Splunk Enterprise Certified Architect — Question 28
What is this search trying to determine?
index=_internal sourcetype=splunkd ("pipelines finished" OR "My GUID")
| transaction startswith="My GUID" endswith="pipelines finished" keepevicted=true keeporphans=true
| search closed_txn=0
Answer options
- A. splunkd crash.
- B. Failed user logon.
- C. Total indexing volume.
- D. Missing input source.
Correct answer: A
Explanation
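The search is designed to identify instances where the Splunk daemon (splunkd) has crashed. Each transaction starts with the 'My GUID' message and ends with the 'pipelines finished' message; keepevicted=true retains transactions that never reached their end event, and closed_txn=0 filters for exactly those. A splunkd run that begins but never logs 'pipelines finished' points to a crash rather than a clean shutdown. The other options do not relate to transaction states or to the specific messages this query monitors.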