SPLK-1003 · topic practice

Transactions and Event Correlation practice questions

Practise Splunk Core Certified Power User SPLK-1003 Transactions and Event Correlation practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Transactions and Event Correlation

What the exam tests

What to know about Transactions and Event Correlation

Transactions and Event Correlation questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Transactions and Event Correlation exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Transactions and Event Correlation questions

20 questions · select your answer, then reveal the explanation

A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

A Splunk user wants to group web server logs into transactions representing a single user visit, where a visit starts with a 'GET' request and ends with a 'POST' request. Which transaction command syntax correctly implements this logic?

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

A Splunk user needs to correlate events from different sourcetypes (web_access, auth_log, app_log) that share a common 'transaction_id' field. Each transaction_id may appear many times across sourcetypes. The user wants to group all events with the same transaction_id into one transaction, without any time constraints. Which transaction command is most appropriate?

Which TWO statements about the 'transaction' command are correct? (Choose two.)

Which THREE conditions must be met for events to be grouped into the same transaction when using the 'transaction' command without any 'startswith' or 'endswith' options? (Choose three.)

Refer to the exhibit. A Splunk user runs the search shown. The search returns results, but the user notices that some clientip values appear multiple times in the stats output, even though they should have been grouped into a single transaction. What is the most likely reason for this?

Exhibit

```
index=main sourcetype=access_combined
| transaction clientip maxspan=30m maxevents=5
| stats count by clientip
```

Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?

Exhibit

```
index=security sourcetype=linux_secure
| eval session_id=if(like(_raw,"%Accepted publickey%"), _raw, null())
| transaction session_id maxpause=5m
| table _time, session_id, duration
```

An analyst needs to correlate events from a web server log and an application log to identify failed login attempts followed within 5 seconds by an error event. The events share a common session ID field. Which approach should the analyst use?


A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?

A Splunk administrator notices that a transaction command is consuming excessive memory and taking too long to complete. The transaction is defined on a field with high cardinality. Which of the following would most effectively reduce memory usage and improve performance?

A Splunk user wants to correlate events from different sourcetypes (web_access, app_log) that belong to the same user session identified by session_id. The events should be grouped only if they occur within 30 minutes of each other, and each transaction should contain at least one event from each sourcetype. Which SPL construct should they use?

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

Which TWO statements are true about the `transaction` command in Splunk?

Which THREE of the following are valid use cases for the `transaction` command in Splunk?

Refer to the exhibit. The search is intended to count the number of clients who made more than 3 HTTP requests within any 30-minute window. However, the results are unexpectedly high. What is the most likely reason?

Exhibit

```
sourcetype=access_combined
| transaction clientip maxspan=30m
| where mvcount(method) > 3
| stats count by clientip
```

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

Exhibit

```
index=main sourcetype=linux_secure
| eval stage=case(
    like(_raw,"%Failed password%"),"failed",
    like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```

A security team needs to correlate failed login attempts across multiple web servers to identify brute force attacks. Each server logs authentication failures with timestamps and source IPs. The team wants to create a transaction that groups failed attempts within 5 minutes from the same IP, but only if there are at least 3 failures. Which approach correctly implements this requirement?


A Splunk administrator notices that a `transaction` command used for correlating VPN login and logout events is consuming excessive memory and causing search timeouts. The transaction groups events by `user` with `maxspan=12h` and `maxpause=30m`. The VPN logs contain millions of events per day. Which design change would most effectively reduce resource consumption while maintaining the ability to correlate logins and logouts within the same session?


Frequently asked questions

What does the SPLK-1003 exam test about Transactions and Event Correlation?

Transactions and Event Correlation questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?

Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Transactions and Event Correlation questions in a focused session?

Yes — the session launcher on this page draws every question from the Transactions and Event Correlation domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SPLK-1003 topics?

Use the topic links above to move to related areas, or go back to the SPLK-1003 question bank to see all topics.

Are these real exam questions or dumps?

These are original practice questions written to test the same concepts the SPLK-1003 exam covers. They are not copied from any real exam or dump site.