When should you use the transaction command instead of the stats command?
The transaction command should be used when you need to group events based on start and end constraints. This command is ideal for scenarios where events need to be correlated together over a period of time, such as tracking sessions or sequences of related events. In contrast, the stats command is more efficient and faster for calculations and aggregations on large datasets where duration and sequence are not as critical.
D. When you need to group based on start and end constraints.
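Two searches contrasting the choices above, added here as an illustration and not taken from the original question or from Splunk's own documentation; the index name, sourcetype, and `action=login`/`action=logout` field values are constructed. The first search uses `transaction` because the grouping is defined by start and end events (a login opens a session, a logout closes it, and `maxspan` bounds how long the search waits for the end); the second is the `stats` form to prefer when grouping by a field value alone is enough, since `stats` does not have to buffer events or honour the 1,000-events-per-transaction limit.

```spl
index=auth sourcetype=app_logs
| transaction user startswith="action=login" endswith="action=logout" maxspan=30m
| table user _time duration eventcount

index=auth sourcetype=app_logs
| stats count AS events earliest(_time) AS first_seen latest(_time) AS last_seen BY user
| eval span_seconds=last_seen-first_seen
| table user events first_seen last_seen span_seconds
```

The `duration` and `eventcount` fields in the first search are created by `transaction` itself; the second search has to derive an equivalent span from `earliest`/`latest`, and it cannot tell whether the events between the two timestamps belong to one session or several.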
D - P135 F2
D is the answer.... Fun2 (Page 135) transaction vs. stats

- When you have a choice, use stats: it's faster and more efficient, especially in large Splunk environments
- Only use transaction when you:
  - Need to see events correlated together
  - Must define event grouping based on start/end values or segment on time
- Use stats when you:
  - Want to see the results of a calculation
  - Can group events based on a field value (e.g., by src_ip)
- By default, there's a limit of 1,000 events per transaction. No such limit applies to stats
  - Admins can change the limit by configuring max_events_per_bucket in limits.conf
Answer seems D. But note: I have seen somewhere else in a different dump, A mentioned grouping on multiple events. In that case the answer would have been A, since D didn't say startswith or endswith constraints (granular).
Pretty sure it's D
Definitely D
the answer is D
When you need to group events based on multiple values in Splunk, you can use either the "stats" or the "transaction" command so therefore the answer is def D!
Ans seems to be A and D
the key word is: Grouping based on multiple values