Splunk SPLK-2001 Splunk Certified Developer Exam Exam Practice Test

 The correct answer is A, B, and C because these are the possible reasons why the dashboard is not seen after moving myApp to a different Splunk instance. Option A is correct because if the dashboard’s permissions were set to private, only the owner of the dashboard can see it on the new instance. Option B is correct because if the user role permissions are different on the new instance, the user may not have access to the dashboard. Option C is correct because if the admin deleted the myApp/local directory before packaging, the dashboard configuration may have been lost. Option D is incorrect because changes placed in $SPLUNK_HOME/etc/apps/search/default/data/ui/nav do not affect the visibility of the dashboard. You can find more information about dashboard permissions and configuration in the Splunk Developer Guide.

The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.

 The element in a successful Splunk REST call response contains metadata encapsulating the element. The metadata includes information such as the title, author, updated time, and links of the entry. The content element contains the fields and values of the entry, such as the name, description, and configuration. The other options are either incorrect or not part of the element. For more information, see Access Splunk data using feeds.

The requirements for arguments sent to the data/indexes endpoint are to specify the datatype and include the name argument. The datatype argument specifies the type of data that is being indexed, such as event, metric, or http. The name argument specifies the name of the index that is being created or updated. The other arguments are either optional or invalid. For more information, see Create an index.

The correct answer is A, B, and D, because they are all items that can be configured in inputs.conf. Inputs.conf is a configuration file that defines how Splunk ingests data from various sources, such as files, directories, network ports, scripts, or modular inputs. A modular input written in Python is a type of input that allows Splunk to ingest data from a custom source using a Python script. A file input monitoring a JSON file is a type of input that allows Splunk to monitor a file or directory for new or updated data in JSON format. An HTTP Event Collector as receiver of data from an app is a type of input that allows Splunk to receive data from an app via HTTP or HTTPS requests. A custom search command written in Python is not an item that can be configured in inputs.conf, but in commands.conf.

 The reserved field names in a KV Store are _key and _user. The _key field is a unique identifier for each record in a KV Store collection, and the _user field is the owner of the record. The other fields are not reserved, and can be used as custom fields in a KV Store collection. For more information, see KV Store field names.

The correct answer is B, because an HTTP header field is an intended use of HTTP Event Collector tokens. An HTTP Event Collector token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token can be specified in the Authorization header field of the HTTP request, using the format Authorization: Splunk  2. The other options are incorrect because they are not valid ways to use an HEC token. A cookie is a small piece of data stored by the web browser, not by Splunk. A JSON field in the HTTP request is used to specify the event data or metadata, not the HEC token. A password in conjunction with login is not related to HEC, but to Splunk Web or REST API authentication.

The correct answer is C and D, because they are both statements that describe an HEC token. An HEC token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token is a GUID (globally unique identifier), which is a 32-character hexadecimal string that is randomly generated. An HEC token can be created in Splunk Web or using REST endpoints, depending on the preference of the user. An HEC token does not map to a Splunk user, but to a specific index or set of indexes where the data will be stored. An HEC token cannot be used to download data, but only to send data to Splunk.

The correct answer is A, because the correct post-process syntax for the base search shown below is var mypostproc1 = new PostProcessManager {{ id: “post1”, managerid: “base-search”, search: “| stats count by sourcetype” }}. The PostProcessManager is a JavaScript object that creates a post-process search that runs on the results of a base search. The PostProcessManager requires three parameters: id, managerid, and search. The id is a unique identifier for the post-process search. The managerid is the id of the base search that the post-process search depends on. The search is the post-process search string that runs on the base search results. The other options are incorrect because they either use the wrong managerid, the wrong object name, or the wrong search string.

The correct answer is A, because data can be added to a KV Store collection only in JSON format. KV Store is a feature that allows Splunk to store and manage data in collections of key-value pairs. A KV Store collection is a logical grouping of key-value pairs that can be accessed and manipulated by Splunk apps. Data can be added to a KV Store collection either by using the Splunk Web interface, the Splunk REST API, or the Splunk SDKs. In all cases, the data must be formatted as JSON objects, which are collections of name-value pairs enclosed in curly braces1. The other formats, such as XML, CSV, and TXT, are not supported by KV Store.

