Question 1

Searching “index=_internal metrics | head 3” from Splunk Web returned the following events:
04-12-2018
18:39:43.514
+0200
INFO
Metrics
–
group=thruput,
name=thruput,
instantaneous_kbps=0.9651774014563425,
instantaneous_eps=5.645638802094809,
average_kbps=1.198995639527069,
total_k_processed=2676,
kb=29.91796875,
ev=175,
load_average=3.85888671875
04-12-2018
18:39:43.514
+0200
INFO
Metrics
–
group_thruput,
name_syslog_output,
instantaneous_kbps=0, instantaneous_eps_0, average_kbps=0, total_k_processed=0, kb=0, ev=0
04-12-2018
18:39:43.513
+0200
INFO
Metrics
–
group_thruput,
name_index_thruput,
instantaneous_kbps=0.9651773703189551,
instantaneous_eps=4.87137960922438,
average_kbps=1.1985932324065556, total_k_processed=2675, kb=29.91796875, ev=151
When the same search is required from a REST API call, which fields will be given? (Select all that
apply.)

Accepted Answer

A, B, C, D

Explanation: By default, the Splunk REST API endpoint used to retrieve search results (/services/search/jobs/{searchid}/results) returns all fields that are extracted for each event. This includes the raw event data (raw), default metadata fields (such as sourcetype), and all fields extracted at search time. For the given metrics events, fields like name and instantaneouskbps are extracted from the key-value pairs within the raw data. Therefore, without any specific parameters to limit the field list in the API call, all listed fields will be included in the response for each event.

Question 2

In order to successfully accelerate a report, which criteria must the search meet? (Select all that apply.)

Accepted Answer

A, B, D

Explanation: Report acceleration works by creating a summary of the data generated by a search up to its first transforming command. For this process to be successful, several criteria must be met. The search must contain a transforming command (e.g., stats, chart, timechart) to define the statistical summary that will be accelerated. All commands preceding this transforming command must be streamable, meaning they can operate on events one by one. Non-streaming commands would require the entire dataset, defeating the purpose of the summary. Finally, event sampling is incompatible with report acceleration because sampling uses a subset of data, while acceleration builds a complete summary of all relevant data.

Question 3

After updating a dashboard in myApp, a Splunk admin moves myApp to a different Splunk instance.
After logging in to the new instance, the dashboard is not seen. What could have happened? (Select
all that apply.)

Accepted Answer

A, B, C

Explanation: There are three primary reasons why the dashboard might not be visible on the new instance. First, if the dashboard's permissions were set to "Private," it would be saved in the user's specific directory (etc/users/ /myApp/local), not the app's main directory (etc/apps/myApp/). Consequently, it would not be included when the app is packaged and moved. Second, deleting the myApp/local directory before packaging would discard all UI-driven changes and customizations, including the updated dashboard. Finally, even if the dashboard is moved correctly, the user's role on the new instance might lack the necessary permissions to view objects within myApp, making the dashboard invisible to that user.

Question 4

How can indexer acknowledgement be enabled for HTTP Event Collector (HEC)? (Select all that apply.)

Accepted Answer

B, C

Explanation: Indexer acknowledgement for the HTTP Event Collector (HEC) is a setting configured on a per-token basis to ensure data durability. It is not enabled by default. It can be enabled through two primary methods: 1. Via the Splunk Web user interface, by selecting the "Enable indexer acknowledgement" checkbox during the creation of a new HEC token. 2. Programmatically via the REST API, by setting the useACK parameter to 1 (or true) in the POST request to the services/data/inputs/http endpoint when creating a new token. This allows for automated and scripted configuration of HEC tokens with guaranteed delivery enabled.

Question 5

Which of the following is an example of a Splunk KV store use case? (Select all that apply.)

Accepted Answer

A, B, D

Explanation: The Splunk KV (Key-Value) Store is a lookup and storage component designed for Splunk applications to manage and maintain stateful information. It excels at handling structured data that requires frequent updates or modifications. Use cases include storing checkpoint data for modular inputs to track their progress (A), managing the state of a workflow like an incident review system (B), and saving application-specific data such as user preferences or session information as they interact with an app (D). These tasks leverage the KV Store's ability to act as a persistent database within the Splunk environment.

Question 6

Data can be added to a KV store collection in which of the following format(s)?

Accepted Answer

A

Explanation: The Splunk KV (Key-Value) Store is a lookup feature that stores data as collections of records. Each record within a collection is fundamentally a JSON document. When adding data to a KV Store collection, whether through the REST API or using SPL commands like outputlookup, the data must be structured in JSON format. While source data can originate from formats like CSV, it must first be processed by Splunk's search pipeline into field-value pairs, which are then converted into JSON documents for insertion into the KV Store. The KV Store itself does not natively ingest or parse XML, CSV, or TXT formats.

Question 7

Which of the following are valid request arguments for the REST search endpoints? (Select all that apply.)

