Module 5: Correlating Events Flashcards

1
Q

What is a Transaction?

A

A group of events related by having common values for one or more fields

Page 137 Mod 5

2
Q

Where can events come from?

A

Events can come from multiple sources, sourcetypes, or hosts, and can span several timestamps

Page 137 Mod 5

3
Q

Where can events related to a single purchase from an online store come from?

A

It can span across an application server, database, and e-commerce engine

Page 137 Mod 5

4
Q

True or False: One email message can create multiple events as it travels through various queues.

A

True

Page 137 Mod 5

5
Q

What does a network traffic log represent?

A

A single user generating a single HTTP request

Page 137 Mod 5

6
Q

Visiting a single website normally generates what kind of HTTP requests?

A

HTML, JavaScript, CSS files

Flash, images, etc

7
Q

What are some of the transaction command’s characteristics?

A
  • field-list can be one field name or a list of field names
  • events are grouped into transactions based on the values of these fields
  • if multiple fields are specified and a relationship exists between those fields, events with related field values are grouped into a single transaction

Page 138 Mod 5

8
Q

What are the common constraints for the transaction command?

A

maxspan
maxpause
startswith
endswith

Page 138 Mod 5

9
Q

When would you use the transaction command?

A

When you want to create a single event from a group of events
“the events must share the same value in the specified field”

Page 140 Mod 5

10
Q

Transactions can cross multiple tiers such as ___ or ___

A

Web servers or Application servers

Page 140 Mod 5

11
Q

What command could you use at any point in the search pipeline to filter results?

A

The search command
“behaves exactly like search strings before the first pipe”

Page 141 Mod 4

12
Q

What does the highlight command do?

A

It highlights the terms you specify
example: highlight JSESSIONID

Page 141 Mod 5

13
Q

The transaction command produces additional fields, such as?

A
  • duration - the difference between the timestamps for the first and last event in the transaction
  • eventcount - the number of events in the transaction

Page 143 Mod 5

14
Q

When using the transaction command you can also?

A

You can also define a max overall time span and max gap between events

Page 144 Mod 5

15
Q

How would you set the overall max time span using the transaction command?

A
  • maxspan=10m
  • maximum total time between the earliest and latest events
  • if not specified, default is -1 (or no limit)

Page 144 Mod 5

16
Q

How would you set the overall max gap between events using the transaction command?

A
  • maxpause=1m
  • maximum total time between events
  • if not specified, default is -1 (or no limit)

Page 144 Mod 5

17
Q

Transactions spanning more than 10 minutes with the same client IP are considered?

A

Unrelated

Page 144 Mod 5

18
Q

There can be no more than ____ between any two related events

A

One minute

Page 144 Mod 5

19
Q

To form transactions based on terms, field values, or evaluations, use?

A

startswith and endswith options

Page 145 Mod 5

20
Q

When can transactions become really useful?

A

When a single event does not provide enough information

Page 146 Mod 5

21
Q

What can you use to investigate events when they don’t provide enough information?

A

The transaction command can help narrow down what you’re looking for

Page 146 Mod 5

22
Q

What are you able to do after you have created a transaction?

A

You can then search and see additional events

Page 147 Mod 5

23
Q

What are some of the options you can use with the transaction command?

A

mid - Message ID
dcid - Delivery Connection ID
icid - Incoming Connection ID

Page 147 Mod 5

24
Q

Can you use statistics and reporting commands with the transaction command?

A

Yes, you can

Page 148 Mod 5

25
Q

When it comes to using either transaction or stats, which one is better?

A

When you have a choice, use stats; it’s faster and more efficient, especially in large Splunk environments

Page 149 Mod 5

26
Q

Only use the transaction command when you?

A
  • need to see events correlated together
  • must define event grouping based on start/end values or segment on time

Page 149 Mod 5

27
Q

Use the stats command when you?

A
  • want to see the results of a calculation
  • can group events based on a field value (e.g., by src_ip)

Page 149 Mod 5

28
Q

By default what is the limit of events per transaction?

A

1,000 events

Page 149 Mod 5

29
Q

Is there a limit to how many events stats can return?

A

No such limit applies to stats

Page 149 Mod 5

30
Q

Are you able to change the limit for transactions and if so how?

A

Yes, you can change the limit. Admins can change the limit by configuring max_events_per_bucket in limits.conf

Page 149 Mod 5