Splunk Certified Developer Certification SPLK-2001 Sample Questions Reliable [Q33-Q57]

Prepare for the Actual Splunk Certified Developer SPLK-2001 Exam Practice Materials Collection

NEW QUESTION # 33
Which HTTP Event Collector (HEC) endpoint should be used to collect data in the following format?
{"message":"Hello World", "foo":"bar", "pony":"buttercup"}

  • A. services/collector/raw
  • B. data/inputs/http/{name}
  • C. services/collector
  • D. data/inputs/http

Answer: A


NEW QUESTION # 34
Which of the following are valid request arguments for the REST search endpoints? (Select all that apply.)

  • A. latest_time=rt
  • B. earliest_time=-5h@h
  • C. latest_time=now
  • D. earliest_time=rt_10m@m

Answer: B,C


NEW QUESTION # 35
Given the following two files defining app navigation, which navigation options will be displayed to the end user? (Select all that apply.)
$SPLUNK_HOME/etc/apps/app_name/default/data/ui/nav/default.xml
<nav search_view="search" color="#65A637">
<view name="search" default='true' />
<view name="datasets" />
<view name="reports" />
<view name="dashboards" />
</nav>
$SPLUNK_HOME/etc/apps/app_name/local/data/ui/nav/default.xml
<nav search_view="search" color="#65A637">
<view name="search" default='true' />
<view name="datasets" />
<view name="dashboards" />
</nav>

  • A. Reports
  • B. Datasets
  • C. Search
  • D. Dashboards

Answer: B,C,D

Explanation:
The navigation options that will be displayed to the end user are Search, Datasets, and Dashboards. This is because the local file overrides the default file, and the local file does not include the Reports view. For more information, see Configure navigation.


NEW QUESTION # 36
Log files related to Splunk REST calls can be found in which indexes? (Select all that apply.)

  • A. _thefishbucket
  • B. _blocksignature
  • C. _audit
  • D. _internal

Answer: C,D

Explanation:
The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.


NEW QUESTION # 37
Consider the following Python code snippet used in a Splunk add-on:
if not os.path.exists(full_path):
    self.doAction(full_path, header)
else:
    f = open(full_path)
    oldORnew = f.readline().split(",")
    f.close()
An attacker could create a denial of service by causing an error in either the open() or readline() commands. What type of vulnerability is this?

  • A. CWE-404: Improper Resource Shutdown or Release
  • B. CWE-562: Return of Stack Variable Address
  • C. CWE-693: Protection Mechanism Failure
  • D. CWE-636: Not Failing Securely ('Failing Open')

Answer: A

Explanation:
The type of vulnerability in the Python code snippet is CWE-404: Improper Resource Shutdown or Release. This vulnerability occurs when a resource is not released or closed properly after use, which can lead to resource exhaustion or unexpected behavior. In this case, an error in the open() or readline() calls means f.close() is never reached, so the file handle may not be released, which could prevent other processes from accessing the file or cause a memory leak. The other types of vulnerabilities are not relevant to this scenario. For more information, see CWE-404: Improper Resource Shutdown or Release.


NEW QUESTION # 38
Which of the following are security best practices for Splunk app development? (Select all that apply.)

  • A. Implement security in software development lifecycle.
  • B. Use a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities.
  • C. Store passwords in clear text in .conf files.
  • D. Manually test application with the controls listed in the OWASP Security Testing Guide.

Answer: A,B,D

Explanation:
The correct answer is B, C, and D, because they are all security best practices for Splunk app development.
Storing passwords in clear text in .conf files is not a security best practice, because it exposes the passwords to unauthorized access or leakage. Implementing security in software development lifecycle means applying security principles and practices throughout the app development process, from design to deployment.
Manually testing application with the controls listed in the OWASP Security Testing Guide helps to identify and mitigate common security risks and vulnerabilities in web applications. Using a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities helps to automate the security testing and find potential issues that might be missed by manual testing.


