SPLK-2001 Splunk Certified Developer Exam Free Practice Exam Questions (2025 Updated)

The correct answer is A, B, and D because these are the examples of a Splunk KV store use case. A Splunk KV store is a service that allows you to store and manage custom data in Splunk, using key-value pairs. A Splunk KV store can be used for various purposes, such as storing checkpoint data, tracking workflow, and storing application state. Option A is correct because a Splunk KV store can store checkpoint data for modular inputs, which are custom data inputs that use external scripts or binaries to collect and send data to Splunk. Checkpoint data is used to keep track of the data collection progress and resume from the last point in case of interruption. Option B is correct because a Splunk KV store can track workflow in an incident-review system, which is a system that allows you to review and manage the incidents that occur in your environment. Workflow data is used to store the status, priority, and assignee of each incident. Option D is correct because a Splunk KV store can store application state as a user interacts with an app, which is a custom interface that allows you to access and analyze the data in Splunk. Application state data is used to store the user preferences, settings, and selections for the app. Option C is incorrect because a Splunk KV store cannot index metrics data from remote HTTP sources, which are sources that send numerical data to Splunk via HTTP or HTTPS. Metrics data is not stored in the Splunk KV store, but rather in the metrics index, which is a special type of index that optimizes the storage and retrieval of metrics data. You can find more information about the Splunk KV store and its use cases in the Splunk Developer Guide.

 The containers that are included in the Atom Feed response when using the Splunk REST API are , , and . The feed container represents the entire response, the entry container represents each individual result, and the content container represents the fields and values of each result. The namespace container is not included in the Atom Feed response, but rather in the XML namespace declaration. For more information, see Access Splunk data using feeds.

The correct answer is C and D, because they are both statements that describe an HEC token. An HEC token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token is a GUID (globally unique identifier), which is a 32-character hexadecimal string that is randomly generated. An HEC token can be created in Splunk Web or using REST endpoints, depending on the preference of the user. An HEC token does not map to a Splunk user, but to a specific index or set of indexes where the data will be stored. An HEC token cannot be used to download data, but only to send data to Splunk.

The correct answer is D, because defining an alternative search or target view to use is a customization option for the Open in Search panel link button. The Open in Search panel link button is a feature that allows the user to open the search results of a panel in a new search page. The alternative search or target view option allows the user to specify a different search string or a different view name to use when opening the search page4. The other options are not customization options for the Open in Search panel link button, but for the panel itself. Displaying the refresh time, showing the Export Results button, and showing link buttons at the bottom of a panel are all attributes that can be configured for a panel.

The valid format for a Splunk REST URI is scheme://host:port/services/endpoint. This format specifies the scheme (http or https), the host (the Splunk server name or IP address), the port (the Splunk management port, usually 8089), the services prefix (which indicates a Splunk REST endpoint), and the endpoint (the specific resource or action to access). The other formats are either incomplete or invalid. For more information, see About the Splunk REST API.

The correct answer is A, because tokenn​ame∣s ensures that quotation marks surround the value referenced by the token. The |s modifier is used to escape special characters in the token value, such as quotation marks, commas, and colons. This is useful when the token value is used in a search string or a drilldown action1. The other options are incorrect because they either do not escape the special characters or add extra quotation marks.

The correct answer is A and B, because _audit and _internal are the indexes that contain log files related to Splunk REST calls. The _audit index stores information about user activities, such as login attempts, searches, and saved reports. The _internal index stores information about Splunk components, such as splunkd, metrics, and REST calls.

The correct answer is A, C, and D because these are the valid values for the sharing property of the Access Control List (ACL) when updating a knowledge object via REST. The sharing property determines the scope of the knowledge object and who can access it. The value of the User is not valid for the sharing property. You can find more information about the ACL and its properties in the Splunk REST API Reference Manual.

When added to an app’s default.meta file, export = system makes one of its views available to other apps. This means that the view is visible and searchable by all users. The other options are invalid because export = app means that the view is visible and searchable only within the app, export = none means that the view is not visible or searchable by any user, and export = view is not a valid value for the export attribute. For more information, see About configuration file structure and inheritance.

The correct answer is B, because an HTTP header field is an intended use of HTTP Event Collector tokens. An HTTP Event Collector token is a unique identifier that is used to authenticate and authorize data sent to Splunk via the HTTP Event Collector (HEC). An HEC token can be specified in the Authorization header field of the HTTP request, using the format Authorization: Splunk  2. The other options are incorrect because they are not valid ways to use an HEC token. A cookie is a small piece of data stored by the web browser, not by Splunk. A JSON field in the HTTP request is used to specify the event data or metadata, not the HEC token. A password in conjunction with login is not related to HEC, but to Splunk Web or REST API authentication.