Accepted Answer

A, B, C

Explanation: The Splunk REST API search/jobs endpoint accepts standard Splunk time modifiers for the earliesttime and latesttime arguments. - latesttime=rt is the correct syntax to initiate a real-time search. - latesttime=now is a valid keyword representing the current time when the search is executed. - earliesttime=-5h@h is a valid relative time modifier that specifies a time five hours ago, snapped to the beginning of that hour. The syntax in option D is invalid.

Question 8

Which of the following endpoints is used to authenticate with the Splunk REST API?

Accepted Answer

A

Explanation: The /services/auth/login endpoint is the designated REST API endpoint for authenticating with a Splunk instance. A client application sends a POST request containing user credentials (username and password) to this endpoint. Upon successful validation, the Splunk server responds with a session key (or token). This session key must then be included in the Authorization header of all subsequent API requests to access protected resources, thereby maintaining an authenticated session. This is the standard and primary method for programmatic login via the REST API.

Question 9

Which HTTP Event Collector (HEC) endpoint should be used to collect data in the following format? {“message”:“Hello World”, “foo”:“bar”, “pony”:“buttercup”}

Accepted Answer

C

Explanation: The services/collector path is the base endpoint for the Splunk HTTP Event Collector (HEC) used for data ingestion. The provided data is a structured JSON object, which is specifically handled by the /services/collector/event endpoint. Since /services/collector/event is not an available option, the base path services/collector is the most appropriate choice. This correctly identifies the data collection service, distinguishing it from REST API endpoints used for configuration or endpoints for different data types.

Question 10

A fellow Splunk administrator is reviewing an app that has been downloaded from splunkbase and
deployed in an organization. The admin has e-mailed the following configuration snippet with a brief
note that says “fix the permissions”.
In what configuration file should the snippet be placed?
[]
access = read : [ * ], write : [ admin ] export - system
(Assume
that
$APP_HOME
refers
to
the
path
that
the
app
is
installed,
e.g.
$SPLUNK_HOME/etc/apps/)

Accepted Answer

C

Explanation: The provided configuration snippet, access = read : [ ], write : [ admin ] export - system, is used to define permissions and sharing for Splunk knowledge objects. This type of configuration belongs in a metadata file (.meta). For an administrator to apply a persistent, local change to an app's knowledge objects, the configuration should be placed in the local.meta file within that app's metadata directory. This ensures the changes are not overwritten during app upgrades. The path $APPHOME/metadata/local.meta is the standard, correct location for this purpose.

Question 11

Which of the following log files contains logs that are most relevant to Splunk Web?

Accepted Answer

D

Explanation: The webservice.log file is the most relevant log for Splunk Web as it specifically contains messages, errors, and access events generated by the Splunk Web service. This includes information about page rendering, web server status, and user interface-related activities. When troubleshooting issues with the Splunk Web interface, such as pages not loading or errors appearing, this log is the primary source for diagnostic information. The other logs serve different, although related, purposes for the overall Splunk platform.

Question 12

Which files within an app contain permissions information? (Select all that apply.)

Accepted Answer

B, D

Explanation: In Splunk, permissions for knowledge objects (such as reports, dashboards, and lookups) within an application are defined in metadata files. The metadata/default.meta file contains the baseline, default permissions that are shipped with the app. When a user modifies these permissions through the Splunk Web UI, the changes are saved to the metadata/local.meta file. The settings in local.meta take precedence over those in default.meta, allowing for customized access control without altering the app's original files.

Question 13

Which of the following is a way to monitor app performance? (Select all that apply.)

Accepted Answer

A, B, C

Explanation: App performance in Splunk can be monitored through several built-in tools. The Monitoring Console (MC) offers pre-built dashboards to view the performance of searches, schedulers, and resource utilization, which can often be filtered by app. The search job inspector provides granular, real-time and historical performance details for individual search jobs, which are the core components of most apps. Finally, Splunk's internal logs, stored in the internal index, serve as the raw data source for the MC and can be searched directly to diagnose performance issues related to any Splunk component or app context.

Question 14

Which of the following formats are valid for a Splunk REST URI?

Accepted Answer

D

Explanation: A valid Splunk REST API Uniform Resource Identifier (URI) follows a standard structure for accessing endpoints on a Splunk instance. This structure must include the protocol scheme (http or httpss), the hostname or IP address of the Splunk server, the management port number (default is 8089), the /services/ path prefix, and the specific endpoint path. The format scheme://host:port/services/endpoint correctly represents all these required components for a basic REST API call.

Question 15

Which of these URLs could be used to construct a REST request to search the employee KV store collection to find records with a rating greater than or equal to 2 and less than 5?

Accepted Answer

D

Explanation: The correct URL must use the KV Store REST API endpoint and provide a valid, URL-encoded, MongoDB-style query. The query needs to combine two conditions using a logical $and operator: rating is greater than or equal to 2 ($gte: 2) and rating is less than 5 ($lt: 5). Option D correctly constructs this query as a JSON object {"$and":[{"rating":{"$gte":2}},{"rating":{"$lt":5}}]} and properly URL-encodes it for use as a query parameter. The base endpoint and outputmode parameter are also correct.

Free Splunk SPLK-2001 Actual Exam Questions