Splunk Core Certified Power User — Question 23
To identify all of the contributing events within a transaction that contain at least one REJECT event, which syntax is correct?
Answer options
- A. index=main REJECT | transaction sessionid
- B. index=main | transaction sessionid | search REJECT
- C. index=main | transaction sessionid | where transaction=reject
- D. index=main | transaction sessionid | where transaction="REJECT*"
Correct answer: B
Explanation
Option B is correct because it first retrieves the events from the main index, groups them into transactions by sessionid, and then keeps only the transactions whose combined raw text contains REJECT, so every contributing event of each matching transaction is returned. Option A incorrectly places the REJECT filter before the transaction command: only events that match REJECT reach the transaction command, so the non-REJECT events that belong to the same session are dropped and the resulting transactions are incomplete. Options C and D use the 'where' clause incorrectly, since 'where' compares field values and there is no field named transaction to test, so neither filters for the presence of a REJECT event within the transactions.