Deck 4: Splunk Enterprise Certified Architect

A) /storage/collections
B) /storage/kvstore/create
C) /storage/collections/config
D) /storage/kvstore/collections

A) The namespace is a type of token filter.
B) The namespace includes an app attribute which cannot be a wildcard.
C) The namespace filters the knowledge objects returned by the REST API.
D) The namespace does not filter knowledge objects returned by the REST API.

A) Nobody
B) Users in the admin role.
C) Users in the admin and power roles.
D) Users in the admin, power, and splunk-system-user roles.

A) Generating
B) Transforming
C) Centralized streaming
D) Distributable streaming

A) Author
B) Title
C) Link
D) Id

A) No need to do anything, it is turned on by default.
B) When a REST request is sent to create a token, the property for indexer acknowledgement must be set to 1.
C) When a new HEC token is created in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".
D) When the Global Settings for HEC are updated in Splunk Web, select the checkbox labeled "Enable indexer acknowledgement".

A) Search
B) Set token
C) Form input
D) Visualization

A) $SPLUNK_HOME/etc/apps/myApp/local
B) $SPLUNK_HOME/etc/system/default/
C) $SPLUNK_HOME/etc/system/local
D) $SPLUNK_HOME/etc/apps/myApp/default

A) Access Activity > Jobs with Splunk Web. Access Activity > Jobs with Splunk Web.
B) Use Splunk REST to query the /services/search/jobs endpoint. Use Splunk REST to query the /services/search/jobs endpoint.
C) Use Splunk REST to query the /services/saved/searches endpoint. /services/saved/searches
D) Use Splunk REST to query the /services/search/sid/results endpoint. /services/search/sid/results

A) /servicesNS/-/data/saved/searches/mySearch
B) /servicesNS/object/saved/searches/mySearch
C) /servicesNS/search/saved/searches/mySearch
D) /servicesNS/-/search/saved/searches/mySearch

A) export = app
B) export = none
C) export = view
D) export = system

A) Search
B) Reports
C) Datasets
D) Dashboards

A) Cannot use event sampling.
B) Use a transforming command.
C) Use a standard Splunk visualization.
D) Commands before the first transforming command must be streamable.

A) Multiple tokens can be created for use with different sourcetypes and indexes.
B) The edit token http admin role capability is required to create a token. The edit token http admin role capability is required to create a token.
C) To create a token, send a POST request to services/collector endpoint. To create a token, send a POST request to services/collector endpoint.
D) Tokens can be edited using the data/inputs/http/{tokenName} endpoint. Tokens can be edited using the data/inputs/http/{tokenName}

A) earliest=01/01/2019:00:00:00
B) earliest=01/01/2019T00:00:00
C) earliest=2019-01-01 00:00:00
D) earliest=2019-01-01T00:00:00

A) Stores checkpoint data for modular inputs.
B) Tracks workflow in an incident-review system.
C) Indexes metrics data from remote HTTP sources.
D) Stores application state as a user interacts with an app.

A) By using vent drilldown.
B) By using workflow action.
C) By using contextual drilldown.
D) By using visualization drilldown.

A) | tstats count
B) sourcetype=mysourcetype
C) stats sum(count) AS count by log level
D) search log_level=error | stats sum(count) AS count by component

A) A visualization with custom colors.
B) Any visualization available in Splunk.
C) A visualization in Splunk modified by the user.
D) A visualization that uses the Splunk Custom Visualization API.

A) /services/auth/login
B) /services/session/login
C) /services/auth/session/login
D) /servicesNS/authentication/login

A) _audit
B) _internal
C) _thefishbucket
D) _blocksignature

A) Be url-encoded.
B) Specify the datatype.
C) Include the bucket path.
D) Include the name argument. Include the name argument.

A) Enable XSS.
B) Eliminate all escape characters.
C) Ensure the app passes App Certification.
D) Ensure components have no Common Vulnerabilities and Exposures (CVE) vulnerabilities.

A)
B) true
C) false
D) false

A)
B)
C)
D)

A) A dictionary of elements. A dictionary of elements.
B) Metadata encapsulating the element. Metadata encapsulating the element.
C) A response code indicating success or failure.
D) An individual element in an collection. An individual element in an collection.

A) $APP_HOME/default/app.conf
B) $APP_HOME/local/default.meta
C) $APP_HOME/metadata/local.meta
D) $SPLUNK_HOME/etc/system/local/server.conf

A) trellis.Xaxis
B) trellis.Yaxis
C) trellis.name
D) trellis.value

A) Use a generating search.
B) Remove unneeded fields.
C) Truncate the data, using selective functions.
D) Summarize data, using analytic commands.

A) _key
B) _time
C) _user
D) _source

A) $token_name|s$
B) "$token_name$"
C) ($token_name$)
D) \"$token_name$\"

A) By configuring a WMI input.
B) By using HTTP event collector.
C) By using a Windows heavy forwarder.
D) By using a Windows universal forwarder.

A) Visualization event handler
B) Form input event handler
C) Condition event handler
D) Search event handler

A) _raw
B) name
C) sourcetype
D) instantaneous_kbps

A) stats
B) tstats
C) tscollect
D) transaction

A) Clean the KV store, deleting all content.
B) Produce the syntax error "Key value missing" . Produce the syntax error "Key value missing" .
C) Cause all records in a collection to be deleted.
D) Mean that the _key value must be passed as an argument. Mean that the value must be passed as an argument.

A)
B)
C)     
D)

A) A modular input written in Python.
B) A file input monitoring a JSON file.
C) A custom search command written in Python.
D) An HTTP Event Collector as receiver of data from an app.

A) Store passwords in clear text in .conf files. Store passwords in clear text in .conf files.
B) Implement security in software development lifecycle.
C) Manually test application with the controls listed in the OWASP Security Testing Guide.
D) Use a dynamic scanner such as OWASP ZAP to scan web application components for vulnerabilities.

A) $my_token$
B)
C) false
D) disabled

A) JSON
B) JSON, XML
C) JSON, XML, CSV
D) JSON, XML, CSV, TXT