Splunk Core Certified Power User — Question 52
Which of the following statements describe the search below? (Choose all that apply.)
index=main | transaction clientip host maxspan=30s maxpause=5s
Answer options
- A. Events in the transaction occurred within 5 seconds.
- B. It groups events that share the same clientip and host.
- C. The first and last events are no more than 5 seconds apart.
- D. The first and last events are no more than 30 seconds apart.
Correct answer: B, D
Explanation
Option B is correct because the transaction command groups events based on shared clientip and host fields. Option D is also correct because maxspan=30s allows the first and last events in the transaction to be up to 30 seconds apart. Options A and C are incorrect because they refer to the maxpause of 5 seconds, which limits only the pause between events, not the total span between the first and last events.