SPLK-3003 Exam - Question 65

Question

Consider the search shown below. What is this search's intended function?

Examice · Accepted Answer

The search begins by finding the latest time (_time) of a high severity, denied event in the firewall index. It then calculates a time window from two hours before to two hours after this event. Finally, it searches the web_log events in the web index that fall within this time window. Therefore, the intended function is to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.

Giodada · Answer

A is correct because there is a stats command inside the subsearch

frappe · Answer

A mentions most recent, and the search has stats latest(_time) in its subsearch

Nemo72 · Answer

A is correct

sunil299 · Answer

C appear correct to me, as latest has +2 hour. so 2 hours before and after events

nutsu · Answer

A, because used stats lastest time

jcisco123 · Answer

The correct answer is A. The search is intended to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
The intended function of this search is to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index. The subsearch within square brackets is searching the firewall index for the most recent high severity, denied event, and using the status command to get the latest time for that event. The eval command is then used to create earliest and latest fields for the web_log search, based on the time of the most recent denied event. The fields command at the end is used to limit the fields returned to earliest and latest.

SPLK-3003 Exam - Question 65

Discussion