SPLK-2001 Splunk Certified Developer Exam Questions and Answers

The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.

The correct answer is B because the best way to identify processor bottlenecks of a search is to use the search job inspector. The search job inspector is a tool that provides detailed information about the performance and resource consumption of a search job, such as CPU time, memory usage, scan count, and event count. The search job inspector can help you identify which parts of your search are causing processor bottlenecks and how to optimize them. Option A is incorrect because using the REST API does not provide as much information as the search job inspector. Option C is incorrect because using the Splunk Monitoring Console does not provide information about individual search jobs, but rather about the overall health and performance of your Splunk deployment. Option D is incorrect because searching the Splunk logs using index=“internal” does not provide information about processor bottlenecks, but rather about errors and warnings that occurred during the search execution. You can find more information about the search job inspector in the Splunk Developer Guide.

It uses the $row.field|n$ syntax to reference the value of the link field in each row of the table. This syntax is used to create dynamic links in Simple XML dashboards. The other options are incorrect because they either use invalid syntax or do not reference the link field correctly. You can find more information about dynamic drill-downs and link syntax in the Splunk Developer Guide.

 The reserved field names in a KV Store are _key and _user. The _key field is a unique identifier for each record in a KV Store collection, and the _user field is the owner of the record. The other fields are not reserved, and can be used as custom fields in a KV Store collection. For more information, see KV Store field names.

When added to an app’s default.meta file, export = system makes one of its views available to other apps. This means that the view is visible and searchable by all users. The other options are invalid because export = app means that the view is visible and searchable only within the app, export = none means that the view is not visible or searchable by any user, and export = view is not a valid value for the export attribute. For more information, see About configuration file structure and inheritance.

The correct answer is A, B, and C because these are the benefits of using Simple XML Extensions. Simple XML Extensions allow you to customize the appearance and behavior of your dashboards by adding custom layouts, graphics, and behaviors. You can also use JavaScript and CSS to enhance your dashboards. Option D is incorrect because Simple XML Extensions do not affect the Splunk license consumption based on host. You can find more information about Simple XML Extensions in the Splunk Developer Guide.

The correct answer is A, B, and D because these are the statements that are true regarding HEC (HTTP Event Collector) tokens. HEC tokens are unique identifiers that are used to authenticate and authorize the data sent to HEC, which is a service that allows you to send data to Splunk via HTTP or HTTPS. Option A is correct because multiple tokens can be created for use with different sourcetypes and indexes, which are the attributes that define the data type and the location of the data in Splunk. Option B is correct because the edit token http admin role capability is required to create a token, which is a permission that allows the user to manage the HEC tokens. Option D is correct because tokens can be edited using the data/inputs/http/{tokenName} endpoint, which is a REST endpoint that allows you to update the properties of a specific HEC token. Option C is incorrect because to create a token, you need to send a POST request to the data/inputs/http endpoint, not the services/collector endpoint. The services/collector endpoint is used to send data to HEC, not to create tokens. You can find more information about HEC tokens and their endpoints in the Splunk Developer Guide.

The valid format for a Splunk REST URI is scheme://host:port/services/endpoint. This format specifies the scheme (http or https), the host (the Splunk server name or IP address), the port (the Splunk management port, usually 8089), the services prefix (which indicates a Splunk REST endpoint), and the endpoint (the specific resource or action to access). The other formats are either incomplete or invalid. For more information, see About the Splunk REST API.

When output_mode is not used, the title element of a feed is a human readable name for a returned entry. The title element contains the name of the object, such as the name of a saved search or a dashboard. The other elements are not human readable names, but rather identifiers, links, or authors of the entry. For more information, see Access Splunk data using feeds.

 The correct answer is B and D, because they are the files within an app that contain permissions information. Permissions information refers to the access control settings for the app, such as who can read and write to the app, and whether the app is visible to all users or only to the app owner. The files that contain permissions information are the metadata/local.meta and metadata/default.meta files, which are located in the metadata folder of the app. The local/metadata.conf and default/metadata.conf files do not exist, and are not valid configuration files for an app.

The Splunk REST endpoint that is used to create a KV store collection is /storage/collections/config. This endpoint lets you create, update, or delete a KV store collection. The other endpoints are either invalid or used for different purposes. For more information, see Use the Splunk REST API to access the KV Store.

 The correct answer is A because using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in the $SPLUNK_HOME/etc/apps/myApp/local directory. The local directory is where Splunk stores the configuration files that are modified by the user, either through Splunk Web or by editing the files directly. The local directory has the highest priority in the configuration layering scheme, which means it overrides the settings in the default directory. The other options are incorrect because they either use the wrong directory or the wrong priority. You can find more information about the configuration files and the configuration layering scheme in the Splunk Developer Guide.

 The containers that are included in the Atom Feed response when using the Splunk REST API are , , and . The feed container represents the entire response, the entry container represents each individual result, and the content container represents the fields and values of each result. The namespace container is not included in the Atom Feed response, but rather in the XML namespace declaration. For more information, see Access Splunk data using feeds.

The correct answer is C, because the snippet should be placed in the $APP_HOME/metadata/local.meta file. This file contains the app-level permissions for the app, such as who can read and write to the app, and whether the app is visible to all users or only to the app owner. The $APP_HOME/default/app.conf file contains the app-level settings, such as the app name, description, version, and dependencies. The $APP_HOME/local/default.meta file does not exist, and the $SPLUNK_HOME/etc/system/local/server.conf file contains the server-level settings, such as the hostname, port, SSL, and clustering.

The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the Splunk REST API Reference Manual.

The correct answer is C, because omitting the value of _key from the REST endpoint would cause all records in a collection to be deleted. The _key is a unique identifier for each record in a KV Store collection. The REST endpoint for deleting a record from a collection is /storage/collections/data//, where is the name of the collection and is the value of _key. If the is omitted, the REST endpoint becomes /storage/collections/data/, which deletes all records in the collection. The other options are incorrect because they are not the consequences of omitting the value of _key from the REST endpoint. Cleaning the KV store, deleting all content would require deleting all collections, not just one. Producing the syntax error “Key value missing” would not happen, because the REST endpoint is valid without the value. Meaning that the _key value must be passed as an argument would not make sense, because the argument is the same as the value in the REST endpoint.

The HTTP Event Collector (HEC) endpoint that should be used to collect data in the given format is services/collector/raw. This endpoint accepts raw data that is not formatted as JSON, such as plain text or XML. The data format is specified by the sourcetype parameter in the request. The other endpoints are either used for different purposes or do not exist. For more information, see Use the raw HEC endpoint.

A KV store collection can be associated with a namespace for users in the admin, power, and splunk-system-user roles. These roles have the capability to create and manage KV store collections. The nobody user cannot access any KV store collection, and the users in the admin and power roles alone cannot access the collections in the splunk-system-user namespace. For more information, see KV Store namespaces.