Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Power User Splunk > Correlating Events Mod 6 > Flashcards

Correlating Events Mod 6 Flashcards

1
Q

What is a Transaction?

A

A transaction is any group of related events that span time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Where can events come from?

A

Events can come from multiple applications or hosts

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Where can events related to a single purchase from an online store?

A

It can span across an application server, database, and e-commerce engine

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

True or False: Can one email message create multiple events as it travels through various queues?

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What does a network traffic log represent?

A

A single user generating a single http request

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Visiting a single website normally generates what kind of http requests?

A

HTML, JavaScript, CSS files

Flash, images, etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are some of the transaction command’s characteristics?

A
  • field-list can be one field name or a list of field names
  • events are grouped into transactions based on the values of these fields
  • if multiple fields are specified and a relationship exists between those fields, events with related field values are grouped into a single transaction
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the common constraints for the transaction command?

A

maxspan
maxpause
startswith
endswith

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

When would you use the transaction command?

A

When you want to create a single event from a group of events
“the events must share the same value in specified field”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Transactions can cross multiple tiers such as ___ or ___

A

Web servers or Application servers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What command could you use at any point in the search pipeline to filter results?

A

The search command

“behaves exactly like search strings before the first pipe”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does the highlight command do?

A

It highlights the terms you specify

example: highlight JSESSIONID

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The transaction command produces additional fields, such as?

A
  • duration - the difference between the timestamps for the first and last event in the transaction
  • eventcount - the number of events in the transaction
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

When using the transaction command you can also?

A

You can also define a max overall time span and max gap between events

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How would you set the overall max time span using the transaction command?

A
  • maxspan=10m
  • maximum total time between the earliest and latest events
  • if not specified, default is -1 (or no limit)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How would you set the overall max gap between events using the transaction command?

A
  • maxpause=1m
  • maximum total time between events
  • if not specified, default is -1 (or no limit)
17
Q

Transactions spanning more than 10 minutes with the same client IP are considered?

A

Unrelated

18
Q

There can be no more than ____ between any two related events

A

One minute

19
Q

To form transactions based on terms, field values, or evaluations, use?

A

startwith and endswith options

20
Q

When can transactions become really useful?

A

When a single event does not provide enough information

21
Q

What can you use to investigate events when they don’t provide enough information?

A

transactions command can help narrow down what you’re looking for

22
Q

What are you able to do after you have created a transaction?

A

You can then search and see additional events

23
Q

What are some of the options you can use with the transaction command?

A

mid - Messsage ID
dcid - Delivery Connectiion ID
icid - Incoming Connection ID

24
Q

Can you use statistics and reporting commands with the transactions command?

A

Yes you can

25
Q

When it comes to using either transaction or stats, which one is better?

A

When you have a choice, use stats, it’s faster and more efficient, especially in large Splunk environments

26
Q

Only use the transaction command when you?

A
  • need to see events correlated together

- must define event grouping based on start/end values or segment on time

27
Q

Use the stats command when you?

A
  • want to see the results of a calculation

- can group events based on a field value (e.g., by src_ip)

28
Q

By default what is the limit of events per transaction?

A

1,000 events

29
Q

Is there a limit to how many events stats can return?

A

No such limit applies to stats

30
Q

Are you able to change the limit for transactions and if so how?

A

Yes, you can change the limit. Admins can change the limit by configuring max_events_per_bucket in limits.conf

Power User Splunk (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions