SPLK-2001 Sample Questions Answers

The correct answer is A and D, because configuring a WMI input and using a Windows universal forwarder are the ways to collect event logs from a remote Windows machine using a standard Splunk installation and no customization. WMI input is a type of input that collects Windows Management Instrumentation (WMI) data from remote Windows machines. Windows universal forwarder is a lightweight version of Splunk that can forward data from Windows machines to Splunk indexers.

 The correct answer is A, B, and C because these are the possible reasons why the dashboard is not seen after moving myApp to a different Splunk instance. Option A is correct because if the dashboard’s permissions were set to private, only the owner of the dashboard can see it on the new instance. Option B is correct because if the user role permissions are different on the new instance, the user may not have access to the dashboard. Option C is correct because if the admin deleted the myApp/local directory before packaging, the dashboard configuration may have been lost. Option D is incorrect because changes placed in $SPLUNK_HOME/etc/apps/search/default/data/ui/nav do not affect the visibility of the dashboard. You can find more information about dashboard permissions and configuration in the Splunk Developer Guide.

 Auto-refresh applies to inline searches and saved searches, and post-processing searches are refreshed when their base searches are refreshed. Enabling auto-refresh for a report does not require editing XML, but rather using the Edit Schedule option in the report menu. Each post-processing search using the same base search cannot have a different refresh time, but rather inherits the refresh time of the base search. For more information, see Set up auto-refresh for dashboard panels.

 The valid syntax for specifying an absolute time range modifier in a search is earliest=01/01/2019T00:00:00. The T character separates the date and time components. The other options are invalid because they use either a colon or a space instead of a T. For more information, see Specify time modifiers in your search.

The HTTP Event Collector (HEC) endpoint that should be used to collect data in the given format is services/collector/raw. This endpoint accepts raw data that is not formatted as JSON, such as plain text or XML. The data format is specified by the sourcetype parameter in the request. The other endpoints are either used for different purposes or do not exist. For more information, see Use the raw HEC endpoint.

The correct answer is A because the namespace is a type of token filter. The namespace is a parameter that can be used to filter the tokens returned by the REST API. The namespace consists of the user and the app context, which determine the scope and visibility of the knowledge objects in Splunk. Option B is incorrect because the namespace can include a wildcard (*) for the app attribute, which means it will return tokens from all apps. Option C is incorrect because the namespace does not filter the knowledge objects returned by the REST API, but rather the tokens that reference them. Option D is incorrect because the namespace does filter the tokens returned by the REST API, based on the user and app context. You can find more information about the namespace and the token filter in the Splunk REST API Reference Manual.

The correct answer is A because the namespace is a combination of the user and the app. The namespace determines the scope and visibility of the knowledge objects in Splunk. The role, the sharing level, and the permissions are not part of the namespace, but they affect the access to the knowledge objects. You can find more information about the namespace and the knowledge objects in the Splunk Developer Guide.

A Splunk custom visualization is a visualization that uses the Splunk Custom Visualization API. This API lets you create your own visualizations using JavaScript, HTML, and CSS. You can also use third-party libraries or frameworks to create custom visualizations. The other options are not custom visualizations, but rather variations of the built-in visualizations in Splunk. For more information, see [Custom visualizations overview].

The correct answer is C, because the snippet should be placed in the $APP_HOME/metadata/local.meta file. This file contains the app-level permissions for the app, such as who can read and write to the app, and whether the app is visible to all users or only to the app owner. The $APP_HOME/default/app.conf file contains the app-level settings, such as the app name, description, version, and dependencies. The $APP_HOME/local/default.meta file does not exist, and the $SPLUNK_HOME/etc/system/local/server.conf file contains the server-level settings, such as the hostname, port, SSL, and clustering.

The correct answer is B, because an HTTP header field is an intended use of HTTP Event Collector tokens. An HTTP Event Collector token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token can be specified in the Authorization header field of the HTTP request, using the format Authorization: Splunk  2. The other options are incorrect because they are not valid ways to use an HEC token. A cookie is a small piece of data stored by the web browser, not by Splunk. A JSON field in the HTTP request is used to specify the event data or metadata, not the HEC token. A password in conjunction with login is not related to HEC, but to Splunk Web or REST API authentication.

