Q: 6
To identify all of the contributing events within a transaction that contains at least one REJECT event,
which syntax is correct?
Options
Discussion
That makes sense, B. Only option B uses the transaction command in SPL correctly and then pipes to search REJECT to find all the events within those transactions. Let me know if anyone's seen this done another way.
My pick: B, that's how you'd get all events for sessions with at least one REJECT event. Seen this format in Splunk docs.
I would choose C here.
B is the right one. Only B uses transaction then | search REJECT to show all related events when any event in a session has REJECT. Pretty sure C and D aren't valid syntax in SPL, but open to being proven wrong.
Is it possible that C or D would work in any SPL version? I haven't seen 'whose' or 'where transaction=reject' as valid operators in Splunk. Pretty sure B is the only one that grabs all events from sessions containing a REJECT event after grouping by sessionid, just like I've seen on actual exam reports.
C/D? But I think B is right since only B properly uses transaction then filters with | search REJECT. C looks like a trap with invalid SPL syntax. If anyone's seen another way, let me know.
I remember a similar scenario from labs. In practice, it's B.
B or maybe C at a glance, but actually B is the valid one. The | search REJECT at the end lets you keep all events from sessions where at least one REJECT event exists, not just filtering for only those events. In SPL, C isn't proper syntax anyway. Unless I'm missing some new feature? Let me know if you see it otherwise.
I don't think A makes sense. B groups by sessionid then filters on transactions containing REJECT, which means you get all related events for those sessions. That's how SPL transaction works as far as I know. Correct me if I'm off!
It's B, since C tries to use "transaction=reject" which isn't valid SPL syntax. Pretty sure about B from similar exam questions.
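To make the distinction the thread keeps coming back to concrete, here is an added Python model of the two pipelines (it is not Splunk code and not from any of the posts above): it groups constructed sample events by sessionid the way `transaction` does and keeps every event of a transaction that contains a REJECT, versus a plain `search REJECT` that returns only the REJECT events themselves. The field names `sessionid` and `action` and the sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the original thread): one dict per event,
# with a sessionid field and an action field, as Splunk would index them.
SAMPLE_EVENTS = [
    {"_time": 1, "sessionid": "s1", "action": "LOGIN"},
    {"_time": 2, "sessionid": "s1", "action": "REJECT"},
    {"_time": 3, "sessionid": "s1", "action": "RETRY"},
    {"_time": 4, "sessionid": "s2", "action": "LOGIN"},
    {"_time": 5, "sessionid": "s2", "action": "ACCEPT"},
    {"_time": 6, "sessionid": "s3", "action": "REJECT"},
]


def naive_search(events, term):
    """Model `... | search REJECT` with no transaction in front of it:
    only the events that themselves contain the term survive."""
    return [e for e in events if term in e.values()]


def transaction(events, field):
    """Model `| transaction <field>`: group events sharing the field value,
    keeping each group in time order. Returns a list of transactions."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["_time"]):
        groups[e[field]].append(e)
    return list(groups.values())


def transaction_then_search(events, field, term):
    """Model `| transaction sessionid | search REJECT`: a transaction matches
    if ANY of its events carries the term, and the whole transaction is kept,
    so the contributing LOGIN/RETRY events come back alongside the REJECT."""
    kept = []
    for txn in transaction(events, field):
        if any(term in e.values() for e in txn):
            kept.extend(txn)
    return kept


if __name__ == "__main__":
    print("search only:", [e["action"] for e in naive_search(SAMPLE_EVENTS, "REJECT")])
    print("transaction + search:",
          [(e["sessionid"], e["action"])
           for e in transaction_then_search(SAMPLE_EVENTS, "sessionid", "REJECT")])
```

Session s2 never produced a REJECT, so neither pipeline returns it; the difference is that the transaction version also returns the LOGIN and RETRY events of s1.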