SPLK-5002 Question #68: Real Exam Question with Answer & Explanation
Question
Consider the following series of events:

- 4:00 GMT: Detection runs for interval 3:30-4:00
- 4:30 GMT: Detection runs for interval 4:00-4:30
- 4:35 GMT: Event 1 occurs on an endpoint
- 4:45 GMT: Event 1 is indexed
- 5:00 GMT: Detection runs for interval 4:30-5:00
- 5:05 GMT: Event 1 finding is added to ES with timestamp 4:35
- 5:24 GMT: Event 2 occurs on an endpoint
- 5:30 GMT: Detection runs for interval 5:00-5:30
- 5:35 GMT: Event 2 is indexed
- 6:00 GMT: Detection runs for interval 5:30-6:00

What is the problem with the detection schedule chosen and how can it be solved?
Options
- A. The time window for the detection is too large, causing duplicate alerts.
- B. The logs are delayed so the detection time window needs to be increased.
- C. The time window for the detection is too small, causing duplicate alerts.
- D. The logs are delayed so the detection time window needs to be decreased.