Splunk Core Certified Power User — Question 185
Consider the following search:
index=web sourcetype=access_combined
The log shows several events that share the same JSESSIONID value (SD421K26502F783). View the events as a group.
From the following list, which search groups events by JSESSIONID?
Answer options
- A. index-web sourcetype=access_combined | transaction JSESSIONID | search SD42IK26502F783
- B. index-web sourcetype=access_combined | highlight JSESSIONID | search SD421K26502F783
- C. index=web sourcetype=access_combined SD42IK26502F783 | table JSESSIONID
- D. index=web sourcetype=access_combined JSESSIONID <SD421K26502F783>
Correct answer: D
Explanation
The correct answer, D, uses the proper syntax to filter events by the JSESSIONID value, effectively grouping them. Option A attempts to use the transaction command, which does not directly group events by a specific field in the way required. Option B highlights the JSESSIONID but does not group the events. Option C filters events but does not group them by JSESSIONID either.