan=1h
D.index=main sourcetype=auth | append [search index=main sourcetype=app] | transaction session_id maxspan=1h
AnswerC

Correctly groups events by session_id with a 1-hour maxspan.

Why this answer

Option C is correct because the `transaction` command groups events that share a common `session_id` field, and the `maxspan=1h` parameter restricts the transaction to a maximum time span of 1 hour. The syntax `transaction session_id maxspan=1h` is valid and ensures all events from both sourcetypes (`auth` and `app`) are correlated into sessions based on the shared field, regardless of sourcetype.

Exam trap

Splunk often tests the subtle syntax difference between `transaction` and `transaction by` — candidates mistakenly add `by` as if it were a `stats` command, but `transaction` takes fields directly without a `by` clause.

How to eliminate wrong answers

Option A is wrong because `transaction by session_id` uses incorrect syntax; the `transaction` command does not accept a `by` clause — it directly takes the field name(s) as arguments. Option B is wrong because `stats values(*) by session_id, _time` does not create transactions; it merely aggregates field values without grouping events into sessions or enforcing a time span. Option D is wrong because using `append` is unnecessary and inefficient; the base search already retrieves both sourcetypes, and `append` does not improve correlation — it simply concatenates results, and the `transaction` command would still work but with redundant overhead.

35
MCQhard

A Splunk admin notices that a transaction search using the transaction command takes a long time and consumes high memory. The search correlates events by a high-cardinality field (IP address) across multiple indexers. Which optimization technique should be applied first?

A.Use the fields command to remove unnecessary fields before the transaction.
B.Increase maxevents to capture more events per transaction.
C.Use the keepevicted option to retain incomplete transactions.
D.Use the local parameter to force local processing.
AnswerA

Correct: reducing fields lowers memory per event.

Why this answer

Option A is correct because removing unneeded fields with `fields` before transaction reduces the memory held per event and the work done per grouping. Option D (local) confines processing to the search head, removing the indexers' parallelism and potentially increasing run time. Option B (increasing maxevents) lets each transaction grow larger and so increases memory. Option C (keepevicted) only controls whether evicted transactions appear in the output; it does not reduce cost.

36
Multi-Selectmedium

A Splunk search uses 'transaction' to correlate events. The transaction times out before all expected events are added. Which TWO options can be adjusted to allow more time for transaction completion? (Choose two.)

Select 2 answers
A.Increase 'maxopentxn'.
B.Set 'connected=false'.
C.Increase 'maxevents'.
D.Decrease 'maxspan'.
E.Increase 'maxtime' in the transaction command.
AnswersC, E

Correct: Allows more events per transaction.

Why this answer

Options C and E are the keyed answers. 'maxevents' raises the number of events one transaction may hold, and 'maxtime' is presented in the question as the processing time limit; raising both gives the transaction room to complete. Confirm the option names against the current transaction command reference before using them in a real search, since maxspan, maxpause, and maxevents are the documented limits. Option D (decreasing maxspan) shortens the window and makes the problem worse, Option B (connected=false) changes how events that would otherwise open a new transaction are handled, and Option A (maxopentxn) bounds how many transactions may be open at once rather than how long any one may run.

37
MCQmedium

Which command is best for calculating a running total of sales per customer across events without creating a multivalued field?

A.streamstats
B.stats
C.transaction
D.eventstats
AnswerA

streamstats computes windowed functions like running total per group.

Why this answer

Option A is correct because streamstats computes running aggregates row by row per group, which is exactly a running total per customer. Option D (eventstats) attaches the overall aggregate to every event without a per-row progression. Option B (stats) collapses the events into a summary rather than a running total. Option C (transaction) groups events but does not compute running totals.

38
MCQmedium

A company wants to correlate events from multiple sources that share a common transaction ID. The events arrive in real time but with variable delays. Which transaction option ensures that a transaction closes after 2 minutes of inactivity?

A.endswith="end"
B.maxspan=2m
C.maxpause=2m
D.startswith="start"
AnswerC

maxpause closes transaction if no matching event arrives within 2 minutes.

Why this answer

Option C is correct because maxpause closes a transaction once the gap between consecutive events exceeds the limit, which is exactly 'inactivity'. Option B (maxspan) closes after total elapsed time regardless of gaps. Option D (startswith) and Option A (endswith) define boundary events, not time limits.

39
MCQmedium

Refer to the exhibit. The eval command combines two fields into one. What is a potential issue with this search?

A.The eval command may cause syntax errors.
B.Transaction does not allow eval before it.
C.The maxspan should be after the transaction command.
D.If an event has both sessionid and correlation_id, the coalesce may create a new value that does not match other events.
AnswerD

coalesce takes the first non-null; if both fields exist but differ, only one is used, potentially breaking grouping.

Why this answer

Option D is correct because transaction groups on the coalesced sessionid field; if an event carries both sessionid and correlation_id with different values, only the first non-null value survives, so that event will not be grouped with events that share only the other identifier. Option A is false; the eval is syntactically fine. Option B is false; running eval before transaction is allowed and common. Option C is false; maxspan is an argument of transaction itself and belongs on the transaction command.

40
MCQhard

A transaction search that uses a large maxspan and high-cardinality fields is failing due to memory limitations. Which approach can best reduce memory usage without changing the transaction logic?

A.Use the 'stats' command with values() instead of transaction.
B.Use the 'fields' command before transaction to retain only the correlation fields and _time.
C.Increase the maxpause value to reduce number of open transactions.
D.Set keepevicted=true to offload evicted events.
AnswerB

Correct: minimizes field count.

Why this answer

Option B is correct because keeping only the correlation fields and _time with `fields` dramatically reduces the memory held per event while leaving the grouping logic unchanged. Option C (increasing maxpause) keeps transactions open longer and does not reduce memory. Option D (keepevicted) adds evicted transactions to the output and if anything increases memory usage. Option A (stats) replaces the transaction logic entirely, which the question rules out.

41
MCQhard

A company has events from multiple data sources that share a common 'request_id'. They want to correlate events from different sources (e.g., web, app, database) into a single transaction per request. However, the timestamps across sources are not synchronized, causing some events to appear out of order. Which approach is best to ensure correct grouping?

A.Use `eventstats count by request_id` to correlate counts
B.Use `sort _time | transaction request_id maxspan=10m`
C.Use `transaction request_id` and rely on Splunk to automatically reorder
D.Use `transaction request_id maxspan=1m` and ignore out-of-order events
AnswerB

Sorting by time ensures events are processed in chronological order, and a 10-minute maxspan accommodates timestamp skew.

Why this answer

Option B is correct: sorting on _time before transaction puts the events from all sources into a single chronological order, and a 10-minute maxspan is generous enough to absorb the timestamp skew. In a real search use `sort 0 _time`, because sort without the 0 truncates to its default limit of 10,000 results. Option C is wrong because transaction does not reorder events for you, Option D is wrong because a 1-minute maxspan is tighter than the skew and discards the problem rather than solving it, and Option A only counts events per request_id without grouping them.

42
MCQmedium

Refer to the exhibit. What is the purpose of this configuration?

A.It creates a search-time field extraction for clientip and userid.
B.It defines a transaction type that can be used in search with `transaction mytransaction` to group events by clientip and userid with given time parameters.
C.It configures the transaction command to run automatically on all data.
D.It defines a transaction type that can be used in search with `transaction mytransaction` to group events by clientip and userid with given time parameters.
AnswerB

Correct: this defines a named transaction in transaction.conf.

Why this answer

This stanza defines a named transaction type in transaction.conf. It can be invoked in a search as `transaction mytransaction` to group events by clientip and userid with the specified time parameters.

43
MCQhard

A telecom company monitors call detail records (CDR). Each call has a unique call_id, and events are generated at each network node (setup, ringing, answer, hangup) with timestamps. The events are from different sourcetypes (cdr_setup, cdr_ring, etc.) and are indexed in near real-time. The analyst needs to correlate all events for the same call_id to calculate call duration. The current search is: `index=telecom sourcetype=cdr_* | transaction call_id maxspan=2h`. This search works but sometimes produces huge transactions (100+ events) due to noisy data, causing memory errors. The analyst has identified that each call should have exactly 4 events: setup, ringing, answer, hangup. Which approach would best achieve correlation with minimal resource usage?

A.Use `transaction call_id maxevents=4 maxspan=2h` to limit to exactly 4 events.
B.Use `transaction call_id maxspan=2h` and then filter using `where mvcount(_raw) = 4`.
C.Use `eventstats count by call_id` and then filter.
D.Use `search` with `call_id=*` and then use `streamstats` to calculate duration per call.
AnswerA

Correct: maxevents=4 ensures only the expected events are grouped, reducing memory and processing time.

Why this answer

Option A is correct because setting maxevents=4 caps each transaction at the expected number of events, so a noisy call_id can no longer accumulate 100+ events in memory. Option B (filter after transaction) still builds the large transactions before filtering them. Option C (eventstats) does not preserve time ordering for duration calculation. Option D (streamstats) does not group all events per call_id correctly. One caveat for practice: maxevents caps size, it does not pick the right four events, so if noise events for a call_id arrive before the hangup, the hangup lands in a second transaction; check eventcount after grouping.

44
MCQmedium

Refer to the exhibit. A security analyst notices that some transactions have a duration greater than 600 seconds even though maxpause is set to 5 minutes (300 seconds). What is the most likely reason?

A.The transaction command is including events that are more than 5 minutes apart because the maxpause is ignored when maxspan is set.
B.The eventcount field is inflated, causing duration to be calculated incorrectly.
C.The duration field represents milliseconds, so 600 seconds is actually 0.6 seconds.
D.The maxspan setting of 30 minutes allows the total transaction duration to reach up to 1800 seconds.
AnswerD

maxpause limits the gap between consecutive events, not the total duration; many events each less than 300 seconds apart can accumulate to a duration up to maxspan=30m (1800 seconds), so 600 seconds is within bounds.

Why this answer

Option D is correct because `maxpause` only limits the idle time between consecutive events, while `maxspan` sets the upper limit on total duration from the first event to the last. A transaction whose events arrive, say, every 200 seconds never exceeds `maxpause=5m` (300 seconds), yet after a few events its `duration` passes 600 seconds and can keep growing until `maxspan=30m` (1800 seconds) closes it. A single gap larger than 300 seconds would close the transaction, so the long durations come from many small gaps, not from large ones.

Exam trap

Splunk often tests the distinction between `maxpause` and `maxspan`, where candidates mistakenly think `maxpause` alone controls the total transaction duration, ignoring that `maxspan` can extend the overall time window.

How to eliminate wrong answers

Option A is wrong because `maxpause` is not ignored when `maxspan` is set; both parameters work together, with `maxpause` limiting gaps between events and `maxspan` limiting the total transaction duration. Option B is wrong because the `eventcount` field does not affect the calculation of `duration`; `duration` is derived from the timestamps of the first and last events in the transaction, not from event count. Option C is wrong because the `duration` field in the transaction command output is in seconds, not milliseconds; 600 seconds is indeed 600 seconds, not 0.6 seconds.
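Questions 30, 32 and 44 (and the login/logout boundaries of question 31) all turn on when transaction closes a group, and the rules are easier to trust after watching them run on known input. The following Python is an added reference model written for this page, not Splunk code and not an official description of the command: it implements grouping on a field plus maxspan, maxpause, maxevents, startswith and endswith as the explanations above describe them, over constructed events, processing events in chronological order (Splunk's own pipeline order and its handling of orphans are assumptions of this model, noted in the docstring). The SPL each function stands in for is quoted in its docstring.

```python
from dataclasses import dataclass, field


@dataclass
class Txn:
    """One grouped transaction; eventcount and duration mirror the fields
    transaction adds to each output event."""
    key: str
    events: list = field(default_factory=list)
    closed_by: str = "end_of_data"

    @property
    def eventcount(self):
        return len(self.events)

    @property
    def duration(self):
        return self.events[-1]["_time"] - self.events[0]["_time"]


def transaction(events, key, maxspan=None, maxpause=None, maxevents=None,
                startswith=None, endswith=None):
    """Group dict events (with `_time` in seconds) on the value of `key`.

    A transaction closes on the first limit hit: maxpause (gap since its
    last event), maxspan (gap since its first event), maxevents, an endswith
    match, or a new startswith match for the same key. With startswith set,
    events arriving while nothing is open for their key are orphans and are
    dropped (assumption: mirrors the default keeporphans=false)."""
    open_txns, out = {}, []

    def close(k, reason):
        t = open_txns.pop(k)
        t.closed_by = reason
        out.append(t)

    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev[key]
        t = open_txns.get(k)
        if t is not None:
            if maxpause is not None and ev["_time"] - t.events[-1]["_time"] > maxpause:
                close(k, "maxpause")
            elif maxspan is not None and ev["_time"] - t.events[0]["_time"] > maxspan:
                close(k, "maxspan")
            elif startswith is not None and startswith(ev):
                close(k, "startswith")
            t = open_txns.get(k)
        if t is None:
            if startswith is not None and not startswith(ev):
                continue  # orphan: nothing open and not a start event
            t = open_txns[k] = Txn(k)
        t.events.append(ev)
        if endswith is not None and endswith(ev):
            close(k, "endswith")
        elif maxevents is not None and t.eventcount >= maxevents:
            close(k, "maxevents")
    for k in list(open_txns):
        close(k, "end_of_data")
    return sorted(out, key=lambda t: t.events[0]["_time"])


# Constructed web events (not real data): 10.0.0.5 sends ten requests 200 s
# apart, goes quiet for 400 s, then sends five more 100 s apart.
T0 = 1_700_000_000
SAMPLE = (
    [{"_time": T0 + 200 * i, "clientip": "10.0.0.5"} for i in range(10)]
    + [{"_time": T0 + 2200 + 100 * j, "clientip": "10.0.0.5"} for j in range(5)]
    + [{"_time": T0 + 50, "clientip": "10.0.0.9"}]
)


def q44_duration_vs_maxpause():
    """`| transaction clientip maxspan=30m maxpause=5m`: no gap exceeds
    300 s, so the first burst stays one transaction with duration 1800 s;
    only the 400 s pause finally closes it."""
    first = transaction(SAMPLE, "clientip", maxspan=1800, maxpause=300)[0]
    return first.duration, first.eventcount, first.closed_by


def q30_counting():
    """`| where eventcount > 3 | stats count by clientip` counts
    transactions, so 10.0.0.5 is reported twice; dc(clientip) says one."""
    big = [t for t in transaction(SAMPLE, "clientip", maxspan=1800, maxpause=300)
           if t.eventcount > 3]
    per_client = {}
    for t in big:
        per_client[t.key] = per_client.get(t.key, 0) + 1
    return per_client, len({t.key for t in big})


# Constructed auth events for the login/logout boundary questions.
AUTH = [
    {"_time": 100, "user": "alice", "action": "login"},
    {"_time": 160, "user": "alice", "action": "view"},
    {"_time": 220, "user": "alice", "action": "logout"},
    {"_time": 300, "user": "alice", "action": "login"},  # never logs out
    {"_time": 330, "user": "bob", "action": "view"},     # orphan: no login seen
]


def sessions():
    """`| transaction user startswith="login" endswith="logout"`."""
    txns = transaction(AUTH, "user",
                       startswith=lambda e: e["action"] == "login",
                       endswith=lambda e: e["action"] == "logout")
    return [(t.key, t.eventcount, t.duration, t.closed_by) for t in txns]
```

q44_duration_vs_maxpause() returns (1800, 10, 'maxpause'): ten requests 200 s apart never trip maxpause=300, yet the transaction's duration is 1800 s, three times the 600 s the question found surprising. q30_counting() shows the overcount: the same client forms two transactions with more than three events, so counting by clientip reports 2 for it while the distinct-client count is 1. sessions() shows that a second login for alice starts a second session and that bob's stray event, with no login before it, is dropped.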

45
Drag & Dropmedium

Order the steps to create a workflow action in Splunk.


Why this order

Workflow actions are created by specifying a label, action type, and URI with field references.

46
MCQeasy

A security analyst needs to correlate login events with subsequent logout events for the same user session. Which command should be used to group these events together?

A.Use the transaction command with startswith='login' and endswith='logout'.
B.Use the sort command by user and time to manually identify sessions.
C.Use the stats command with values() and earliest().
D.Use the eval command to create a session ID based on time differences.
AnswerA

transaction is designed exactly for this purpose: it groups events that share common fields and satisfy start/end conditions.

Why this answer

The `transaction` command is specifically designed to group related events that share a common field (e.g., user or session ID) and occur within a defined time window. By using `startswith='login'` and `endswith='logout'`, it correctly identifies the beginning and end of a user session, grouping all intermediate events into a single transaction. This is the most direct and efficient method for correlating login and logout events in Splunk.

Exam trap

Splunk often tests the misconception that `stats` or `eval` can replace `transaction` for sessionization, but the trap is that `transaction` is the only command that natively groups events based on a start and end condition without requiring manual time-window calculations or complex field manipulation.

How to eliminate wrong answers

Option B is wrong because the `sort` command only reorders events and does not group them into sessions; manually identifying sessions from sorted data is impractical and error-prone. Option C is wrong because `stats` with `values()` and `earliest()` can aggregate fields but cannot define a transaction boundary based on event types (login/logout) or group intermediate events into a single session. Option D is wrong because `eval` can create a calculated field like a session ID based on time differences, but it lacks the built-in logic to automatically detect start and end events and group all events in between; this would require complex, custom logic that `transaction` handles natively.

47
MCQeasy

A financial services company uses Splunk to monitor transactions between internal systems. Each transaction consists of a request event and a response event with identical fields: transaction_id, timestamp, component, status. The request event has component='app' and status='request'; the response event has component='db' and status='success' or 'failure'. The analyst runs the following search to correlate them: `index=main (component=app OR component=db) | transaction transaction_id maxspan=30s`. However, they notice that the search takes too long and often times out when there are many transactions. What change would most effectively reduce search time while still correctly grouping request-response pairs?

A.Use `transaction transaction_id maxspan=30s` with a time range picker to limit the search to a smaller time window.
B.Use `stats values(*) as * by transaction_id` and then filter.
C.Use `rename component to type` and then use `transaction`.
D.Use `transaction transaction_id maxevents=2 maxspan=30s`.
AnswerD

Correct: maxevents=2 ensures each transaction contains only the expected two events, reducing memory and processing.

Why this answer

Option D is correct because setting maxevents=2 limits each transaction to exactly two events (request and response), preventing large groupings that cause memory issues and timeouts. Option B (stats values) does not maintain event order and may not clearly separate request/response. Option A (smaller time range) reduces the input but does not change how many events each transaction can absorb, which is the cost the question describes. Option C (rename) does not address performance at all.

48
Multi-Selectmedium

Which TWO statements about the 'transaction' command are correct? (Choose two.)

Select 2 answers
A.It requires all events to be from the same source.
B.It sums numeric field values across events in the transaction.
C.It can use the 'by' clause to group events based on common field values.
D.The 'maxevents' option limits the total number of transactions output.
E.It can combine multiple events into a single event.
AnswersC, E

The field list passed to transaction (the option calls it the 'by' clause) specifies the field(s) that define a transaction group.

Why this answer

Option C is correct in the sense the option intends: transaction groups events that share common field values into a single transaction. Note that the field list is given directly after the command name, without a `by` keyword, as question 34 points out. Option E is correct because the output is one combined event per transaction, with the member fields turned into multivalue fields. Either way, events from different sources or sourcetypes are correlated as long as the field values match.

Exam trap

Splunk often tests the misconception that 'transaction' aggregates numeric fields (like sum or average) when in reality it only concatenates events, and that 'maxevents' controls the total number of transactions rather than the maximum events per transaction.

49
Multi-Selectmedium

Which TWO statements are true about the `transaction` command in Splunk?

Select 2 answers
A.It can group events based on one or more common field values.
B.It automatically calculates the duration between the first and last event.
C.It can only correlate events from the same sourcetype.
D.It supports maxspan and maxpause options to control time boundaries.
E.It automatically sorts events in chronological order within each transaction.
AnswersA, D

Transaction groups on the values of one or more listed fields.

Why this answer

Option A is correct because the `transaction` command groups events that share one or more common field values, such as `session_id` or `user_id`, into a single transaction. This allows you to correlate related events across different sources or sourcetypes based on matching field values.

Exam trap

The trap here is Option E: `transaction` does not sort the events it receives; it groups them in the order the search delivers them, so ordering is a separate step when it matters. Option C is the other distractor, because the command correlates across sourcetypes whenever the field values match. Note that `transaction` does add duration and eventcount fields to each transaction (question 56), so Option B is a true statement as well; the keyed answers are the two that describe how grouping is defined, A and D.

50
MCQhard

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

A.Decrease maxspan to 30 seconds
B.Remove maxpause and use only maxspan
C.Group by destination IP instead of source IP
D.Increase maxpause to 2 minutes
AnswerD

Longer pause tolerance captures the scans despite latency, while still closing transactions after gaps.

Why this answer

Increasing maxpause to 2 minutes allows the transaction to tolerate longer gaps between events caused by network latency, ensuring that valid port scans are still captured. This change directly addresses the issue without altering the grouping logic or removing the timeout guard, which would otherwise risk false positives or incorrect grouping.

Exam trap

The trap here is Option B: removing `maxpause` looks like a safe way to stop missing scans, but without a gap limit every event from a source inside the `maxspan` window is merged into one transaction, which raises false positives; decreasing `maxpause` goes the other way and increases missed detections. Only a modest increase addresses the latency gaps while keeping the guard.

How to eliminate wrong answers

Option A is wrong because decreasing maxspan to 30 seconds tightens the overall window, making it even harder to capture scans with latency-induced gaps. Option B is wrong because removing maxpause leaves only maxspan, so unrelated events from the same source within that window are bundled into one transaction, inflating false positives rather than closing gaps. Option C is wrong because grouping by destination IP changes the question being asked: it would merge traffic from many unrelated sources aimed at one destination and would not address the gap issue.

51
MCQeasy

A user wants to see a single consolidated event for each user session that includes the start time, end time, and total duration. The session events have a 'action' field with values 'start' and 'end' and a common 'user_id'. Which transaction command would achieve this?

A.`transaction user_id startswith=action=start endswith=action=end`
B.`transaction startswith=action=start endswith=action=end`
C.`transaction user_id`
D.`stats values(action) by user_id`
AnswerA

Correctly defines session boundaries using action values.

Why this answer

Using startswith and endswith defines the boundary events, and transaction automatically calculates duration when there are start and end events.

52
MCQeasy

An analyst wants to group events by 'session_id' but only if the events occur within 5 minutes of each other, and there must be at least 2 events per transaction. Which transaction parameters achieve this?

A.transaction session_id maxspan=300
B.transaction session_id maxspan=300 maxevents=2
C.transaction session_id maxpause=300 minevents=2
D.transaction session_id maxspan=300 minpause=300
AnswerC

Correct: maxpause ensures events are close, minevents ensures at least 2.

Why this answer

Option C is correct because maxpause=300 ensures consecutive events are within 5 minutes of each other and minevents=2 expresses the minimum size. Option A (maxspan=300) only limits total time. Option B (maxevents=2) caps the event count and does nothing for the minimum. Option D (minpause) is not a valid parameter. In practice, confirm minevents against the transaction command reference before relying on it; the portable way to enforce a minimum is to filter on the eventcount field that transaction adds, keeping only transactions whose eventcount is at least 2.

53
Multi-Selectmedium

A security analyst is investigating a series of failed login attempts followed by successful logins from the same IP addresses within short time windows. They want to correlate these events into sessions representing potential brute-force attacks. Which TWO statements accurately describe best practices for using the transaction command in this scenario?

Select 2 answers
A.Transaction command is optimized for correlating events over very long time ranges (over 24 hours).
B.Transaction command requires at least one field to group events into sessions.
C.Transaction command can define transaction boundaries using startswith and endswith conditions.
D.Transaction command can only be used with events that have identical timestamps.
E.Transaction command automatically deduplicates events within a transaction.
AnswersB, C

Correct: A field like src_ip is needed to group related events.

Why this answer

Option B is correct because transaction needs at least one field (like src_ip) to tie events into sessions. Option C is correct because startswith and endswith define the boundaries of a transaction, for example startswith on a failed login and endswith on the successful one. Option D is incorrect because the events do not need identical timestamps; a session spans time. Option E is incorrect because transaction does not deduplicate events; the dedup command would be needed. Option A is incorrect because transaction is not optimized for very long time ranges and is resource-intensive on them.

54
MCQhard

A company uses `transaction` to group events by `order_id`. Some orders have many events (1000+). Which option should be added to prevent a single transaction from consuming too many resources?

A.keepevicted=true
B.maxspan=1h
C.maxevents=500
D.maxpause=5m
AnswerC

maxevents caps the number of events per transaction, preventing runaway resource usage.

Why this answer

Option C is correct because `maxevents` limits the number of events per transaction, preventing a single large order from consuming resources. Option B (maxspan) limits time, not event count. Option D (maxpause) controls inactivity. Option A (keepevicted) retains evicted partial transactions in the output but does not prevent large transactions.

55
MCQeasy

A security team needs to group all login events from the same user session. Events include 'login' and 'logout' with a common session_id field. Which command should be used to combine these events into a single event per session?

A.join session_id
B.stats by session_id
C.transaction session_id
D.append session_id
AnswerC

Correctly groups events by session_id into a single transaction event.

Why this answer

The `transaction` command is designed to group related events based on common fields and time constraints, making it ideal for combining login and logout events by session_id.

56
Multi-Selectmedium

Which TWO fields are automatically created by the transaction command? (Select exactly 2 correct answers.)

Select 2 answers
A.total_events
B._endtime
C._starttime
D._time
E.maxpause
AnswersB, C

Correct: transaction adds _endtime.

Why this answer

The transaction command adds _starttime and _endtime fields to each event in the transaction. It also adds duration and eventcount, but those are not listed as options. _time and maxpause are not created by transaction.

57
Multi-Selecthard

Which TWO conditions can cause a transaction to be evicted?

Select 2 answers
A.Maximum pause between events exceeded
B.Timestamp format mismatch
C.Maximum number of events per transaction reached
D.Transaction has too many fields
E.Search is canceled by user
AnswersA, C

If maxpause is reached, the transaction is closed and evicted from open set.

Why this answer

Options A (maxpause exceeded) and C (maxevents reached) are the keyed answers: both close the transaction and remove it from the open set. Option D (too many fields) does not cause eviction. Option B (timestamp format mismatch) is a parsing problem, not a grouping rule. Option E (search cancellation) stops the whole search rather than evicting one transaction. In practice there is a third cause worth remembering: transaction also evicts open transactions when its memory limits, maxopentxn and maxopenevents, are reached, and those evicted transactions are dropped from the output unless keepevicted=true.
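Questions 35, 36 and 57 all brush against the part of transaction that loses data silently: the pool of open transactions is bounded, and when a high-cardinality field keeps opening new ones, older open transactions are evicted to make room. The following Python is an added model written for this page, not Splunk code: it keeps a pool of open transactions keyed on the grouping field, closes one when maxpause is exceeded, and when a new key arrives with the pool at maxopentxn it evicts the least recently updated one (LRU is the policy Splunk documents for maxopentxn; the rest of the bookkeeping, including the closed_txn value for transactions still open at end of data, is this model's assumption). The constructed firewall events follow the per-source grouping of question 50.

```python
from collections import OrderedDict


def transaction_stream(events, key, maxpause, maxopentxn, keepevicted=False):
    """Return (key, events, closed_txn) tuples in the order they left the pool.

    closed_txn=1: closed because the gap to the next event for that key
    exceeded maxpause, or still open at end of data (assumption for the
    end-of-data case). closed_txn=0: evicted because a new key arrived while
    the pool already held maxopentxn open transactions; the least recently
    updated one is sacrificed and is emitted only if keepevicted is true."""
    pool = OrderedDict()   # key -> list of events, least recently updated first
    out = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev[key]
        if k in pool and ev["_time"] - pool[k][-1]["_time"] > maxpause:
            out.append((k, pool.pop(k), 1))          # gap too long: close it
        if k not in pool and len(pool) >= maxopentxn:
            victim, evs = pool.popitem(last=False)   # LRU eviction
            if keepevicted:
                out.append((victim, evs, 0))
        pool.setdefault(k, []).append(ev)
        pool.move_to_end(k)                          # now most recently updated
    for k, evs in pool.items():
        out.append((k, evs, 1))
    return out


# Constructed firewall events (not real data): four sources probing ports,
# interleaved so that the pool fills up while every source is still active.
FW = [
    {"_time": 0,   "src": "10.1.1.1", "dport": 22},
    {"_time": 5,   "src": "10.1.1.2", "dport": 22},
    {"_time": 10,  "src": "10.1.1.1", "dport": 80},
    {"_time": 15,  "src": "10.1.1.3", "dport": 22},
    {"_time": 20,  "src": "10.1.1.2", "dport": 80},
    {"_time": 25,  "src": "10.1.1.4", "dport": 22},   # fourth key: pool of 3 is full
    {"_time": 100, "src": "10.1.1.2", "dport": 443},  # 80 s gap > maxpause=60
]


def run(keepevicted):
    """`| transaction src maxpause=60s maxopentxn=3 keepevicted=<bool>`,
    summarised as (src, eventcount, closed_txn)."""
    return [(k, len(evs), closed) for k, evs, closed in
            transaction_stream(FW, "src", maxpause=60, maxopentxn=3,
                               keepevicted=keepevicted)]


def evicted_sources(keepevicted):
    """Sources whose partial scan survived only because keepevicted is true."""
    return [k for k, _, closed in run(keepevicted) if closed == 0]
```

With keepevicted at its default of false, the probing host 10.1.1.1 vanishes from the output the moment it is evicted, although it touched two ports; with keepevicted=true it is emitted with closed_txn=0 so it can be flagged as incomplete. That is why keepevicted is about completeness rather than speed (question 35): it adds output, it does not shrink the pool. The lever that actually bounds memory is the pool size, and the price of a small pool on high-cardinality data is exactly these silent losses.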

58
MCQmedium

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads: `index=web sourcetype=access_combined | transaction transaction_id maxspan=60s | eval total_time = sum(response_time_ms) | where total_time > 5000` However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?

A.The `maxspan=60s` is too short; some page loads may take longer than 60 seconds, causing incomplete transactions.
B.The `transaction` command is grouping by `transaction_id`, but the events might have different transaction_id values for the same page load.
C.The field name is misspelled; it should be `response_time` not `response_time_ms`.
D.The `eval total_time = sum(response_time_ms)` is incorrect because after `transaction`, `response_time_ms` is a multivalue field, and `sum()` does not automatically calculate the sum of multivalue fields.
AnswerD

`sum()` is a statistical function; you need `eval total_time = mvsum(response_time_ms)` or use `stats sum` in a different approach.

Why this answer

Option D is correct because after the `transaction` command, `response_time_ms` becomes a multivalue field containing all the individual response times from the events in the transaction. The `sum()` function in `eval` does not automatically aggregate multivalue fields; it requires explicit use of the `mvsum()` function or a `stats sum()` approach. Without this, `total_time` is not calculated correctly, so the `where` clause never matches, returning no results despite slow pages existing.

Exam trap

The trap here is that candidates assume `sum()` in `eval` automatically aggregates multivalue fields, but Splunk's `eval` does not support aggregation functions on multivalue fields without explicit `mv` functions.

How to eliminate wrong answers

Option A is wrong because the search is designed to find slow pages with total time > 5000 ms (5 seconds), and the `maxspan=60s` is more than sufficient to capture transactions that take over 10 seconds; the issue is not the maxspan duration. Option B is wrong because the team verified that logs contain `transaction_id` values and that pages take over 10 seconds, implying the same `transaction_id` is used per page load; if IDs differed, the `transaction` command would simply create separate transactions, not cause zero results. Option C is wrong because the field name `response_time_ms` is explicitly stated in the question as a field in the logs, and there is no evidence of a misspelling; the problem lies in how the field is processed after `transaction`.

59
MCQeasy

A Splunk admin wants to group events from the same user session in web logs. Which transaction option should be used to ensure the transaction ends after 30 minutes of inactivity?

A.maxpause=30m
B.keepevicted=true
C.maxspan=30m
D.maxevents=100
AnswerA

maxpause ends transaction after 30 minutes of inactivity between events.

Why this answer

Option A is correct because maxpause ends the transaction if the time between events exceeds the specified duration. Option C (maxspan) limits total duration, not inactivity. Option D (maxevents) limits the number of events.

Option B (keepevicted) retains partial transactions that were evicted.

60
MCQmedium

An analyst wants to find transactions where the first event was a 'login' and the last event was a 'logout'. Which post-transaction filter is correct?

A.where action[0]="login" AND action[-1]="logout"
B.where first(action)="login" AND last(action)="logout"
C.where action="login" AND action="logout"
D.where mvindex(action,0)="login" AND mvindex(action,-1)="logout"
AnswerD

Correct: mvindex accesses elements by position.

Why this answer

Option D is correct because mvindex accesses the first (index=0) and last (index=-1) values of a multivalue field. Option A uses invalid syntax. Option B uses nonexistent functions.

Option C would match if both values appear anywhere in the multivalue field, not necessarily first/last.

61
MCQhard

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

A.Use the 'kvform' command instead of transaction.
B.Use a subsearch to first filter events and then apply transaction on the smaller set.
C.Add more fields to the transaction to make it more specific.
D.Increase the maxspan value to 2 hours to reduce the number of transactions.
AnswerB

A subsearch can pre-filter or aggregate events, reducing the input size for transaction and thus memory.

Why this answer

Option B is correct because using a subsearch first reduces the dataset size before the 'transaction' command processes it, directly addressing the memory issue. The 'transaction' command groups events into memory until they are finalized, so a smaller input set means fewer events held simultaneously, lowering memory consumption while still allowing the 1-hour maxspan correlation per user_id.

Exam trap

The trap here is that candidates often assume increasing maxspan or adding fields will reduce memory usage, but these actions actually increase the memory footprint or do not address the root cause of excessive data volume.

How to eliminate wrong answers

Option A is wrong because 'kvform' extracts key-value pairs from event data and does not perform event correlation or grouping, so it cannot replace the 'transaction' command's functionality. Option C is wrong because adding more fields to the 'transaction' command increases the specificity of grouping but does not reduce memory usage; in fact, it may increase memory overhead by requiring more comparisons. Option D is wrong because increasing maxspan to 2 hours would allow longer time windows, potentially increasing the number of events grouped per transaction and worsening memory consumption, not reducing it.

62
Multi-Selectmedium

A Splunk administrator is troubleshooting a search that uses the `transaction` command. The search is taking too long to complete and returning incomplete results. Which TWO changes are most likely to improve performance and accuracy of transaction searches? (Choose TWO.)

Select 2 answers
A.Remove the `maxspan` parameter to allow transactions of any duration.
B.Use `mvcombine` to combine multivalued fields before the transaction.
C.Use `fields` before `transaction` to include only necessary fields.
D.Increase the `maxevents` value to allow more events per transaction.
E.Set an appropriate `maxspan` value based on the expected duration of correlated events.
AnswersC, E

Reduces data volume processed by transaction.

Why this answer

Option C is correct because using the `fields` command before `transaction` reduces the amount of data Splunk must process by retaining only the fields necessary for correlation and output. This minimizes memory and CPU overhead, directly improving search performance and reducing the risk of incomplete results due to resource limits.

Exam trap

Splunk often tests the misconception that increasing limits (like `maxevents` or removing `maxspan`) will improve results, when in fact it exacerbates resource exhaustion and incomplete data.

63
MCQmedium

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

A.startswith=login endswith=logout
B.mvlist=session_id
C.maxspan=30m
D.maxpause=1800
AnswerD

maxpause=1800 seconds (30 minutes) closes the transaction after 30 minutes of inactivity.

Why this answer

Option D (maxpause=1800) is correct because it sets a maximum inactivity period of 1800 seconds (30 minutes) between events in a transaction. When no new events with the same session_id arrive within that window, the transaction is considered complete. This directly addresses the requirement to end a session after 30 minutes of inactivity, regardless of the total duration of the session.

Exam trap

The trap here is confusing maxspan (total duration limit) with maxpause (inactivity timeout), leading candidates to choose maxspan=30m when the requirement explicitly calls for an inactivity-based end condition.

How to eliminate wrong answers

Option A is wrong because startswith=login endswith=logout defines explicit start and end events for the transaction, but the requirement is to end based on inactivity, not on a specific logout event. Option B is wrong because mvlist=session_id is not a valid transaction command option; it is used with the stats or eventstats command to create a multivalue field, not to control transaction boundaries. Option C is wrong because maxspan=30m sets a maximum total time span for the entire transaction from first to last event, not a pause or inactivity limit; if events span more than 30 minutes, the transaction is forcibly split, which does not match the requirement of ending after 30 minutes of inactivity.

64
MCQhard

A security team notices that using `transaction` on a large dataset of firewall logs causes memory issues. Which alternative approach would most efficiently correlate events while reducing resource consumption?

A.Use `concurrency` command to group events
B.Increase `maxtransize` and `maxopentxn` in limits.conf
C.Use `append` with subsearch to join events
D.Use `stats` by session_id list(src_ip), list(dest_ip) with `bin` time
AnswerD

stats consumes less memory than transaction for grouping events.

Why this answer

Option D is correct because `stats` with `list()` and `values()` is more memory-efficient than `transaction` for correlating events. Option B (increasing limits) is a workaround, not an efficiency gain. Option A (`concurrency`) is not applicable.

Option C (`append`) is less efficient.

65
Multi-Selecthard

A security analyst is writing a search to detect lateral movement across servers by correlating authentication events from multiple domain controllers. Each event has a `user`, `src_ip`, and `dest_ip`. The analyst wants to group events where the same user authenticates from at least 3 different source IPs within 10 minutes. Which THREE components must be part of the search to achieve this? (Choose THREE.)

Select 3 answers
A.Use `transaction user` to group events by user.
B.After the transaction, use `where mvcount(src_ip)>=3` to filter transactions with at least 3 distinct source IPs.
C.Set `maxspan=10m` to limit the grouping window to 10 minutes.
D.Use `maxevents=3` to ensure at least three events per transaction.
E.Use `dedup user` before the transaction to reduce events.
AnswersA, B, C

Groups events by user for correlation.

Why this answer

Option A is correct because the `transaction` command groups events that share a common field value (in this case, `user`) into a single transaction. This is essential for correlating authentication events from multiple domain controllers where the same user appears, allowing subsequent analysis of the source IPs within each group.

Exam trap

The trap here is that candidates may confuse `maxevents` with the requirement for distinct source IPs, or think that `dedup` is needed to reduce data volume, when in fact it would break the correlation by removing necessary events.

66
MCQeasy

A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?

A.Increase the maxspan value
B.Remove the maxspan constraint
C.Set keepevicted=false
D.Use a different field with lower cardinality for grouping
AnswerD

Lower cardinality means fewer transaction groups, reducing memory and computation.

Why this answer

Option D is correct because the transaction command groups events based on field values, and high cardinality fields create many unique groups, each requiring memory for state tracking. Using a lower-cardinality field reduces the number of concurrent groups, directly lowering memory consumption and processing time. This addresses the root cause rather than adjusting timeouts or eviction policies.

Exam trap

The trap here is that candidates often focus on adjusting time-based parameters (maxspan, maxpause) or output options (keepevicted) instead of recognizing that the fundamental issue is the cardinality of the grouping field, which directly drives memory and state management overhead.

How to eliminate wrong answers

Option A is wrong because increasing maxspan allows the transaction to span a longer time window, which can actually increase memory usage by keeping events in memory longer, not reduce it. Option B is wrong because removing the maxspan constraint removes any time boundary, causing the transaction to wait indefinitely for events, which can dramatically increase memory usage and completion time. Option C is wrong because keepevicted=false controls whether evicted (incomplete) transactions are returned, but it does not reduce the memory consumed by the active transaction groups themselves; it only affects output behavior.

67
MCQmedium

An analyst writes `transaction client_ip` to group events from a firewall. The resulting transactions show many events with duration=0. What is the most likely cause?

A.The client_ip field contains duplicates
B.The transaction option maxspan is set too high
C.The events are not time-stamped properly
D.There is only one event per client_ip in the time range
AnswerD

If only one event exists, the transaction will have duration 0. To avoid this, use startswith/endswith or adjust maxspan.

Why this answer

A duration of 0 often occurs when there is only one event in the transaction. This can happen if the events do not meet the criteria for starting or ending a transaction, or if the maxpause is too short.

68
MCQhard

A Splunk analyst runs the above search. The results show that some transactions have a duration of 0 seconds. What is the most likely cause?

A.The transaction command failed to group events properly and returned only the login event.
B.The transaction command is processing events out of order, causing login and logout timestamps to be the same.
C.The maxevents=5 limitation causes the transaction to close early, but the logged duration is still calculated correctly from the first event timestamp.
D.Some user sessions are missing a logout event, resulting in a transaction that consists of only a login event, so _time_delta is undefined or zero.
AnswerD

Without a logout event, the transaction may contain only one event, and duration is not calculated, defaulting to 0.

Why this answer

Option D is correct because when a transaction lacks an end event (like a logout), the transaction command closes based on other limits (e.g., maxspan, maxpause, or maxevents) and contains only the start event. In such cases, the duration (_time_delta) is calculated from the first event's timestamp to the last event's timestamp; with only one event, the difference is zero or undefined, resulting in a 0-second duration.

Exam trap

Splunk often tests the misconception that a 0-second duration is caused by a grouping or ordering error, when in fact it is a direct result of incomplete transactions (missing end events) within the transaction command's logic.

How to eliminate wrong answers

Option A is wrong because the transaction command groups events correctly based on the fields specified (e.g., user or session ID); a 0-second duration is not caused by a failure to group but by incomplete transactions. Option B is wrong because the transaction command processes events in time order (as indexed) and does not arbitrarily reorder timestamps; if login and logout timestamps were the same, it would indicate simultaneous events, not a processing order issue. Option C is wrong because maxevents=5 limits the number of events in a transaction but does not cause early closure that results in a 0-second duration; the duration is calculated from the first to the last event in the transaction, so if multiple events exist, the duration would be non-zero.

69
Multi-Selecthard

Which THREE of the following are valid ways to correlate events in Splunk? (Select exactly 3 correct answers.)

Select 3 answers
A.Using the subsearch command.
B.Using the join command with a common field.
C.Using the append command.
D.Using the stats command with values().
E.Using the transaction command with a common field.
AnswersB, D, E

Correct: join correlates events from two datasets.

Why this answer

Transaction groups events based on common fields. Join can correlate events from two searches. Stats with values can also correlate by grouping events into a single result.

Append and subsearch do not perform correlation.

70
MCQmedium

A financial company wants to group all events related to a single trading session. The session ID appears in all events. Which is the most efficient way to correlate these events without using transaction?

A.Use sort to order events by timestamp.
B.Use stats with values() on the event fields.
C.Use join to combine events on sessionId.
D.Use append with a subsearch.
AnswerB

stats by sessionId with values(*) groups all events by session.

Why this answer

Option B is correct because using stats with values() can list all events per session ID efficiently. Option D (append) merges results but doesn't group. Option C (join) is for lookup-style combination of two searches.

Option A (sort) reorders but doesn't group.

71
MCQhard

A Splunk admin is troubleshooting a transaction that groups firewall allow and deny events by session ID. The transaction should end when a deny event occurs for that session. Which transaction option should be used to define the end condition?

A.endswith="action=allow"
B.startswith="action=deny"
C.endswith="action=deny"
D.maxevents=2
AnswerC

Correct: This ends the transaction when a deny event is encountered.

Why this answer

Option C is correct because `endswith="action=deny"` specifies the event that terminates the transaction. Option A ends with allow, Option B starts with deny, and Option D limits the number of events but does not define an end condition.

72
Multi-Selecteasy

Which TWO options can be used with the `transaction` command to define the beginning and end of a transaction?

Select 2 answers
A.closed_txn
B.maxpause
C.endswith
D.startswith
E.maxspan
AnswersC, D

Defines the end event.

Why this answer

startswith and endswith define boundary events. maxspan and maxpause are constraints.

73
MCQeasy

An analyst wants to correlate events from different sourcetypes (e.g., authentication logs and VPN logs) that share a common user field. The goal is to create a single event per user session containing all fields from both sourcetypes. Which command is best suited for this?

A.append
B.union
C.transaction
D.join
AnswerC

Correct: Groups events by common field across sourcetypes.

Why this answer

Option C is correct. The transaction command groups events based on a common field (user) and can include events from multiple sourcetypes. Option A (append) adds rows, D (join) requires a field and may not preserve sessions, and B (union) combines schemas but does not correlate.

74
Matchingmedium

Match each Splunk search mode to its behavior.



Optimizes for speed, may skip event data

Balances speed and completeness (default)

Returns all available fields for each event

Searches data as it is indexed

Searches data already indexed

Why these pairings

Search modes control how Splunk processes and returns results.

75
MCQeasy

A Splunk search uses 'transaction clientip maxpause=5m'. What does the maxpause setting control?

A.The maximum number of transactions allowed.
B.The maximum number of events in the transaction.
C.The maximum total time span of the transaction.
D.The maximum time gap between events in the transaction.
AnswerD

Correct: maxpause defines the allowed gap between consecutive events.

Why this answer

maxpause sets the maximum inactivity timeout: if no new event for the same clientip arrives within 5 minutes, the transaction is closed.
