Exam SPLK-3003
Question 65

Consider the search shown below.

What is this search's intended function?

    Correct Answer: A

    The search begins by finding the latest time (_time) of a high severity, denied event in the firewall index. It then calculates a time window from two hours before to two hours after this event. Finally, it searches the web_log events in the web index that fall within this time window. Therefore, the intended function is to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
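The time-window pivot that the explanation describes, modelled in Python on constructed firewall and web events. This is an added example, not part of the exam page or the original search; the field names `severity`, `action` and `sourcetype`, the epoch timestamps, and the 7200-second window are assumptions taken from the explanation's wording.

```python
# Added model of the SPL pattern: a subsearch picks the latest matching firewall
# event, turns it into an earliest/latest pair, and the outer search keeps only
# web_log events inside that window. Field names and data are assumptions.
from typing import Optional

WINDOW_SECONDS = 2 * 60 * 60  # the +/- 2 hour window from the explanation

# Constructed sample events (epoch seconds, like Splunk's _time); not real logs.
FIREWALL_EVENTS = [
    {"_time": 1_700_000_000, "severity": "high", "action": "denied"},
    {"_time": 1_700_010_000, "severity": "low", "action": "denied"},
    {"_time": 1_700_020_000, "severity": "high", "action": "allowed"},
    {"_time": 1_700_030_000, "severity": "high", "action": "denied"},  # latest match
]
WEB_EVENTS = [
    {"_time": 1_700_022_000, "sourcetype": "web_log", "uri": "/login"},   # 8000 s before: out
    {"_time": 1_700_030_500, "sourcetype": "web_log", "uri": "/admin"},   # in window
    {"_time": 1_700_037_000, "sourcetype": "web_log", "uri": "/export"},  # 7000 s after: in
    {"_time": 1_700_040_000, "sourcetype": "web_log", "uri": "/logout"},  # 10000 s after: out
    {"_time": 1_700_031_000, "sourcetype": "access_combined", "uri": "/x"},  # wrong sourcetype
]


def subsearch_window(firewall_events, window=WINDOW_SECONDS) -> Optional[dict]:
    """Models: index=firewall severity=high action=denied
    | stats latest(_time) AS t | eval earliest=t-7200, latest=t+7200
    | fields earliest latest"""
    times = [e["_time"] for e in firewall_events
             if e["severity"] == "high" and e["action"] == "denied"]
    if not times:
        return None  # no matching event: the subsearch yields no earliest/latest
    latest_event = max(times)  # stats latest(_time)
    return {"earliest": latest_event - window, "latest": latest_event + window}


def outer_search(web_events, window: Optional[dict]) -> list:
    """Models: index=web sourcetype=web_log [subsearch]. The window is applied
    with earliest inclusive and latest exclusive (the convention assumed here)."""
    if window is None:
        return []  # model's conservative choice for an empty subsearch
    return [e for e in web_events
            if e["sourcetype"] == "web_log"
            and window["earliest"] <= e["_time"] < window["latest"]]


def pivot_uris(firewall_events=FIREWALL_EVENTS, web_events=WEB_EVENTS) -> list:
    """Run both halves and return the URIs of the web_log events in the window."""
    return [e["uri"] for e in outer_search(web_events, subsearch_window(firewall_events))]
```

Only the two web_log events within 7200 seconds of the latest high-severity denied event survive; the earlier denied event and the mismatched sourcetype play no part, which is why answer A rather than an "all events" reading is correct.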

Discussion
Giodada (Option: A)

A is correct because there is a stats command inside the subsearch.

frappe (Option: A)

A mentions most recent, and the search has stats latest(_time) in its subsearch.

jcisco123 (Option: A)

The correct answer is A. The search is intended to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index. The intended function of this search is to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index. The subsearch within square brackets is searching the firewall index for the most recent high severity, denied event, and using the stats command to get the latest time for that event. The eval command is then used to create earliest and latest fields for the web_log search, based on the time of the most recent denied event. The fields command at the end is used to limit the fields returned to earliest and latest.

nutsu (Option: A)

A, because it used stats latest time.

sunil299 (Option: C)

C appears correct to me, as latest has +2 hours, so 2 hours before and after events.

k3115807

C is wrong, because of stats latest(_time). This means the current time, not all time.

Nemo72 (Option: A)

A is correct.