Module 5: Correlating Events

Question 1

What is a Transaction?

Answer 1

A group of events related by having common values for one or more fields

Page 137 Mod 5

Question 2

Where can events come from?

Answer 2

Events can come from multiple sources, sourcetypes, or hosts, and can span several timestamps

Page 137 Mod 5

Question 3

Where can events related to a single purchase from an online store?

Answer 3

It can span across an application server, database, and e-commerce engine

Page 137 Mod 5

Question 4

True or False: Can one email message create multiple events as it travels through various queues?

Answer 4

True

Page 137 Mod 5

Question 5

What does a network traffic log represent?

Answer 5

A single user generating a single http request

Page 137 Mod 5

Question 6

Visiting a single website normally generates what kind of http requests?

Answer 6

HTML, JavaScript, CSS files

Flash, images, etc

Question 7

What are some of the transaction command’s characteristics?

Answer 7

• field-list can be one field name or a list of field names
• events are grouped into transactions based on the values of these fields
• if multiple fields are specified and a relationship exists between those fields, events with related field values are grouped into a single transaction

Page 138 Mod 5

Question 8

What are the common constraints for the transaction command?

Answer 8

maxspan
maxpause
startswith
endswith

Page 138 Mod 5

Question 9

When would you use the transaction command?

Answer 9

When you want to create a single event from a group of events
“the events must share the same value in specified field”

Page 140 Mod 5

Question 10

Transactions can cross multiple tiers such as ___ or ___

Answer 10

Web servers or Application servers

Page 140 Mod 5

Question 11

What command could you use at any point in the search pipeline to filter results?

Answer 11

The search command
“behaves exactly like search strings before the first pipe”

Page 141 Mod 4

Question 12

What does the highlight command do?

Answer 12

It highlights the terms you specify
example: highlight JSESSIONID

Page 141 Mod 5

Question 13

The transaction command produces additional fields, such as?

Answer 13

• duration - the difference between the timestamps for the first and last event in the transaction
• eventcount - the number of events in the transaction

Page 143 Mod 5

Question 14

When using the transaction command you can also?

Answer 14

You can also define a max overall time span and max gap between events

Page 144 Mod 5

Question 15

How would you set the overall max time span using the transaction command?

Answer 15

• maxspan=10m
• maximum total time between the earliest and latest events
• if not specified, default is -1 (or no limit)

Page 144 Mod 5

Question 16

How would you set the overall max gap between events using the transaction command?

Answer 16

• maxpause=1m
• maximum total time between events
• if not specified, default is -1 (or no limit)

Page 144 Mod 5

Question 17

Transactions spanning more than 10 minutes with the same client IP are considered?

Answer 17

Unrelated

Page 144 Mod 5

Question 18

There can be no more than ____ between any two related events

Answer 18

One minute

Page 144 Mod 5

Question 19

To form transactions based on terms, field values, or evaluations, use?

Answer 19

startwith and endswith options

Page 145 Mod 5

Question 20

When can transactions become really useful?

Answer 20

When a single event does not provide enough information

Page 146 Mod 5

Question 21

What can you use to investigate events when they don’t provide enough information?

Answer 21

transactions command can help narrow down what you’re looking for

Page 146 Mod 5

Question 22

What are you able to do after you have created a transaction?

Answer 22

You can then search and see additional events

Page 147 Mod 5

Question 23

What are some of the options you can use with the transaction command?

Answer 23

mid - Messsage ID
dcid - Delivery Connectiion ID
icid - Incoming Connection ID

Page 147 Mod 5

Question 24

Can you use statistics and reporting commands with the transactions command?

Answer 24

Yes you can

Page 148 Mod 5

Question 25

When it comes to using either transaction or stats, which one is better?

Answer 25

When you have a choice, use stats, it’s faster and more efficient, especially in large Splunk environments

Page 149 Mod 5

Question 26

Only use the transaction command when you?

Answer 26

• need to see events correlated together
• must define event grouping based on start/end values or segment on time

Page 149 Mod 5

Question 27

Use the stats command when you?

Answer 27

• want to see the results of a calculation
• can group events based on a field value (e.g., by src_ip)

Page 149 Mod 5

Question 28

By default what is the limit of events per transaction?

Answer 28

1,000 events

Page 149 Mod 5

Question 29

Is there a limit to how many events stats can return?

Answer 29

No such limit applies to stats

Page 149 Mod 5

Question 30

Are you able to change the limit for transactions and if so how?

Answer 30

Yes, you can change the limit. Admins can change the limit by configuring max_events_per_bucket in limits.conf

Page 149 Mod 5