The correct answer is A, B, and D because these are the statements that are true regarding HEC (HTTP Event Collector) tokens. HEC tokens are unique identifiers that are used to authenticate and authorize the data sent to HEC, which is a service that allows you to send data to Splunk via HTTP or HTTPS. Option A is correct because multiple tokens can be created for use with different sourcetypes and indexes, which are the attributes that define the data type and the location of the data in Splunk. Option B is correct because the edit token http admin role capability is required to create a token, which is a permission that allows the user to manage the HEC tokens. Option D is correct because tokens can be edited using the data/inputs/http/{tokenName} endpoint, which is a REST endpoint that allows you to update the properties of a specific HEC token. Option C is incorrect because to create a token, you need to send a POST request to the data/inputs/http endpoint, not the services/collector endpoint. The services/collector endpoint is used to send data to HEC, not to create tokens. You can find more information about HEC tokens and their endpoints in the Splunk Developer Guide.

The Simple XML elements that configure panel link buttons are and true. The title element specifies the text that appears on the link button, and the option element enables the link button to be visible. The other elements are either irrelevant or used for different options. For more information, see Drilldown to a URL.

The HTTP Event Collector (HEC) endpoint that should be used to collect data in the given format is services/collector/raw. This endpoint accepts raw data that is not formatted as JSON, such as plain text or XML. The data format is specified by the sourcetype parameter in the request. The other endpoints are either used for different purposes or do not exist. For more information, see Use the raw HEC endpoint.

 The correct answer is A because using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in the $SPLUNK_HOME/etc/apps/myApp/local directory. The local directory is where Splunk stores the configuration files that are modified by the user, either through Splunk Web or by editing the files directly. The local directory has the highest priority in the configuration layering scheme, which means it overrides the settings in the default directory. The other options are incorrect because they either use the wrong directory or the wrong priority. You can find more information about the configuration files and the configuration layering scheme in the Splunk Developer Guide.

The correct answer is A, B, and D because these are the criteria that the search must meet in order to successfully accelerate a report. A report is a saved search that runs on a schedule and returns results in a table or a chart. A report can be accelerated to improve its performance and reduce the load on the Splunk indexers. Option A is correct because the search cannot use event sampling, which is a technique that reduces the number of events returned by the search. Event sampling can affect the accuracy and consistency of the report results. Option B is correct because the search must use a transforming command, which is a command that converts the results into a data table with rows and columns. Transforming commands are required for report acceleration, as they enable the creation of summary data. Option D is correct because the commands before the first transforming command must be streamable, which means they can process each event as it is returned by the search. Streamable commands are preferred for report acceleration, as they reduce the memory usage and improve the performance of the search. Option C is incorrect because the search does not need to use a standard Splunk visualization, which is a type of chart or graph that displays the results. The search can use any visualization that is compatible with the report acceleration. You can find more information about report acceleration and the criteria for the search in the Splunk Developer Guide.

The log file that contains logs that are most relevant to Splunk Web is web_service.log. This log file records information about the web server that runs Splunk Web, such as requests, responses, errors, and performance. The other log files contain logs that are related to other aspects of Splunk, such as audit.log for security events, metrics.log for performance metrics, and splunkd.log for Splunk daemon activity. For more information, see [About Splunk log files].

The correct answer is B and C because these are the statements that describe one-shot searches. A one-shot search is a type of search that runs once and returns all the results at once. Option B is correct because a one-shot search can specify csv as an output format, which returns the results as comma-separated values. Option C is correct because a one-shot search streams all the results upon search completion, which means it does not return any partial results while the search is running. Option A is incorrect because a one-shot search can be executed either synchronously or asynchronously, depending on the method used. Option D is incorrect because a one-shot search cannot use auto_cancel to set a timeout limit, as this parameter is only applicable for normal searches. You can find more information about one-shot searches in the Splunk REST API Reference Manual.

The correct answer is A and D, because configuring a WMI input and using a Windows universal forwarder are the ways to collect event logs from a remote Windows machine using a standard Splunk installation and no customization. WMI input is a type of input that collects Windows Management Instrumentation (WMI) data from remote Windows machines. Windows universal forwarder is a lightweight version of Splunk that can forward data from Windows machines to Splunk indexers.

The correct answer is A, because data can be added to a KV Store collection only in JSON format. KV Store is a feature that allows Splunk to store and manage data in collections of key-value pairs. A KV Store collection is a logical grouping of key-value pairs that can be accessed and manipulated by Splunk apps. Data can be added to a KV Store collection either by using the Splunk Web interface, the Splunk REST API, or the Splunk SDKs. In all cases, the data must be formatted as JSON objects, which are collections of name-value pairs enclosed in curly braces1. The other formats, such as XML, CSV, and TXT, are not supported by KV Store.