The correct answer is C and D, because they are both statements that describe an HEC token. An HEC token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token is a GUID (globally unique identifier), which is a 32-character hexadecimal string that is randomly generated. An HEC token can be created in Splunk Web or using REST endpoints, depending on the preference of the user. An HEC token does not map to a Splunk user, but to a specific index or set of indexes where the data will be stored. An HEC token cannot be used to download data, but only to send data to Splunk.

The correct answer is A, B, and D because these are the statements that are true regarding HEC (HTTP Event Collector) tokens. HEC tokens are unique identifiers that are used to authenticate and authorize the data sent to HEC, which is a service that allows you to send data to Splunk via HTTP or HTTPS. Option A is correct because multiple tokens can be created for use with different sourcetypes and indexes, which are the attributes that define the data type and the location of the data in Splunk. Option B is correct because the edit token http admin role capability is required to create a token, which is a permission that allows the user to manage the HEC tokens. Option D is correct because tokens can be edited using the data/inputs/http/{tokenName} endpoint, which is a REST endpoint that allows you to update the properties of a specific HEC token. Option C is incorrect because to create a token, you need to send a POST request to the data/inputs/http endpoint, not the services/collector endpoint. The services/collector endpoint is used to send data to HEC, not to create tokens. You can find more information about HEC tokens and their endpoints in the Splunk Developer Guide.

The URL that could be used to construct a REST request to search the employee KV Store collection to find records with a rating greater than or equal to 2 and less than 5 is ‘http://localhost:8089/servicesNS/nobody/search/storage/collections/data/ employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{% 22$lt%22:5}}]} &output_mode=json’. This URL uses the query parameter with a valid JSON expression that specifies the rating criteria, and the output_mode parameter with a value of json to return the results in JSON format. The other URLs are either invalid or use incorrect syntax for the query parameter. For more information, see Search a KV Store collection.

 The correct answer is B, C, and D, because they are all valid parent elements for the event action shown below. The event action is a element, which is used to set the value of a token based on a user interaction, such as a click or a change. The element can be nested inside a , a , or a element, depending on the type and context of the event. The element is not a valid parent element for the element, but a sibling element that can be used to evaluate an expression and set the value of a token.

 The correct answer is A, B, and C, because they are all ways to monitor app performance. App performance refers to how well an app performs its intended functions, such as data ingestion, search, visualization, and alerting. Monitoring app performance helps to identify and troubleshoot issues, optimize performance, and improve user experience. Using Splunk logs, using the search job inspector, and using the Monitoring Console are all methods to monitor app performance by collecting and analyzing various metrics and data related to the app. Using the storage/collections/config REST endpoint is not a way to monitor app performance, but a way to configure the KV Store collections for an app.

The correct answer is B, C, and D, because they are all security best practices for Splunk app development. Storing passwords in clear text in .conf files is not a security best practice, because it exposes the passwords to unauthorized access or leakage. Implementing security in software development lifecycle means applying security principles and practices throughout the app development process, from design to deployment. Manually testing application with the controls listed in the OWASP Security Testing Guide helps to identify and mitigate common security risks and vulnerabilities in web applications. Using a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities helps to automate the security testing and find potential issues that might be missed by manual testing.

 The correct answer is A and B, because for a KV Store, a lookup stanza in the transforms.conf file must contain the collection and fields_list attributes. A lookup stanza is a configuration section in the transforms.conf file that defines the properties of a lookup, such as the lookup type, the lookup file or collection, the input and output fields, and the match type. A lookup is a feature that allows Splunk to enrich the events with additional data from an external source, such as a CSV file or a KV Store collection. For a KV Store lookup, the lookup stanza must have the collection attribute, which specifies the name of the KV Store collection to use, and the fields_list attribute, which specifies the fields to return from the KV Store collection2. The external_type and internal_type attributes are not required for a KV Store lookup, but for a scripted lookup, which is a type of lookup that uses an external script to perform the lookup operation.

The correct answer is B, C, and D, because they are all ways to reduce the results size in the results when the search/jobs REST endpoint is called to execute a search. The search/jobs REST endpoint is used to create, manage, and control search jobs in Splunk. The results size in the results refers to the amount of data returned by the search job, which can affect the performance and efficiency of the search. Removing unneeded fields, truncating the data using selective functions, and summarizing the data using analytic commands are all methods to reduce the results size by filtering, limiting, or aggregating the data. Using a generating search is not a way to reduce the results size, but a way to create a search job that does not use the index, but instead generates its own data3.