Exam SPLK-1002 topic 1 question 65 discussion

Answer is D. The argument maxspan=1d will join events to one transaction by status per day. You would see the curve lines on graph if answer C is right, cause graph values are shown with span=12h

C is the right answer.

Should be C, because the question is asking for "similar," not exact, and C is the classiest

C or D

I tested it and C gives similar result. what I tried : index=web sourcetype=access_combined | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

C is the correct answer

what is the correct answ C or D?

C works, tested with different sourcetype that has the same status field with skipped and success index=_internal sourcetype=scheduler | fields sourcetype, status | transaction status maxspan=1d | timechart count by status

https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Transaction maxspan Syntax: maxspan=<int>[s | m | h | d] Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The events in the transaction must span less than integer specified for maxspan. Events that exceed the maxspan limit are treated as part of a separate transaction. If the value is negative, the maxspan constraint is disabled and there is no limit. Default: -1 (no limit)

could you pls confirm the final answer friends?

Tested . C appears to be correct

While I was on playing around with the Splunk training data (sourcetype=access_combined_wcookie), seems C produces the same type linechart graph (assuming the status field has only 2 values in the events skipped and success)..

I would go for answer D: (fields sourcetype, status are not equal to skipped and succes)