Module 6 Correlating Events Flashcards

1
Q

What is a transaction?

A

A transaction is any group of conceptually related events that span time (for example, all the events generated by one user session or one purchase).

2
Q

True or False: transaction events can come from multiple hosts?

A

True.
For example, a single online purchase traverses multiple systems (web/app server, database, e-commerce engine, etc.); the events those systems emit together make up one transaction.

3
Q

What are the common constraints for the transaction command?

A

maxspan
maxpause
startswith
endswith

4
Q

Where can the search command be used with the transaction command?

A

It can be used at any point in the search pipeline, i.e. before the transaction command to narrow the events being grouped, or after it to filter the resulting transactions (e.g. on duration or eventcount).

5
Q

What does the highlight command do?

A

It highlights the terms specified in the command wherever they appear in the search results (a display-only effect in Splunk Web; it does not change the events).

6
Q

What additional fields does the transaction command produce?

A

duration: the difference between the timestamps of the first and last event in the transaction

eventcount: the number of events in the transaction

7
Q

How do you define the maximum time span for the transaction?

A

maxspan=<time> (e.g. maxspan=10m): the first and last event of a transaction may be no more than this far apart.

8
Q

How do you define the maximum time between events?

A

maxpause=<time> (e.g. maxpause=1m): any two consecutive events in a transaction may be no more than this far apart.

9
Q

What is the maximum time allowed between any two related events?

A

There is no built-in maximum; it is whatever the search sets with maxpause. In the module's example it is 1 minute (maxpause=1m).

Note: the same example also sets maxspan=10m, so events from the same client IP that span more than 10 minutes are considered unrelated and are split into separate transactions.

10
Q

When using the transaction command, when would you use the startswith and endswith arguments?

A

To form transactions whose boundaries are defined by terms, field values, or eval expressions, i.e. to say which event opens a transaction and which event closes it. For example, to group a shopping session from the add-to-cart event to the purchase event:

index=web sourcetype…
| transaction clientip JSESSIONID startswith=eval(action="addtocart")
endswith=eval(action="purchase")
| table clientip, JSESSIONID, duration, eventcount

11
Q

When are transactions most useful?

A

When a single event does not provide enough detail and the answer lies in how several events relate to each other over time.

12
Q

True or False?

You can't use statistics and reporting commands with transactions.

A

False. The transaction command outputs events (each carrying the added duration and eventcount fields) that can be passed on to stats, chart, timechart and the other reporting commands.

13
Q

Why would you use stats instead of transaction?

A

stats is faster and more efficient, especially in large Splunk environments, because it aggregates by field values without having to hold the individual events of each group in memory.

14
Q

When do you use transactions?

A
  • When you need to see related events correlated together

- You must define how events are grouped (the grouping fields and/or constraints such as maxspan, maxpause, startswith and endswith)

15
Q

When do you use stats?

A
  • When you want to see the results of a calculation

- It can group based on a field value (e.g. by src_ip)

16
Q

What is the default limit of events per transaction?

A

1000 (the default of the transaction command's maxevents setting).

There is no such limit in stats.

17
Q

True or False

The default limit of 1000 events for a transaction can't be changed.

A

False.

- An admin can change the limit in max_events_per_bucket in the limits.conf file.
- A search can also override it for one transaction command with the maxevents=<n> argument.
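The constraints on the cards above (maxspan, maxpause, startswith/endswith, the per-transaction event limit, and the duration and eventcount fields that come out) are easiest to understand by watching them split a stream of events. The Python below is an added illustration written for this page, not Splunk's own implementation of the transaction command: it re-creates the grouping rules over a handful of constructed web events (invented for the example) and also shows the stats-style aggregation from cards 13 to 15, so you can see why stats is cheaper and what it cannot express. The handling of orphan events (events that never fall inside a startswith boundary) is a simplification assumed here to match the command's default keeporphans=false, and Splunk's processing order (newest event first) is not modelled; the grouping result is the same either way.

```python
from collections import defaultdict

# Constructed sample web events for this example (not from the original page).
# _time is seconds relative to an arbitrary start so the gaps are easy to read.
EVENTS = [
    {"_time": 0,   "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "view"},
    {"_time": 20,  "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "addtocart"},
    {"_time": 50,  "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "view"},
    {"_time": 90,  "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "purchase"},
    {"_time": 700, "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "addtocart"},
    {"_time": 720, "clientip": "10.0.0.5", "JSESSIONID": "SD1", "action": "purchase"},
    {"_time": 30,  "clientip": "10.0.0.9", "JSESSIONID": "SD2", "action": "addtocart"},
    {"_time": 40,  "clientip": "10.0.0.9", "JSESSIONID": "SD2", "action": "view"},
]


def parse_span(span):
    """Parse a Splunk-style relative time such as '10m', '90s' or '2h' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(span[:-1]) * units[span[-1]]


def _finish(key, fields, evs):
    """Build one transaction: the grouping fields plus the two fields the
    transaction command adds, duration (last - first timestamp) and eventcount."""
    result = dict(zip(fields, key))
    result["duration"] = evs[-1]["_time"] - evs[0]["_time"]
    result["eventcount"] = len(evs)
    result["events"] = evs
    return result


def transaction(events, fields, maxspan=None, maxpause=None,
                startswith=None, endswith=None, maxevents=1000):
    """Group events the way `| transaction <fields> ...` does (simulation, not Splunk code).

    startswith/endswith are predicates on an event, the equivalent of
    startswith=eval(...) / endswith=eval(...). Events that cannot be placed in any
    transaction (they precede the first startswith match) are dropped, assumed
    here to mirror the command's default keeporphans=false.
    """
    maxspan_s = parse_span(maxspan) if maxspan else None
    maxpause_s = parse_span(maxpause) if maxpause else None
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_key[tuple(ev[f] for f in fields)].append(ev)

    results = []
    for key, evs in by_key.items():
        current = []
        for ev in evs:
            # An event starts a new transaction if none is open, if it is a start
            # boundary, if it violates maxpause or maxspan, or if the open one is full.
            split = (
                not current
                or (startswith is not None and startswith(ev))
                or (maxpause_s is not None and ev["_time"] - current[-1]["_time"] > maxpause_s)
                or (maxspan_s is not None and ev["_time"] - current[0]["_time"] > maxspan_s)
                or len(current) >= maxevents
            )
            if split:
                if current:
                    results.append(_finish(key, fields, current))
                if startswith is not None and not startswith(ev):
                    current = []  # orphan: no transaction is open for it
                    continue
                current = [ev]
            else:
                current.append(ev)
            if endswith is not None and endswith(ev):
                results.append(_finish(key, fields, current))
                current = []
        if current:
            results.append(_finish(key, fields, current))
    return results


def stats_by(events, fields):
    """The stats alternative: `| stats min(_time) AS start max(_time) AS end count BY <fields>`.
    One pass with no per-event state, but it cannot express maxpause or
    start/end boundaries, so every key yields exactly one row."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[tuple(ev[f] for f in fields)].append(ev["_time"])
    rows = []
    for key, times in by_key.items():
        row = dict(zip(fields, key))
        row["duration"] = max(times) - min(times)
        row["count"] = len(times)
        rows.append(row)
    return rows


if __name__ == "__main__":
    key = ("clientip", "JSESSIONID")
    # The 610 s gap inside session SD1 breaks maxpause=1m, so SD1 yields two transactions.
    for t in transaction(EVENTS, key, maxspan="10m", maxpause="1m"):
        print("transaction", t["clientip"], t["JSESSIONID"], t["duration"], t["eventcount"])
    # stats sees the same session as one 720 s group of 6 events: cheaper, but blind to the gap.
    for row in stats_by(EVENTS, key):
        print("stats", row["clientip"], row["JSESSIONID"], row["duration"], row["count"])
```

Running the module prints three transactions for the maxspan/maxpause search (the pause of 610 s splits session SD1 in two) but only two stats rows, which is the trade-off cards 13 to 15 describe: stats answers "how many events and how long per key" in one cheap pass, while transaction is needed when the grouping itself depends on gaps or on start/end events. Passing maxevents=2 shows the event-limit behaviour from cards 16 and 17: long groups are cut into consecutive transactions rather than being silently truncated.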