SPLK-2001 Practice Exam Questions with Answers Splunk Certified Developer Exam Certification

 The correct answer is B, C, and D, because they are all valid parent elements for the event action shown below. The event action is a element, which is used to set the value of a token based on a user interaction, such as a click or a change. The element can be nested inside a , a , or a element, depending on the type and context of the event. The element is not a valid parent element for the element, but a sibling element that can be used to evaluate an expression and set the value of a token.

 The correct answer is A because using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in the $SPLUNK_HOME/etc/apps/myApp/local directory. The local directory is where Splunk stores the configuration files that are modified by the user, either through Splunk Web or by editing the files directly. The local directory has the highest priority in the configuration layering scheme, which means it overrides the settings in the default directory. The other options are incorrect because they either use the wrong directory or the wrong priority. You can find more information about the configuration files and the configuration layering scheme in the Splunk Developer Guide.

The correct answer is B, C, and D, because they are all ways to reduce the results size in the results when the search/jobs REST endpoint is called to execute a search. The search/jobs REST endpoint is used to create, manage, and control search jobs in Splunk. The results size in the results refers to the amount of data returned by the search job, which can affect the performance and efficiency of the search. Removing unneeded fields, truncating the data using selective functions, and summarizing the data using analytic commands are all methods to reduce the results size by filtering, limiting, or aggregating the data. Using a generating search is not a way to reduce the results size, but a way to create a search job that does not use the index, but instead generates its own data3.

 The correct answer is A and B because these are the ways to get a list of search jobs. Option A is correct because you can access the Activity > Jobs page in Splunk Web to see the list of search jobs that you have run or that are shared with you. Option B is correct because you can use Splunk REST to query the /services/search/jobs endpoint to get a list of search jobs. Option C is incorrect because the /services/saved/searches endpoint returns a list of saved searches, not search jobs. Option D is incorrect because the /services/search/sid/results endpoint returns the results of a specific search job, not a list of search jobs. You can find more information about search jobs and their endpoints in the Splunk REST API Reference Manual.

The navigation options that will be displayed to the end user are Search, Datasets, and Dashboards. This is because the local file overrides the default file, and the local file does not include the Reports view. For more information, see Configure navigation.

The correct answer is A, because the correct post-process syntax for the base search shown below is var mypostproc1 = new PostProcessManager {{ id: “post1”, managerid: “base-search”, search: “| stats count by sourcetype” }}. The PostProcessManager is a JavaScript object that creates a post-process search that runs on the results of a base search. The PostProcessManager requires three parameters: id, managerid, and search. The id is a unique identifier for the post-process search. The managerid is the id of the base search that the post-process search depends on. The search is the post-process search string that runs on the base search results. The other options are incorrect because they either use the wrong managerid, the wrong object name, or the wrong search string.

When output_mode is not used, the title element of a feed is a human readable name for a returned entry. The title element contains the name of the object, such as the name of a saved search or a dashboard. The other elements are not human readable names, but rather identifiers, links, or authors of the entry. For more information, see Access Splunk data using feeds.

 The correct answer is A, B, and C, because they are all ways to monitor app performance. App performance refers to how well an app performs its intended functions, such as data ingestion, search, visualization, and alerting. Monitoring app performance helps to identify and troubleshoot issues, optimize performance, and improve user experience. Using Splunk logs, using the search job inspector, and using the Monitoring Console are all methods to monitor app performance by collecting and analyzing various metrics and data related to the app. Using the storage/collections/config REST endpoint is not a way to monitor app performance, but a way to configure the KV Store collections for an app.

 The correct answer is B and D, because they are the files within an app that contain permissions information. Permissions information refers to the access control settings for the app, such as who can read and write to the app, and whether the app is visible to all users or only to the app owner. The files that contain permissions information are the metadata/local.meta and metadata/default.meta files, which are located in the metadata folder of the app. The local/metadata.conf and default/metadata.conf files do not exist, and are not valid configuration files for an app.

 The element in a successful Splunk REST call response contains metadata encapsulating the element. The metadata includes information such as the title, author, updated time, and links of the entry. The content element contains the fields and values of the entry, such as the name, description, and configuration. The other options are either incorrect or not part of the element. For more information, see Access Splunk data using feeds.

The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the Splunk REST API Reference Manual.

The correct answer is B, because the element will unset a token named my_token. The element is used to remove the value of a token based on a user interaction, such as a click or a change. The token attribute specifies the name of the token to be unset. The other options are incorrect because they will not unset a token named my_token. The myt?oken element is invalid, because the token name should not be enclosed in dollar signs. The false and disabled elements will not unset the token, but set its value to false or disabled, respectively.

The token filter that encodes URL values is tokenn?ame?u. This filter applies the URL encoding to the token value, which replaces special characters with percent-encoded characters. This is useful for passing token values as query parameters in a drilldown. The other token filters are either invalid or used for different purposes. For more information, see [Token filters].

The requirements for arguments sent to the data/indexes endpoint are to specify the datatype and include the name argument. The datatype argument specifies the type of data that is being indexed, such as event, metric, or http. The name argument specifies the name of the index that is being created or updated. The other arguments are either optional or invalid. For more information, see Create an index.

The correct answer is A, B, and C because these are the benefits of using Simple XML Extensions. Simple XML Extensions allow you to customize the appearance and behavior of your dashboards by adding custom layouts, graphics, and behaviors. You can also use JavaScript and CSS to enhance your dashboards. Option D is incorrect because Simple XML Extensions do not affect the Splunk license consumption based on host. You can find more information about Simple XML Extensions in the Splunk Developer Guide.

The correct answer is A, because visualization event handler uses the element to support pan and zoom functionality. Visualization event handler is a type of event handler that enables you to interact with custom visualizations3. The element defines the behavior of the visualization when the user selects a region of the chart. It supports attributes such as pan and zoom4.