Q: 1
Which of the following describes the transaction command?
Options
Discussion
A or C, these Splunk questions drive me nuts sometimes. Sticking with A for now.
I don't think it's A, actually. Trap is that transaction doesn't require at least two events, so C.
A is wrong, C. The transaction command doesn't require at least two events, so C is more accurate for what the command does in Splunk. Pretty sure the docs back this up but if anyone's seen a scenario where A fits better, let me know.
C, No explanation needed, transaction just groups events by field values. Open to a different take but this is what matches the SPL docs.
Maybe A here. The "at least two events" part seems like how transaction is often used since you need more than one to actually group, right? Not totally sure since some docs say it works on single events too, but A makes sense to me if you think about grouping. Not locking it in though, open to feedback.
I've seen similar on the exam and official guide, I'm leaning toward A.
Had something like this in a mock, went with C.
C is the best fit here. Transaction groups events based on shared values, but it doesn't require a minimum of two; single events can be grouped too. I think C is more accurate than A, but open to discussion if anyone disagrees.
D, A is a trap because transaction can group single events too.
C imo, since the transaction command is used to group related events by matching field values, like clientip or session. Pretty sure it's not about moving data between indexes or systems. Anyone pick something else?
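As an added illustration of the point the thread argues over (not part of the original discussion), the SPL search below builds four constructed test events with makeresults and runs transaction over them; the clientip and action field names and values are made up for the demo. The second clientip has only one event, and transaction still emits it as a transaction with eventcount=1 and duration=0.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = now() - (n * 10)
| eval clientip = case(n <= 3, "10.0.0.1", true(), "10.0.0.2")
| eval action = case(n == 1, "login", n == 2, "view", n == 3, "logout", true(), "login")
| transaction clientip maxspan=1m
| table clientip eventcount duration action
```

Expect two rows: 10.0.0.1 with eventcount=3 and a non-zero duration, and 10.0.0.2 with eventcount=1, showing that a single event forms its own transaction.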