
Exam SPLK-3001 topic 1 question 70 discussion

Actual exam question from Splunk's SPLK-3001
Question #: 70
Topic #: 1
[All SPLK-3001 Questions]

A set of correlation searches are enabled at a new ES installation, and results are being monitored. One of the correlation searches is generating many notable events which, when evaluated, are determined to be false positives.
What is a solution for this issue?

  • A. Suppress notable events from that correlation search.
  • B. Disable acceleration for the correlation search to reduce storage requirements.
  • C. Modify the correlation schedule and sensitivity for your site.
  • D. Change the correlation search's default status and severity.
Suggested Answer: C

Comments

guirax
Highly Voted 2 years, 6 months ago
C is correct. Adjust correlation search sensitivity. False positives: returning results when none are actually there. False negatives: returning no results when something is expected. (Administering Splunk Enterprise Security, page 224)
upvoted 7 times
jaemon22
Most Recent 3 weeks, 6 days ago
Selected Answer: C
By modifying the correlation search's schedule and sensitivity, you can adjust how frequently the search runs and the criteria it uses to generate notable events. This can help reduce the number of false positives by making the search conditions more stringent or reducing the frequency of the search to better match your environment. Suppression and changing status or severity do not address the root cause of false positives, while modifying the schedule and sensitivity directly impacts the detection criteria.
upvoted 1 times
hesbee
10 months, 4 weeks ago
Selected Answer: C
C is the correct answer.
upvoted 1 times
qtygbapjpesdayazko
1 year, 2 months ago
Selected Answer: C
C. Modify the correlation schedule and sensitivity
upvoted 2 times
huu_nguyen
1 year, 8 months ago
C should be the answer. A is not correct since we cannot suppress a high volume of notable events manually. There will be thousands of them.
upvoted 3 times
noysherer
2 years, 6 months ago
Selected Answer: A
I also think the answer is A.
upvoted 3 times
_adem
2 years, 8 months ago
Think answer should be A.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), other