NEW QUESTION # 39
Which of the following formats are valid for a Splunk REST URI?

  • A. host:port/endpoint
  • B. $SPLUNK HOME/services/endpoint
  • C. scheme://host/servicesNS/*/
  • D. scheme://host:port/services/endpoint

Answer: D


NEW QUESTION # 40
What application security best practices should be adhered to while developing an app for Splunk? (Select all that apply.)

  • A. Review the OWASP Top Ten List.
  • B. Store passwords in clear text in .conf files.
  • C. Review the OWASP Secure Coding Practices Quick Reference Guide.
  • D. Ensure that third-party libraries that the app depends on have no outstanding CVE vulnerabilities.

Answer: A,C


NEW QUESTION # 41
When the search/jobs REST endpoint is called to execute a search, what can be done to reduce the results size in the results? (Select all that apply.)

  • A. Remove unneeded fields.
  • B. Truncate the data, using selective functions.
  • C. Use a generating search.
  • D. Summarize data, using analytic commands.

Answer: A,C


NEW QUESTION # 42
Which of these URLs could be used to construct a REST request to search the employee KV store collection to find records with a rating greater than or equal to 2 and less than 5?

  • A. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={$and:[{rating:{$gte:2}},{rating:{$lt:5}}]}&output_mode-json'
  • B. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{%22$lt%22:5}}]}&output_mode=json'
  • C. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22rating%22:{%22$gte%22:2}},{%22$and%22},{%22rating%22:{%22$lt%22:5}}}&output_mode=json'
  • D. 'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={$and:[{rating:$gte:2}},{rating:{$lt:5}}]}&output_mode=json'

Answer: B

Explanation:
The URL that could be used to construct a REST request to search the employee KV Store collection to find records with a rating greater than or equal to 2 and less than 5 is
'http://localhost:8089/servicesNS/nobody/search/storage/collections/data/employees?query={%22$and%22:[{%22rating%22:{%22$gte%22:2}},{%22rating%22:{%22$lt%22:5}}]}&output_mode=json'.
This URL uses the query parameter with a valid JSON expression that specifies the rating criteria, and the output_mode parameter with a value of json to return the results in JSON format. The other URLs are either invalid or use incorrect syntax for the query parameter. For more information, see Search a KV Store collection.


NEW QUESTION # 43
A KV store collection can be associated with a namespace for which of the following users?

  • A. Users in the admin role.
  • B. Nobody
  • C. Users in the admin, power, and splunk-system-user roles.
  • D. Users in the admin and power roles.

Answer: A


NEW QUESTION # 44
There is a global search named "global_search" defined on a form as shown below:
<search id="global_search">
<query>
index=_internal source=*splunkd.log | stats count by component, log_level
</query>
</search>
Which of the following would be a valid post-processing search? (Select all that apply.)

  • A. sourcetype=mysourcetype
  • B. | tstats count
  • C. stats sum(count) AS count by log_level
  • D. search log_level=error | stats sum(count) AS count by component

Answer: C,D


NEW QUESTION # 45
Which of the following endpoints is used to authenticate with the Splunk REST API?

  • A. /services/session/login
  • B. /services/auth/session/login
  • C. /services/auth/login
  • D. /servicesNS/authentication/login

Answer: C

Explanation:
The endpoint that is used to authenticate with the Splunk REST API is /services/auth/login. This endpoint returns a session key that can be used for subsequent requests to the Splunk REST API. The other endpoints are either invalid or used for different purposes. For more information, see Authenticate with the Splunk REST API.


NEW QUESTION # 46
In a DELETE request, what would omitting the value of _key from the REST endpoint do?

  • A. Cause all records in a collection to be deleted.
  • B. Clean the KV store, deleting all content.
  • C. Mean that the _key value must be passed as an argument.
  • D. Produce the syntax error "Key value missing".

Answer: A

Explanation:
The correct answer is C, because omitting the value of _key from the REST endpoint would cause all records in a collection to be deleted. The _key is a unique identifier for each record in a KV Store collection. The REST endpoint for deleting a record from a collection is /storage/collections/data/<collection>/<key>, where <collection> is the name of the collection and <key> is the value of _key. If the <key> is omitted, the REST endpoint becomes /storage/collections/data/<collection>, which deletes all records in the collection. The other options are incorrect because they are not the consequences of omitting the value of _key from the REST endpoint. Cleaning the KV store, deleting all content would require deleting all collections, not just one. Producing the syntax error "Key value missing" would not happen, because the REST endpoint is valid without the <key> value. Meaning that the _key value must be passed as an argument would not make sense, because the argument is the same as the <key> value in the REST endpoint.


NEW QUESTION # 47
Which of the following are valid parent elements for the event action shown below? (Select all that apply.)
<set token="Token Name">sourcetype=$click.value|s$</set>

  • A. <change>
  • B. <drilldown>
    <condition>
  • C. <change>
    <condition>
  • D. <eval>

Answer: A,B,C

Explanation:
The correct answer is B, C, and D, because they are all valid parent elements for the event action shown below. The event action is a <set> element, which is used to set the value of a token based on a user interaction, such as a click or a change. The <set> element can be nested inside a <change>, a <condition>, or a <drilldown> element, depending on the type and context of the event. The <eval> element is not a valid parent element for the <set> element, but a sibling element that can be used to evaluate an expression and set the value of a token.


NEW QUESTION # 48
How can event logs be collected from a remote Windows machine using a standard Splunk installation and no customization? (Select all that apply.)

  • A. By using HTTP event collector.
  • B. By using a Windows universal forwarder.
  • C. By using a Windows heavy forwarder.
  • D. By configuring a WMI input.

Answer: B,D

Explanation:
The correct answer is A and D, because configuring a WMI input and using a Windows universal forwarder are the ways to collect event logs from a remote Windows machine using a standard Splunk installation and no customization. WMI input is a type of input that collects Windows Management Instrumentation (WMI) data from remote Windows machines. Windows universal forwarder is a lightweight version of Splunk that can forward data from Windows machines to Splunk indexers.


NEW QUESTION # 49
Which files within an app contain permissions information? (Select all that apply.)

  • A. metadata/default.meta
  • B. default/metadata.conf
  • C. local/metadata.conf
  • D. metadata/local.meta

Answer: A,D

Explanation:
The correct answer is B and D, because they are the files within an app that contain permissions information.
Permissions information refers to the access control settings for the app, such as who can read and write to the app, and whether the app is visible to all users or only to the app owner. The files that contain permissions information are the metadata/local.meta and metadata/default.meta files, which are located in the metadata folder of the app. The local/metadata.conf and default/metadata.conf files do not exist, and are not valid configuration files for an app.


NEW QUESTION # 50
Using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in which directory?

  • A. $SPLUNK_HOME/etc/system/default/
  • B. $SPLUNK_HOME/etc/apps/myApp/default
  • C. $SPLUNK_HOME/etc/apps/myApp/local
  • D. $SPLUNK_HOME/etc/system/local

Answer: C


NEW QUESTION # 51
A user wants to add the token $token_name$ to a dashboard for use in a drilldown. Which token filter encodes URL values?

  • A. $token_name|h$
  • B. $$token_name$$
  • C. $token_name|u$
  • D. $token_name|n$

Answer: C


NEW QUESTION # 52
Which items below are configured in inputs.conf? (Select all that apply.)

  • A. A custom search command written in Python.
  • B. An HTTP Event Collector as receiver of data from an app.
  • C. A file input monitoring a JSON file.
  • D. A modular input written in Python.

