Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Splunk Power User > Correlating Events > Flashcards

Correlating Events Flashcards

1
Q

What does the |transaction command do?

A

The |transaction command allows you to group events together based on one or more fields

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What fields does the |transaction command add to events?

A
  • duration
  • eventcount
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the syntax for the |transaction command?

A

|transaction (<field>|<fields>) [options]</fields></field>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What options are available for the |transaction command?

A
  • maxspan
  • maxpause
  • maxevents
  • startswith
  • endswith
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

If a transaction has more than five events, what is present?

A

A show all # lines option showing the rest of the events.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

True or False: Fields within each transaction can have multiple values

A

True

Transactions are pulling multiple events, aka multivalued fields.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What does the maxspan option do?

A

Controls the maximum total time between the earliest and latest events. Defaults to -1 (no max time limit)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What does the maxpause option do?

A

Controls the maximum total time between events. Defaults to -1 (no max time pause limit)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

True or False: you can pipe to transforming commands after the transaction command

A

True.

You can use stats and transforming commands with transactions to create reports and visualizations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

True or False: The transaction command can contain the eval function.

A

True.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Transactions are assigned either a 0 or 1 in the closed_txn field. What do these indicate?

A

1 - Conditions are met and the transaction is complete.

0 - Conditions are not met and the transaction is incomplete.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does the keepevicted option of the |transaction command do?

A

keepevicted takes a value of true or false, and is set to 0 by default, evicting all complete transactions. Setting keepevicted to a value of 1, will show incomplete transactions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Since the transaction command is resource intensive, you should ______.

A

use the stats command whenever possible.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

When is the transaction command a better choice over the stats command?

A

When events need to be seen correlated together and displayed in the raw event view.

When you need to define event grouping on start/end values or segment on time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How is stats different from transactions?

A
  • Faster and more efficient
  • Can perform calculations
  • Can group events based on a single field value (e.g. “by src_ip”)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What happens when the transaction command reaches 1,000 events per transaction?

A

A new transaction grouping will be created.

17
Q

Does stats have a limit?

A

No.

Splunk Power User (10 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions