SPLK-2001 Splunk Certified Developer Exam Questions and Answers

The correct answer is A because the tstats command is a generating command. A generating command is a type of command that does not require a base search and can generate results from the summary data or the raw data. The tstats command is a generating command that can retrieve statistical information from the summary data, such as the accelerated data models or the data model summaries. The tstats command is similar to the stats command, but it is faster and more efficient, as it does not need to scan the raw data. The other options are incorrect because they are not the type of command that tstats is. Option B is incorrect because a transforming command is a type of command that converts the results into a data table with rows and columns. Option C is incorrect because a centralized streaming command is a type of command that processes the results on the search head, not on the indexers. Option D is incorrect because a distributable streaming command is a type of command that processes the results on the indexers, not on the search head. You can find more information about the tstats command and the types of commands in the  Splunk Developer Guide .

The valid format for a Splunk REST URI is scheme://host:port/services/endpoint. This format specifies the scheme (http or https), the host (the Splunk server name or IP address), the port (the Splunk management port, usually 8089), the services prefix (which indicates a Splunk REST endpoint), and the endpoint (the specific resource or action to access). The other formats are either incomplete or invalid. For more information, see  About the Splunk REST API .

The correct answer is A because the namespace is a type of token filter. The namespace is a parameter that can be used to filter the tokens returned by the REST API. The namespace consists of the user and the app context, which determine the scope and visibility of the knowledge objects in Splunk. Option B is incorrect because the namespace can include a wildcard (*) for the app attribute, which means it will return tokens from all apps. Option C is incorrect because the namespace does not filter the knowledge objects returned by the REST API, but rather the tokens that reference them. Option D is incorrect because the namespace does filter the tokens returned by the REST API, based on the user and app context. You can find more information about the namespace and the token filter in the  Splunk REST API Reference Manual .

The valid request arguments for the REST search endpoints are latest_time=now and earliest_time=-5h@h. These arguments specify the time range for the search, using relative or absolute time modifiers. The other arguments are invalid because they use rt (real-time) modifiers, which are not supported by the REST search endpoints. For more information, see [Specify time modifiers in your search].

 The correct answer is A and B because these are the ways to get a list of search jobs. Option A is correct because you can access the Activity > Jobs page in Splunk Web to see the list of search jobs that you have run or that are shared with you. Option B is correct because you can use Splunk REST to query the /services/search/jobs endpoint to get a list of search jobs. Option C is incorrect because the /services/saved/searches endpoint returns a list of saved searches, not search jobs. Option D is incorrect because the /services/search/sid/results endpoint returns the results of a specific search job, not a list of search jobs. You can find more information about search jobs and their endpoints in the  Splunk REST API Reference Manual .

The correct answer is A because the namespace is a combination of the user and the app. The namespace determines the scope and visibility of the knowledge objects in Splunk. The role, the sharing level, and the permissions are not part of the namespace, but they affect the access to the knowledge objects. You can find more information about the namespace and the knowledge objects in the  Splunk Developer Guide .

The navigation options that will be displayed to the end user are Search, Datasets, and Dashboards. This is because the local file overrides the default file, and the local file does not include the Reports view. For more information, see  Configure navigation .

 By using visualization drilldown, you can hide or show a panel by clicking on a chart or a table on the same form. Visualization drilldown lets you define a drilldown action that affects a different panel on the same dashboard. You can use the  set  or  unset  tokens to control the visibility of the target panel. For more information, see  Visualization drilldown .

The correct answer is B, because an HTTP header field is an intended use of HTTP Event Collector tokens. An HTTP Event Collector token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC).  An HEC token can be specified in the Authorization header field of the HTTP request, using the format Authorization: Splunk < token >   2 . The other options are incorrect because they are not valid ways to use an HEC token. A cookie is a small piece of data stored by the web browser, not by Splunk. A JSON field in the HTTP request is used to specify the event data or metadata, not the HEC token. A password in conjunction with login is not related to HEC, but to Splunk Web or REST API authentication.

The token filter that encodes URL values is tokenn ​ ame ∣ u . This filter applies the URL encoding to the token value, which replaces special characters with percent-encoded characters. This is useful for passing token values as query parameters in a drilldown. The other token filters are either invalid or used for different purposes. For more information, see [Token filters] .

When output_mode is not used, the title element of a feed is a human readable name for a returned entry. The title element contains the name of the object, such as the name of a saved search or a dashboard. The other elements are not human readable names, but rather identifiers, links, or authors of the entry. For more information, see  Access Splunk data using feeds .

The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the  Splunk REST API Reference Manual .

The URL that could be used to construct a REST request to search the employee KV Store collection to find records with a rating greater than or equal to 2 and less than 5 is ‘http://localhost:8089/servicesNS/nobody/search/storage/collections/data/ employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{% 22$lt%22:5}}]} & output_mode=json’. This URL uses the query parameter with a valid JSON expression that specifies the rating criteria, and the output_mode parameter with a value of json to return the results in JSON format. The other URLs are either invalid or use incorrect syntax for the query parameter. For more information, see  Search a KV Store collection .

When the same search is required from a REST API call, all the fields will be given, including _raw, name, sourcetype, and instantaneous_kbps. This is because the default output mode for the REST API is XML, which returns all the fields and values for each event. To limit the fields returned, you can use the output_mode parameter with a value of json_cols, json_rows, or csv. For more information, see  Access Splunk data using feeds .

The correct answer is A, B, and D because these are the statements that are true regarding HEC (HTTP Event Collector) tokens. HEC tokens are unique identifiers that are used to authenticate and authorize the data sent to HEC, which is a service that allows you to send data to Splunk via HTTP or HTTPS. Option A is correct because multiple tokens can be created for use with different sourcetypes and indexes, which are the attributes that define the data type and the location of the data in Splunk. Option B is correct because the edit token http admin role capability is required to create a token, which is a permission that allows the user to manage the HEC tokens. Option D is correct because tokens can be edited using the data/inputs/http/{tokenName} endpoint, which is a REST endpoint that allows you to update the properties of a specific HEC token. Option C is incorrect because to create a token, you need to send a POST request to the data/inputs/http endpoint, not the services/collector endpoint. The services/collector endpoint is used to send data to HEC, not to create tokens. You can find more information about HEC tokens and their endpoints in the  Splunk Developer Guide .

When added to an app’s default.meta file, export = system makes one of its views available to other apps. This means that the view is visible and searchable by all users. The other options are invalid because export = app means that the view is visible and searchable only within the app, export = none means that the view is not visible or searchable by any user, and export = view is not a valid value for the export attribute. For more information, see  About configuration file structure and inheritance .

The correct answer is B, C, and D, because they are all security best practices for Splunk app development. Storing passwords in clear text in .conf files is not a security best practice, because it exposes the passwords to unauthorized access or leakage. Implementing security in software development lifecycle means applying security principles and practices throughout the app development process, from design to deployment. Manually testing application with the controls listed in the OWASP Security Testing Guide helps to identify and mitigate common security risks and vulnerabilities in web applications. Using a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities helps to automate the security testing and find potential issues that might be missed by manual testing.

A KV store collection can be associated with a namespace for users in the admin, power, and splunk-system-user roles. These roles have the capability to create and manage KV store collections. The nobody user cannot access any KV store collection, and the users in the admin and power roles alone cannot access the collections in the splunk-system-user namespace. For more information, see  KV Store namespaces .