Pass the Splunk Enterprise Certified Architect SPLK-2001 Questions and answers with ExamsMirror

 The correct answer is A because using Splunk Web to modify config settings for a shared object, a revised config file with those changes is placed in the $SPLUNK_HOME/etc/apps/myApp/local directory. The local directory is where Splunk stores the configuration files that are modified by the user, either through Splunk Web or by editing the files directly. The local directory has the highest priority in the configuration layering scheme, which means it overrides the settings in the default directory. The other options are incorrect because they either use the wrong directory or the wrong priority. You can find more information about the configuration files and the configuration layering scheme in the Splunk Developer Guide.

 The correct answer is A and B because these are the ways to get a list of search jobs. Option A is correct because you can access the Activity > Jobs page in Splunk Web to see the list of search jobs that you have run or that are shared with you. Option B is correct because you can use Splunk REST to query the /services/search/jobs endpoint to get a list of search jobs. Option C is incorrect because the /services/saved/searches endpoint returns a list of saved searches, not search jobs. Option D is incorrect because the /services/search/sid/results endpoint returns the results of a specific search job, not a list of search jobs. You can find more information about search jobs and their endpoints in the Splunk REST API Reference Manual.

 The correct answer is B, C, and D because these are the ways to enable indexer acknowledgement for HTTP Event Collector (HEC). Indexer acknowledgement is a feature that ensures that the data sent to HEC is successfully indexed by Splunk before deleting it from the sender. Option B is correct because you can use a REST request to create a token with the indexer_ack property set to 1. Option C is correct because you can select the checkbox labeled “Enable indexer acknowledgment” when creating a new HEC token in Splunk Web. Option D is correct because you can select the checkbox labeled “Enable indexer acknowledgment” when updating the Global Settings for HEC in Splunk Web. Option A is incorrect because indexer acknowledgment is not turned on by default. You can find more information about indexer acknowledgment for HEC in the Splunk Developer Guide.

 The correct answer is B because when calling the serviceNS endpoint, you must specify the user and app context in the URI. The serviceNS endpoint is a REST endpoint that allows you to access the Splunk service for a specific namespace. The namespace is a combination of the user and the app context, which determine the scope and visibility of the knowledge objects in Splunk. The serviceNS endpoint requires you to specify the user and app context in the URI, such as /servicesNS/{user}/{app}. Option A is incorrect because you do not need to authenticate with an admin user, but rather with the user of the required context. Option C is incorrect because you do not need to authenticate with the user of the required context, but rather with any valid user. Option D is incorrect because you do not need to pass the user and app context in the request payload, but rather in the URI. You can find more information about the serviceNS endpoint and the namespace in the Splunk REST API Reference Manual.

The correct answer is A and D, because configuring a WMI input and using a Windows universal forwarder are the ways to collect event logs from a remote Windows machine using a standard Splunk installation and no customization. WMI input is a type of input that collects Windows Management Instrumentation (WMI) data from remote Windows machines. Windows universal forwarder is a lightweight version of Splunk that can forward data from Windows machines to Splunk indexers.

 The reserved field names in a KV Store are _key and _user. The _key field is a unique identifier for each record in a KV Store collection, and the _user field is the owner of the record. The other fields are not reserved, and can be used as custom fields in a KV Store collection. For more information, see KV Store field names.

 The correct answer is A, B, and C, because they are all ways to monitor app performance. App performance refers to how well an app performs its intended functions, such as data ingestion, search, visualization, and alerting. Monitoring app performance helps to identify and troubleshoot issues, optimize performance, and improve user experience. Using Splunk logs, using the search job inspector, and using the Monitoring Console are all methods to monitor app performance by collecting and analyzing various metrics and data related to the app. Using the storage/collections/config REST endpoint is not a way to monitor app performance, but a way to configure the KV Store collections for an app.

The correct answer is D, because defining an alternative search or target view to use is a customization option for the Open in Search panel link button. The Open in Search panel link button is a feature that allows the user to open the search results of a panel in a new search page. The alternative search or target view option allows the user to specify a different search string or a different view name to use when opening the search page4. The other options are not customization options for the Open in Search panel link button, but for the panel itself. Displaying the refresh time, showing the Export Results button, and showing link buttons at the bottom of a panel are all attributes that can be configured for a panel.

When the same search is required from a REST API call, all the fields will be given, including _raw, name, sourcetype, and instantaneous_kbps. This is because the default output mode for the REST API is XML, which returns all the fields and values for each event. To limit the fields returned, you can use the output_mode parameter with a value of json_cols, json_rows, or csv. For more information, see Access Splunk data using feeds.

The correct answer is A, because tokenn​ame∣s ensures that quotation marks surround the value referenced by the token. The |s modifier is used to escape special characters in the token value, such as quotation marks, commas, and colons. This is useful when the token value is used in a search string or a drilldown action1. The other options are incorrect because they either do not escape the special characters or add extra quotation marks.