Module 6 Correlating Events Flashcards
what is a transaction?
A transaction is any group of related events that span time
True or False: transaction events can come from multiple hosts?
True
for example, a single online purchase will traverse multiple systems (app server, DB, e-commerce engine, etc.); together these events make up one transaction
what are the common constraints for Transaction command?
maxspan
maxpause
startswith
endswith
where can the search command be used with the transaction command?
it can be used at any point in the search pipeline
what does the highlight command do?
it highlights the fields specified in the command
what additional fields does the transaction command produce?
duration - the difference between the first and last timestamp
eventcount - the number of events in the transaction
how do you define the maximum time span for the transaction?
maxspan=
how do you define the maximum time between events
maxpause=
what is the maximum time allowed between any two related events?
1 minute
note: transactions spanning more than 10 minutes with the same client IP are considered unrelated
when using the transaction command when would you use startswith and endswith arguments?
to form transactions based on terms, fields or evaluations.
index=web sourcetype….
| transaction clientip JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase")
| table clientip, JSESSIONID, duration, eventcount
when are transactions most useful?
when a single event does not provide enough detail
True or False?
you can’t use statistics and reporting commands with transactions
False
why would you use stats instead of transactions?
it is faster and more efficient, especially in large Splunk environments
When do you use transactions?
- when you need to see events correlated together
- must define event grouping
when do you use stats?
- Want to see results of a calculation
- can group based on a field value (e.g. by src-ip)