When using the transaction command, how are evicted transactions identified?
Correct Answer: A
The transaction command is a Splunk command that finds transactions based on events that meet various constraints1. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member1. The transaction command adds some fields to the raw events that are part of the transaction12. These fields are: duration: The difference, in seconds, between the timestamps for the first and last events in the transaction12. eventcount: The number of events in the transaction12. closed_txn: A Boolean field that indicates whether the transaction is closed or evicted2. A transaction is closed if it meets one of the following conditions: maxevents, maxpause, maxspan, or startswith2. A transaction is evicted if it does not meet any of these conditions and exceeds the memory limit specified by maxopentxn or maxopenevents23. Therefore, evicted transactions can be distinguished from non-evicted transactions by checking the value of the closed_txn field. The closed_txn field is set to 0, or false, for evicted transactions and 1, or true for non-evicted, or closed, transactions23.
Question 48
What is the relationship between data models and pivots?
Correct Answer: A
The relationship between data models and pivots is that data models provide the datasets for pivots. Data models are collections of datasets that represent your data in a structured and hierarchical way. Data models define how your data is organized into objects and fields. Pivots are user interfaces that allow you to create data visualizations that present different aspects of a data model. Pivots let you select options from menus and forms to create charts, tables, maps, etc., without writing any SPL code. Pivots use datasets from data models as their source of data. Pivots and data models are not the same thing, as pivots are tools for visualizing data models. Pivots do not provide datasets for data models, but rather use them as inputs. Therefore, only statement A is true about the relationship between data models and pivots.
