Free Splunk SPLK-2001 Practice Exam with Questions & Answers

The types of event handlers are set token and form input. Set token event handlers let you set or unset tokens based on user interactions, such as clicking on a chart or selecting a value from a dropdown. Form input event handlers let you create interactive forms that use tokens to pass values between inputs and searches. The other options are not event handlers, but rather components of a dashboard. For more information, see Event handlers overview.

The correct answer is A, B, and C because these are the benefits of using Simple XML Extensions. Simple XML Extensions allow you to customize the appearance and behavior of your dashboards by adding custom layouts, graphics, and behaviors. You can also use JavaScript and CSS to enhance your dashboards. Option D is incorrect because Simple XML Extensions do not affect the Splunk license consumption based on host. You can find more information about Simple XML Extensions in the Splunk Developer Guide.

The correct answer is B, C, and D, because they are all security best practices for Splunk app development. Storing passwords in clear text in .conf files is not a security best practice, because it exposes the passwords to unauthorized access or leakage. Implementing security in software development lifecycle means applying security principles and practices throughout the app development process, from design to deployment. Manually testing application with the controls listed in the OWASP Security Testing Guide helps to identify and mitigate common security risks and vulnerabilities in web applications. Using a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities helps to automate the security testing and find potential issues that might be missed by manual testing.

The valid request arguments for the REST search endpoints are latest_time=now and earliest_time=-5h@h. These arguments specify the time range for the search, using relative or absolute time modifiers. The other arguments are invalid because they use rt (real-time) modifiers, which are not supported by the REST search endpoints. For more information, see [Specify time modifiers in your search].

A Splunk custom visualization is a visualization that uses the Splunk Custom Visualization API. This API lets you create your own visualizations using JavaScript, HTML, and CSS. You can also use third-party libraries or frameworks to create custom visualizations. The other options are not custom visualizations, but rather variations of the built-in visualizations in Splunk. For more information, see [Custom visualizations overview].

The correct answer is B, because an HTTP header field is an intended use of HTTP Event Collector tokens. An HTTP Event Collector token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token can be specified in the Authorization header field of the HTTP request, using the format Authorization: Splunk  2. The other options are incorrect because they are not valid ways to use an HEC token. A cookie is a small piece of data stored by the web browser, not by Splunk. A JSON field in the HTTP request is used to specify the event data or metadata, not the HEC token. A password in conjunction with login is not related to HEC, but to Splunk Web or REST API authentication.

The correct answer is B, C, and D, because they are all ways to reduce the results size in the results when the search/jobs REST endpoint is called to execute a search. The search/jobs REST endpoint is used to create, manage, and control search jobs in Splunk. The results size in the results refers to the amount of data returned by the search job, which can affect the performance and efficiency of the search. Removing unneeded fields, truncating the data using selective functions, and summarizing the data using analytic commands are all methods to reduce the results size by filtering, limiting, or aggregating the data. Using a generating search is not a way to reduce the results size, but a way to create a search job that does not use the index, but instead generates its own data3.

 The element in a successful Splunk REST call response contains metadata encapsulating the element. The metadata includes information such as the title, author, updated time, and links of the entry. The content element contains the fields and values of the entry, such as the name, description, and configuration. The other options are either incorrect or not part of the element. For more information, see Access Splunk data using feeds.

 The correct answer is A, C, and D because these are the application security best practices that should be adhered to while developing an app for Splunk. Option A is correct because reviewing the OWASP Top Ten List can help you identify and avoid the most common web application security risks. Option C is correct because reviewing the OWASP Secure Coding Practices Quick Reference Guide can help you learn and apply the best practices for secure coding. Option D is correct because ensuring that third-party libraries that the app depends on have no outstanding CVE vulnerabilities can help you prevent potential exploits and attacks. Option B is incorrect because storing passwords in clear text in .conf files is a bad practice that can compromise the security and privacy of your app and your data. You can find more information about the application security best practices in the Splunk Developer Guide.

 The correct answer is C and D, because trellis.name and trellis.value are the predefined drilldown tokens available specifically for trellis layouts. Trellis layouts are a way of displaying multiple charts in a grid, each with a different value of a split-by field. The trellis.name token returns the name of the split-by field, and the trellis.value token returns the value of the split-by field for the selected chart.