Splunk Core Certified Power User — Question 8

When should transaction be used?

Answer options

• A. Only in a large distributed Splunk environment.
• B. When calculating results from one or more fields.
• C. When event grouping is based on start/end values.
• D. When grouping events results in over 1000 events in each group.

Correct answer: C

Explanation

The correct answer is C because transactions are designed to group events based on their start and end timestamps, which helps in analyzing related events. Option A is incorrect as transactions can be useful in various environments, not just large ones. Option B is misleading because it suggests calculations rather than grouping, and option D is not a defining condition for using transactions, as they are based on start/end values rather than the number of events.