Splunk Enterprise Certified Architect — Question 76

A Splunk instance has crashed, but no crash log was generated. There is an attempt to determine what user activity caused the crash by running the following search:

index=_internal sourcetype=splunkd ("pipelines finished" OR "My GUID")
| transaction startswith="My GUID" endswith="pipelines finished" keepevicted=true keeporphans=true
| search closed_txn=0
| head 1

What does searching for closed_txn=0 do in this search?

Answer options

• A. Filters results to situations where Splunk was started and stopped once.
• B. Filters results to situations where Splunk was stopped and then immediately restarted.
• C. Filters results to situations where Splunk was started, but not stopped.
• D. Filters results to situations where Splunk was started and stopped multiple times.

Correct answer: C

Explanation

The filter closed_txn=0 in this search is used to identify transactions where Splunk was started but not stopped, indicating an ongoing process or crash scenario. Options A and B incorrectly describe situations that imply a stop event, while option D refers to multiple start-stop cycles, which is not what closed_txn=0 signifies.