A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?
- A (correct)
Define the root dataset as an event dataset and add a transaction dataset that groups those events for duration calculations.
Why right: event counts are served by the root event dataset, which can be accelerated and answered from its tsidx summaries with tstats, while the transaction dataset groups each user's login and logout events so that a duration can be averaged. Transaction datasets cannot be accelerated, so keeping the transaction as a narrow add-on rather than the root preserves fast counts and still supports duration.
- B
Define the root event as an event type with calculated fields for duration.
Why wrong: a calculated field is evaluated per event at search time, so it adds overhead to every search over the root dataset, and it cannot produce a session duration at all: the login and the logout are separate events, and a per-event eval never sees both together.
- C
Define the root event as a transaction type to include duration inherently.
Why wrong: transaction datasets cannot be accelerated and are less flexible for aggregation, so every pivot, including a simple count, would pay the cost of grouping events with the transaction command.
- D
Create separate data models for counts and durations.
Why wrong: two models double the maintenance and acceleration cost for no gain; one model with an event dataset and a transaction dataset supports both.
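The two searches that the design in option A resolves to, added here as an illustration and not taken from the question or from Splunk documentation. The index, sourcetype, field values, the model name Auth_Model and the dataset name Auth_Events are assumed; the first search is what a count pivot on the accelerated root event dataset runs, the second is what the transaction dataset expands to for the duration pivot.

```spl
| tstats summariesonly=true count ```counts only, answered from the accelerated tsidx summary of the assumed Auth_Events root event dataset```
    from datamodel=Auth_Model.Auth_Events
    where Auth_Events.action="login"
    by Auth_Events.user, Auth_Events.src

index=auth sourcetype=linux_secure (action="login" OR action="logout") ```assumed index, sourcetype and action values```
| transaction user startswith="action=login" endswith="action=logout" maxspan=12h ```what the transaction dataset expands to; transaction is never accelerated, so bound it with maxspan```
| search closed_txn=1 ```keep only sessions that have both a login and a logout```
| stats count AS sessions, avg(duration) AS avg_session_seconds by user
```

The `duration` and `closed_txn` fields are created by the transaction command; tstats cannot read either, which is exactly why the duration pivot has to come from the transaction dataset while counts stay on the root event dataset.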