The correct answer is A because the namespace is a type of token filter. The namespace is a parameter that can be used to filter the tokens returned by the REST API. The namespace consists of the user and the app context, which determine the scope and visibility of the knowledge objects in Splunk. Option B is incorrect because the namespace can include a wildcard (*) for the app attribute, which means it will return tokens from all apps. Option C is incorrect because the namespace does not filter the knowledge objects returned by the REST API, but rather the tokens that reference them. Option D is incorrect because the namespace does filter the tokens returned by the REST API, based on the user and app context. You can find more information about the namespace and the token filter in the Splunk REST API Reference Manual.

The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the Splunk REST API Reference Manual.

The log file that contains logs that are most relevant to Splunk Web is web_service.log. This log file records information about the web server that runs Splunk Web, such as requests, responses, errors, and performance. The other log files contain logs that are related to other aspects of Splunk, such as audit.log for security events, metrics.log for performance metrics, and splunkd.log for Splunk daemon activity. For more information, see [About Splunk log files].

The correct answer is C, because the XML reference for the file myJS.js located in myOtherApp is . The script attribute specifies the path to the JavaScript file that contains the custom logic for the dashboard. The path must start with the app name, followed by a colon, and then the relative path to the file within the appserver/static folder of the app. The other options are incorrect because they either omit the app name, the colon, or the javascript subfolder.

The valid format for a Splunk REST URI is scheme://host:port/services/endpoint. This format specifies the scheme (http or https), the host (the Splunk server name or IP address), the port (the Splunk management port, usually 8089), the services prefix (which indicates a Splunk REST endpoint), and the endpoint (the specific resource or action to access). The other formats are either incomplete or invalid. For more information, see About the Splunk REST API.

 The correct answer is B and D, because they are the ways to optimize the searches in the dashboard. A dashboard is a user interface that displays data from one or more searches in various panels, such as charts, tables, or maps. Optimizing the searches in the dashboard helps to improve the dashboard performance, reduce the load on the Splunk server, and enhance the user experience. Restricting the time range of the search as much as possible and converting the common SPL into a Global Search and converting the other searches to post-processing searches are both methods to optimize the searches in the dashboard by limiting the amount of data to be searched or processed. Converting searches to include NOT expressions and replacing | stats command with | transaction command wherever possible are not methods to optimize the searches in the dashboard, but rather ways to change the search logic or functionality, which might not produce the desired results.

The types of event handlers are set token and form input. Set token event handlers let you set or unset tokens based on user interactions, such as clicking on a chart or selecting a value from a dropdown. Form input event handlers let you create interactive forms that use tokens to pass values between inputs and searches. The other options are not event handlers, but rather components of a dashboard. For more information, see Event handlers overview.

 The correct answer is B, C, and D, because they are all valid parent elements for the event action shown below. The event action is a element, which is used to set the value of a token based on a user interaction, such as a click or a change. The element can be nested inside a , a , or a element, depending on the type and context of the event. The element is not a valid parent element for the element, but a sibling element that can be used to evaluate an expression and set the value of a token.

The correct answer is D, because defining an alternative search or target view to use is a customization option for the Open in Search panel link button. The Open in Search panel link button is a feature that allows the user to open the search results of a panel in a new search page. The alternative search or target view option allows the user to specify a different search string or a different view name to use when opening the search page4. The other options are not customization options for the Open in Search panel link button, but for the panel itself. Displaying the refresh time, showing the Export Results button, and showing link buttons at the bottom of a panel are all attributes that can be configured for a panel.

The valid request arguments for the REST search endpoints are latest_time=now and earliest_time=-5h@h. These arguments specify the time range for the search, using relative or absolute time modifiers. The other arguments are invalid because they use rt (real-time) modifiers, which are not supported by the REST search endpoints. For more information, see [Specify time modifiers in your search].

The correct answer is C, because omitting the value of _key from the REST endpoint would cause all records in a collection to be deleted. The _key is a unique identifier for each record in a KV Store collection. The REST endpoint for deleting a record from a collection is /storage/collections/data//, where is the name of the collection and is the value of _key. If the is omitted, the REST endpoint becomes /storage/collections/data/, which deletes all records in the collection. The other options are incorrect because they are not the consequences of omitting the value of _key from the REST endpoint. Cleaning the KV store, deleting all content would require deleting all collections, not just one. Producing the syntax error “Key value missing” would not happen, because the REST endpoint is valid without the value. Meaning that the _key value must be passed as an argument would not make sense, because the argument is the same as the value in the REST endpoint.