Correlating Events Mod 6 Flashcards
What is a Transaction?
A transaction is any group of related events that span time
Where can events come from?
Events can come from multiple applications or hosts
Where can the events related to a single purchase from an online store come from?
They can span an application server, a database, and an e-commerce engine
True or False: One email message can create multiple events as it travels through various queues.
True
What does a single network traffic log event represent?
A single user generating a single HTTP request
Visiting a single website normally generates what kind of HTTP requests?
Many requests per page: the HTML, the JavaScript and CSS files, Flash, images, etc., so one visit produces many log events
What are some of the transaction command’s characteristics?
- field-list can be one field name or a list of field names
- events are grouped into transactions based on the values of these fields
- if multiple fields are specified and a relationship exists between those fields, events with related field values are grouped into a single transaction
What are the common constraints for the transaction command?
maxspan
maxpause
startswith
endswith
When would you use the transaction command?
When you want to create a single event from a group of related events
“the events must share the same value in the specified field(s)”
Transactions can cross multiple tiers such as ___ or ___
Web servers or Application servers
What command could you use at any point in the search pipeline to filter results?
The search command
“behaves exactly like search strings before the first pipe”
What does the highlight command do?
It highlights the terms you specify
example: highlight JSESSIONID
The transaction command produces additional fields, such as?
- duration - the difference between the timestamps for the first and last event in the transaction
- eventcount - the number of events in the transaction
Besides the grouping fields, what else can you define when using the transaction command?
A maximum overall time span and a maximum gap (pause) between consecutive events
How would you set the overall max time span using the transaction command?
- maxspan=10m
- maximum total time allowed between the earliest and latest events in a transaction
- if not specified, the default is -1 (no limit)
How would you set the max gap between events using the transaction command?
- maxpause=1m
- maximum time allowed between any two consecutive events in a transaction
- if not specified, the default is -1 (no limit)
With maxspan=10m, events from the same client IP that span more than 10 minutes are considered?
Unrelated (they are split into separate transactions)
With maxpause=1m, there can be no more than ____ between any two consecutive related events
One minute (a longer gap starts a new transaction)
To form transactions based on terms, field values, or evaluations, use?
The startswith and endswith options
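To make the constraints above concrete, here is an added example written for this study guide (it is not Splunk's own code): a toy re-implementation of the grouping rules behind the transaction command, run over constructed web access log events. It mimics `transaction clientip maxspan=10m maxpause=1m startswith="action=addtocart" endswith="action=purchase"` and reports the `duration` and `eventcount` fields the command produces. Assumptions and simplifications: events are processed in chronological order, grouping is an exact match on the listed fields (Splunk's transitive linking of related fields such as mid/dcid/icid is not modelled), times are epoch seconds, and the `SAMPLE_EVENTS`, `summarize` and `transaction` names are this example's own.

```python
"""Added example, not Splunk code: toy model of the transaction command's
grouping rules.  -1 means "no limit" for maxspan/maxpause, as in Splunk.
Simplifications: chronological processing, exact-match grouping on the
listed fields, no transitive field linking."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

Event = dict                                  # field name -> value, "_time" in epoch seconds
Predicate = Optional[Callable[[Event], bool]]


@dataclass
class Transaction:
    key: tuple                                # values of the grouping fields
    events: list = field(default_factory=list)

    @property
    def eventcount(self) -> int:              # Splunk's eventcount field
        return len(self.events)

    @property
    def duration(self):                       # Splunk's duration field: last minus first timestamp
        return self.events[-1]["_time"] - self.events[0]["_time"]

    @property
    def time(self):                           # Splunk sets the transaction's _time to the earliest event
        return self.events[0]["_time"]


def transaction(events: Iterable[Event], fields: list, *, maxspan: float = -1,
                maxpause: float = -1, startswith: Predicate = None,
                endswith: Predicate = None) -> list:
    """Group events that share the same values in `fields` into transactions."""
    open_txn: dict = {}                       # grouping key -> transaction still accepting events
    done: list = []

    def close(key):
        txn = open_txn.pop(key, None)
        if txn is not None:
            done.append(txn)

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)
        if None in key:
            continue                          # missing a grouping field: cannot be correlated
        txn = open_txn.get(key)
        if txn is not None:
            over_span = maxspan >= 0 and ev["_time"] - txn.time > maxspan
            over_pause = maxpause >= 0 and ev["_time"] - txn.events[-1]["_time"] > maxpause
            restarts = startswith is not None and startswith(ev)
            if over_span or over_pause or restarts:
                close(key)                    # this event is unrelated to the open transaction
                txn = None
        if txn is None:
            txn = open_txn[key] = Transaction(key)
        txn.events.append(ev)
        if endswith is not None and endswith(ev):
            close(key)                        # the endswith event is included, then the transaction closes

    for key in list(open_txn):                # flush transactions still open at end of data
        close(key)
    return sorted(done, key=lambda t: t.time)


def summarize(txns: list) -> list:
    """(clientip, eventcount, duration) per transaction, like `| table clientip eventcount duration`."""
    return [(t.key[0], t.eventcount, t.duration) for t in txns]


T0 = 1_700_000_000                            # constructed sample data, not real traffic
SAMPLE_EVENTS = [
    {"_time": T0 + 0,    "clientip": "10.0.0.5", "action": "view",      "uri": "/product/1"},
    {"_time": T0 + 30,   "clientip": "10.0.0.5", "action": "addtocart", "uri": "/cart"},
    {"_time": T0 + 70,   "clientip": "10.0.0.5", "action": "view",      "uri": "/checkout"},
    {"_time": T0 + 100,  "clientip": "10.0.0.5", "action": "purchase",  "uri": "/pay"},
    {"_time": T0 + 400,  "clientip": "10.0.0.5", "action": "view",      "uri": "/product/2"},
    {"_time": T0 + 410,  "clientip": "10.0.0.9", "action": "view",      "uri": "/"},
    {"_time": T0 + 1500, "clientip": "10.0.0.9", "action": "view",      "uri": "/product/3"},
]

if __name__ == "__main__":
    print("no limits  ", summarize(transaction(SAMPLE_EVENTS, ["clientip"])))
    print("maxpause=1m", summarize(transaction(SAMPLE_EVENTS, ["clientip"], maxpause=60)))
    print("maxspan=10m", summarize(transaction(SAMPLE_EVENTS, ["clientip"], maxspan=600)))
    print("start/end  ", summarize(transaction(
        SAMPLE_EVENTS, ["clientip"],
        startswith=lambda e: e["action"] == "addtocart",
        endswith=lambda e: e["action"] == "purchase")))
```

With no limits, 10.0.0.5's five events become one transaction of duration 400 s. maxpause=60 splits off the event at +400 s because the 300 s gap exceeds the pause, while maxspan=600 leaves 10.0.0.5 intact (its span is only 400 s) but splits 10.0.0.9, whose two events are 1090 s apart. With startswith/endswith, the addtocart event opens a new transaction and the purchase event closes it, so the cart-to-purchase sequence comes out as its own three-event transaction.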
When do transactions become really useful?
When a single event does not provide enough information on its own
What can you use to investigate events when they don’t provide enough information?
The transaction command can help narrow down what you’re looking for
What are you able to do after you have created a transaction?
You can then search within the transaction and see the additional correlated events
In the email-log example, which fields does the transaction command group on?
mid - Message ID
dcid - Delivery Connection ID
icid - Incoming Connection ID
(events with related values of these fields are linked into one transaction that follows a message through the mail system)
Can you use statistics and reporting commands with the transaction command?
Yes; the output of transaction can be piped into them, and the duration and eventcount fields it produces can be used in the calculations
When it comes to choosing between transaction and stats, which one is better?
When you have a choice, use stats: it is faster and more efficient, especially in large Splunk environments
Only use the transaction command when you?
- need to see events correlated together
- must define event grouping based on start/end values or segment on time
Use the stats command when you?
- want to see the results of a calculation
- can group events based on a field value (e.g., by src_ip)
By default what is the limit of events per transaction?
1,000 events
Is there a limit to how many events stats can return?
No such limit applies to stats
Are you able to change the limit for transactions, and if so, how?
Yes. Per search, the transaction command’s maxevents argument raises or lowers it (default 1000); admins can change the system-wide limit by configuring max_events_per_bucket in limits.conf
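The stats-versus-transaction guidance and the 1,000-event cap above are easier to see in code. The following is an added example written for this study guide (not Splunk's own code): the stats-style alternative to transaction, done as one streaming pass, mirroring `stats count, min(_time) AS start, range(_time) AS duration, dc(uri) AS pages BY clientip`. Here count stands in for transaction's eventcount and range(_time) for duration, but the aggregator keeps one small record per clientip instead of buffering every event, accepts events in any order, and has no per-group event cap, whereas transaction would split the same client's activity at 1,000 events by default. The events are generated locally (constructed, not real traffic), and `stats_by_clientip` and `make_stream` are this example's own names.

```python
"""Added example, not Splunk code: a single-pass stats-style aggregation
(count, min/max/range of _time, dc(uri) BY clientip) over constructed events."""


def stats_by_clientip(events):
    """One pass over the events; returns {clientip: {count, start, duration, pages}}."""
    agg = {}                                  # one record per BY value, regardless of event volume
    for ev in events:
        ip = ev.get("clientip")
        if ip is None:
            continue                          # no value for the BY field: stats leaves it out
        rec = agg.get(ip)
        if rec is None:
            rec = agg[ip] = {"count": 0, "start": ev["_time"], "end": ev["_time"], "uris": set()}
        rec["count"] += 1                               # count
        rec["start"] = min(rec["start"], ev["_time"])   # min(_time)
        rec["end"] = max(rec["end"], ev["_time"])       # max(_time)
        rec["uris"].add(ev.get("uri"))                  # feeds dc(uri)
    return {
        ip: {"count": r["count"], "start": r["start"],
             "duration": r["end"] - r["start"],         # range(_time)
             "pages": len(r["uris"])}                   # dc(uri)
        for ip, r in agg.items()
    }


def make_stream(n_per_ip, ips, step=2):
    """Constructed load (not real data): n_per_ip requests per client, `step` seconds
    apart, yielded newest first, the order Splunk returns events in, cycling 50 URIs."""
    t0 = 1_700_000_000
    for ip in ips:
        for i in reversed(range(n_per_ip)):
            yield {"_time": t0 + i * step, "clientip": ip, "uri": f"/page/{i % 50}"}


if __name__ == "__main__":
    # 2,500 events per client: well past transaction's default 1,000-event cap,
    # yet stats reports the full count and time range per client in one pass.
    for ip, r in stats_by_clientip(make_stream(2500, ["10.0.0.5", "10.0.0.9"])).items():
        print(ip, r)
```

Because the aggregation never needs to look at two events together, it runs in one pass and in memory proportional to the number of distinct client IPs, which is why stats is the better choice when the question is "how many, how long, how many distinct" rather than "show me the correlated events".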