SPLK-2001 Questions and Answers

 The correct answer is A, C, and D because these are the application security best practices that should be adhered to while developing an app for Splunk. Option A is correct because reviewing the OWASP Top Ten List can help you identify and avoid the most common web application security risks. Option C is correct because reviewing the OWASP Secure Coding Practices Quick Reference Guide can help you learn and apply the best practices for secure coding. Option D is correct because ensuring that third-party libraries that the app depends on have no outstanding CVE vulnerabilities can help you prevent potential exploits and attacks. Option B is incorrect because storing passwords in clear text in .conf files is a bad practice that can compromise the security and privacy of your app and your data. You can find more information about the application security best practices in the Splunk Developer Guide.

 The correct answer is A and B, because for a KV Store, a lookup stanza in the transforms.conf file must contain the collection and fields_list attributes. A lookup stanza is a configuration section in the transforms.conf file that defines the properties of a lookup, such as the lookup type, the lookup file or collection, the input and output fields, and the match type. A lookup is a feature that allows Splunk to enrich the events with additional data from an external source, such as a CSV file or a KV Store collection. For a KV Store lookup, the lookup stanza must have the collection attribute, which specifies the name of the KV Store collection to use, and the fields_list attribute, which specifies the fields to return from the KV Store collection2. The external_type and internal_type attributes are not required for a KV Store lookup, but for a scripted lookup, which is a type of lookup that uses an external script to perform the lookup operation.

A Splunk custom visualization is a visualization that uses the Splunk Custom Visualization API. This API lets you create your own visualizations using JavaScript, HTML, and CSS. You can also use third-party libraries or frameworks to create custom visualizations. The other options are not custom visualizations, but rather variations of the built-in visualizations in Splunk. For more information, see [Custom visualizations overview].

The correct answer is B, because the element will unset a token named my_token. The element is used to remove the value of a token based on a user interaction, such as a click or a change. The token attribute specifies the name of the token to be unset. The other options are incorrect because they will not unset a token named my_token. The myt​oken element is invalid, because the token name should not be enclosed in dollar signs. The false and disabled elements will not unset the token, but set its value to false or disabled, respectively.

 The correct answer is D, because ensuring components have no Common Vulnerabilities and Exposures (CVE) vulnerabilities is a security best practice for developing Splunk apps. CVE is a list of publicly disclosed information security vulnerabilities and exposures1. Splunk recommends using tools such as npm audit, retire.js, and snyk to scan your app components for CVE vulnerabilities2.

The correct answer is A because the /servicesNS/-/data/saved/searches/mySearch endpoint path can be used by someone with a power user role to access information about mySearch, a saved search owned by someone with a user role. The /servicesNS/-/data/saved/searches endpoint returns information about saved searches in a specific namespace. The - symbol in the URI means that the user and app context are inherited from the current session. Therefore, a power user can access the saved search information by using the - symbol, assuming the permissions are set appropriately. The other options are incorrect because they either use invalid endpoints or do not specify the user and app context correctly. You can find more information about the /servicesNS endpoint and the namespace in the Splunk REST API Reference Manual.

The token filter that encodes URL values is tokenn​ame∣u. This filter applies the URL encoding to the token value, which replaces special characters with percent-encoded characters. This is useful for passing token values as query parameters in a drilldown. The other token filters are either invalid or used for different purposes. For more information, see [Token filters].

The HTTP Event Collector (HEC) endpoint that should be used to collect data in the given format is services/collector/raw. This endpoint accepts raw data that is not formatted as JSON, such as plain text or XML. The data format is specified by the sourcetype parameter in the request. The other endpoints are either used for different purposes or do not exist. For more information, see Use the raw HEC endpoint.

The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.

The type of vulnerability in the Python code snippet is CWE-404: Improper Resource Shutdown or Release. This vulnerability occurs when a resource is not released or closed properly after use, which can lead to resource exhaustion or unexpected behavior. In this case, the open() and readline() commands could fail to close the file handle, which could prevent other processes from accessing the file or cause a memory leak. The other types of vulnerabilities are not relevant to this scenario. For more information, see CWE-404: Improper Resource Shutdown or Release.

 The correct answer is B, C, and D, because they are all valid parent elements for the event action shown below. The event action is a element, which is used to set the value of a token based on a user interaction, such as a click or a change. The element can be nested inside a , a , or a element, depending on the type and context of the event. The element is not a valid parent element for the element, but a sibling element that can be used to evaluate an expression and set the value of a token.

The correct answer is B, because the tstats command can be used to perform statistical queries on indexed fields in TSIDX files. TSIDX files are files that store the index data for Splunk, such as the events, timestamps, and fields. Indexed fields are fields that are extracted and stored in the TSIDX files at index time, which makes them faster to search than non-indexed fields. The tstats command is a search command that performs statistical calculations on indexed fields, such as count, sum, avg, and so on. The tstats command is faster than the stats command, which performs statistical calculations on any fields, because it does not need to retrieve the events from the index, but only the fields from the TSIDX files. The other options are not search commands that can be used to perform statistical queries on indexed fields in TSIDX files. The stats command performs statistical calculations on any fields, not just indexed fields. The tscollect command collects the results of a transforming search and writes them to a TSIDX file. The transaction command groups events into transactions based on common values.

 By using visualization drilldown, you can hide or show a panel by clicking on a chart or a table on the same form. Visualization drilldown lets you define a drilldown action that affects a different panel on the same dashboard. You can use the set or unset tokens to control the visibility of the target panel. For more information, see Visualization drilldown.

 The containers that are included in the Atom Feed response when using the Splunk REST API are , , and . The feed container represents the entire response, the entry container represents each individual result, and the content container represents the fields and values of each result. The namespace container is not included in the Atom Feed response, but rather in the XML namespace declaration. For more information, see Access Splunk data using feeds.

The log file that contains logs that are most relevant to Splunk Web is web_service.log. This log file records information about the web server that runs Splunk Web, such as requests, responses, errors, and performance. The other log files contain logs that are related to other aspects of Splunk, such as audit.log for security events, metrics.log for performance metrics, and splunkd.log for Splunk daemon activity. For more information, see [About Splunk log files].

The correct answer is A, because data can be added to a KV Store collection only in JSON format. KV Store is a feature that allows Splunk to store and manage data in collections of key-value pairs. A KV Store collection is a logical grouping of key-value pairs that can be accessed and manipulated by Splunk apps. Data can be added to a KV Store collection either by using the Splunk Web interface, the Splunk REST API, or the Splunk SDKs. In all cases, the data must be formatted as JSON objects, which are collections of name-value pairs enclosed in curly braces1. The other formats, such as XML, CSV, and TXT, are not supported by KV Store.