SPLK-2001 Sample Questions Answers

The correct answer is A, because tokenn​ame∣s ensures that quotation marks surround the value referenced by the token. The |s modifier is used to escape special characters in the token value, such as quotation marks, commas, and colons. This is useful when the token value is used in a search string or a drilldown action1. The other options are incorrect because they either do not escape the special characters or add extra quotation marks.

It uses the $row.field|n$ syntax to reference the value of the link field in each row of the table. This syntax is used to create dynamic links in Simple XML dashboards. The other options are incorrect because they either use invalid syntax or do not reference the link field correctly. You can find more information about dynamic drill-downs and link syntax in the Splunk Developer Guide.

The HTTP Event Collector (HEC) endpoint that should be used to collect data in the given format is services/collector/raw. This endpoint accepts raw data that is not formatted as JSON, such as plain text or XML. The data format is specified by the sourcetype parameter in the request. The other endpoints are either used for different purposes or do not exist. For more information, see Use the raw HEC endpoint.

The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.

 The correct answer is B, C, and D because these are the characteristics of an add-on. An add-on is a Splunk app that provides reusable components or technology for other apps. Option B is correct because an add-on occupies a unique namespace within Splunk, which means it has its own app directory and configuration files. Option C is correct because an add-on can depend on other add-ons for correct operation, such as the Common Information Model Add-on. Option D is correct because an add-on contains technology or components that are not intended for reuse by other apps, such as data inputs, field extractions, lookups, and modular inputs. Option A is incorrect because an add-on does not require a navigation file, as it does not have any user interface elements. You can find more information about add-ons in the Splunk Developer Guide.

The correct answer is B, C, and D, because they are all ways to reduce the results size in the results when the search/jobs REST endpoint is called to execute a search. The search/jobs REST endpoint is used to create, manage, and control search jobs in Splunk. The results size in the results refers to the amount of data returned by the search job, which can affect the performance and efficiency of the search. Removing unneeded fields, truncating the data using selective functions, and summarizing the data using analytic commands are all methods to reduce the results size by filtering, limiting, or aggregating the data. Using a generating search is not a way to reduce the results size, but a way to create a search job that does not use the index, but instead generates its own data3.

The endpoint that is used to authenticate with the Splunk REST API is /services/auth/login. This endpoint returns a session key that can be used for subsequent requests to the Splunk REST API. The other endpoints are either invalid or used for different purposes. For more information, see Authenticate with the Splunk REST API.

When output_mode is not used, the title element of a feed is a human readable name for a returned entry. The title element contains the name of the object, such as the name of a saved search or a dashboard. The other elements are not human readable names, but rather identifiers, links, or authors of the entry. For more information, see Access Splunk data using feeds.

The correct answer is A, B, and D because these are the statements that are true regarding HEC (HTTP Event Collector) tokens. HEC tokens are unique identifiers that are used to authenticate and authorize the data sent to HEC, which is a service that allows you to send data to Splunk via HTTP or HTTPS. Option A is correct because multiple tokens can be created for use with different sourcetypes and indexes, which are the attributes that define the data type and the location of the data in Splunk. Option B is correct because the edit token http admin role capability is required to create a token, which is a permission that allows the user to manage the HEC tokens. Option D is correct because tokens can be edited using the data/inputs/http/{tokenName} endpoint, which is a REST endpoint that allows you to update the properties of a specific HEC token. Option C is incorrect because to create a token, you need to send a POST request to the data/inputs/http endpoint, not the services/collector endpoint. The services/collector endpoint is used to send data to HEC, not to create tokens. You can find more information about HEC tokens and their endpoints in the Splunk Developer Guide.

The URL that could be used to construct a REST request to search the employee KV Store collection to find records with a rating greater than or equal to 2 and less than 5 is ‘http://localhost:8089/servicesNS/nobody/search/storage/collections/data/ employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{% 22$lt%22:5}}]} &output_mode=json’. This URL uses the query parameter with a valid JSON expression that specifies the rating criteria, and the output_mode parameter with a value of json to return the results in JSON format. The other URLs are either invalid or use incorrect syntax for the query parameter. For more information, see Search a KV Store collection.

 The reserved field names in a KV Store are _key and _user. The _key field is a unique identifier for each record in a KV Store collection, and the _user field is the owner of the record. The other fields are not reserved, and can be used as custom fields in a KV Store collection. For more information, see KV Store field names.

 The correct answer is A, C, and D because these are the application security best practices that should be adhered to while developing an app for Splunk. Option A is correct because reviewing the OWASP Top Ten List can help you identify and avoid the most common web application security risks. Option C is correct because reviewing the OWASP Secure Coding Practices Quick Reference Guide can help you learn and apply the best practices for secure coding. Option D is correct because ensuring that third-party libraries that the app depends on have no outstanding CVE vulnerabilities can help you prevent potential exploits and attacks. Option B is incorrect because storing passwords in clear text in .conf files is a bad practice that can compromise the security and privacy of your app and your data. You can find more information about the application security best practices in the Splunk Developer Guide.

The log file that contains logs that are most relevant to Splunk Web is web_service.log. This log file records information about the web server that runs Splunk Web, such as requests, responses, errors, and performance. The other log files contain logs that are related to other aspects of Splunk, such as audit.log for security events, metrics.log for performance metrics, and splunkd.log for Splunk daemon activity. For more information, see [About Splunk log files].

The navigation options that will be displayed to the end user are Search, Datasets, and Dashboards. This is because the local file overrides the default file, and the local file does not include the Reports view. For more information, see Configure navigation.

 The correct answer is B and D, because they are the ways to optimize the searches in the dashboard. A dashboard is a user interface that displays data from one or more searches in various panels, such as charts, tables, or maps. Optimizing the searches in the dashboard helps to improve the dashboard performance, reduce the load on the Splunk server, and enhance the user experience. Restricting the time range of the search as much as possible and converting the common SPL into a Global Search and converting the other searches to post-processing searches are both methods to optimize the searches in the dashboard by limiting the amount of data to be searched or processed. Converting searches to include NOT expressions and replacing | stats command with | transaction command wherever possible are not methods to optimize the searches in the dashboard, but rather ways to change the search logic or functionality, which might not produce the desired results.

The correct answer is B, because the element will unset a token named my_token. The element is used to remove the value of a token based on a user interaction, such as a click or a change. The token attribute specifies the name of the token to be unset. The other options are incorrect because they will not unset a token named my_token. The myt​oken element is invalid, because the token name should not be enclosed in dollar signs. The false and disabled elements will not unset the token, but set its value to false or disabled, respectively.

 The correct answer is B because when calling the serviceNS endpoint, you must specify the user and app context in the URI. The serviceNS endpoint is a REST endpoint that allows you to access the Splunk service for a specific namespace. The namespace is a combination of the user and the app context, which determine the scope and visibility of the knowledge objects in Splunk. The serviceNS endpoint requires you to specify the user and app context in the URI, such as /servicesNS/{user}/{app}. Option A is incorrect because you do not need to authenticate with an admin user, but rather with the user of the required context. Option C is incorrect because you do not need to authenticate with the user of the required context, but rather with any valid user. Option D is incorrect because you do not need to pass the user and app context in the request payload, but rather in the URI. You can find more information about the serviceNS endpoint and the namespace in the Splunk REST API Reference Manual.

The correct answer is C, because /storage/collections/data/sales/smith is the REST endpoint to delete the record with a _key value of smith from the sales collection. The /storage/collections/data endpoint is used to access the KV Store data collections. The sales collection is the name of the collection, and smith is the _key value of the record to be deleted.