Splunk Core Certified Power User — Question 45

When should you use the transaction command instead of the stats command?

Answer options

• A. When you need to group on multiple values.
• B. When duration is irrelevant in search results.
• C. When you have over 1000 events in a transaction.
• D. When you need to group based on start and end constraints.

Correct answer: D

Explanation

The correct answer is D because the transaction command is specifically designed to group events based on defined start and end conditions. Options A, B, and C do not accurately describe the unique functionality of the transaction command, as they pertain to different grouping or limitations that do not warrant its use.