Answer: B,C,D

Explanation:
The correct answer is A, B, and D, because they are all items that can be configured in inputs.conf. Inputs.conf is a configuration file that defines how Splunk ingests data from various sources, such as files, directories, network ports, scripts, or modular inputs. A modular input written in Python is a type of input that allows Splunk to ingest data from a custom source using a Python script. A file input monitoring a JSON file is a type of input that allows Splunk to monitor a file or directory for new or updated data in JSON format. An HTTP Event Collector as receiver of data from an app is a type of input that allows Splunk to receive data from an app via HTTP or HTTPS requests. A custom search command written in Python is not an item that can be configured in inputs.conf, but in commands.conf.


NEW QUESTION # 53
Suppose the following query in a Simple XML dashboard returns a table including hyperlinks:
<search>
<query>index=news sourcetype=web_proxy | table sourcetype title link
</query>
</search>
Which of the following is a valid dynamic drilldown element to allow a user of the dashboard to visit the hyperlinks contained in the link field?

  • A. <option name "link.openSearch.viewTarget">$row.link$</option>
  • B. <drilldown>
    <link target="_blank">$row.link|n$</link>
    </drilldown>
  • C. <drilldown>
    <link target=" blank">$$row.link$$</link>
    </drilldown>
  • D. <drilldown>
    <link target "_blank">http://localhost:8000/debug/refresh</link>
    </drilldown>

Answer: B

Explanation:
It uses the $row.field|n$ syntax to reference the value of the link field in each row of the table. This syntax is used to create dynamic links in Simple XML dashboards. The other options are incorrect because they either use invalid syntax or do not reference the link field correctly. You can find more information about dynamic drill-downs and link syntax in the Splunk Developer Guide.


NEW QUESTION # 54
Given the following two files defining app navigation, which navigation options will be displayed to the end user? (Select all that apply.)
$SPLUNK_HOME/etc/apps/app_name/default/data/ui/nav/default.xml
<nav search_view="search" color="#65A637">
<view name="search" default='true' />
<view name="datasets" />
<view name="reports" />
<view name="dashboards" />
</nav>
$SPLUNK_HOME/etc/apps/app_name/local/data/ui/nav/default.xml
<nav search_view="search" color="#65A637">
<view name="search" default='true' />
<view name="datasets" />
<view name="dashboards" />
</nav>

  • A. Dashboards
  • B. Search
  • C. Datasets
  • D. Reports

Answer: C,D


NEW QUESTION # 55
How can indexer acknowledgement be enabled for HTTP Event Collector (HEC)? (Select all that apply.)

  • A. When a new HEC token is created in Splunk Web, select the checkbox labeled "Enable indexer acknowledgment".
  • B. No need to do anything, it is turned on by default.
  • C. When the Global Settings for HEC are updated in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".
  • D. When a REST request is sent to create a token, the property for indexer acknowledgment must be set to 1.

Answer: A,C,D

Explanation:
The correct answer is B, C, and D because these are the ways to enable indexer acknowledgement for HTTP Event Collector (HEC). Indexer acknowledgement is a feature that ensures that the data sent to HEC is successfully indexed by Splunk before deleting it from the sender. Option B is correct because you can use a REST request to create a token with the indexer_ack property set to 1. Option C is correct because you can select the checkbox labeled "Enable indexer acknowledgment" when creating a new HEC token in Splunk Web. Option D is correct because you can select the checkbox labeled "Enable indexer acknowledgment" when updating the Global Settings for HEC in Splunk Web. Option A is incorrect because indexer acknowledgment is not turned on by default. You can find more information about indexer acknowledgment for HEC in the Splunk Developer Guide.


NEW QUESTION # 56
When updating a knowledge object via REST, which of the following are valid values for the sharing Access Control List property?

  • A. Global
  • B. Nobody
  • C. App
  • D. User

Answer: A,B,C

Explanation:
The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the Splunk REST API Reference Manual.


NEW QUESTION # 57
......

Ace Splunk SPLK-2001 Certification with Actual Questions Dec 24, 2023 Updated: https://lead2pass.guidetorrent.com/SPLK-2001-dumps-questions.html