Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free Splunk Certified Developer Practice Questions

Pass your Splunk Certified Developer (SPLK-2001) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which exec_mode is appropriate when the client wants the events streamed back without storing a job on the search head?

A
B
C
D
to track
Same family resources

Explore More Splunk Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Splunk Certified Administrator

Practice Questions

Splunk Certified Data Analyst

Practice Questions

Splunk Core Certified Power User

Practice Questions

Splunk Core Certified User

Practice Questions

Splunk Certified Cybersecurity Defense Analyst (SPLK-5001)

Practice Questions

Splunk Certified Cybersecurity Defense Architect (SPLK-5003)

Practice Questions
2026 Statistics

Key Facts: Splunk Certified Developer Exam

70

Questions

Splunk SPLK-2001 blueprint

57 min

Exam Time

Pearson VUE listing

~700/1000

Pass Mark

Community guidance

$130

Exam Fee

Splunk / Pearson VUE

7 days

Retake Wait

Splunk certification policy

3 years

Cert Valid

Splunk certification policy

SPLK-2001 contains roughly 70 multiple-choice questions in a 57-minute window with a Pass/Fail result reported by Splunk and community pass guidance near 700/1000. The exam targets app developers who build Splunk dashboards, REST API integrations, custom search commands, modular alerts, and KV Store-backed apps. Splunk Core Certified Power User (SPLK-1002) is the standard prerequisite track entry and the certification is valid for 3 years.

Sample Splunk Certified Developer Practice Questions

Try these sample questions to test your Splunk Certified Developer exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1In a simple XML form, which element wraps the input controls a user can change to filter searches?
A.<panel>
B.<fieldset>
C.<row>
D.<dashboard>
Explanation: Simple XML forms wrap their inputs in a <fieldset> element. Inputs such as <input type="text"> or <input type="dropdown"> are placed inside <fieldset> so the form renders them as a control bar above the panels. <panel> contains visualizations, <row> arranges panels horizontally, and <dashboard> is the root.
2A developer wants the value selected from a dropdown input named time_range to be available to a search in another panel. Which token reference reads that value?
A.$time_range$
B.$$time_range$$
C.%time_range%
D.${time_range}
Explanation: Splunk simple XML resolves form input values through tokens written as $tokenName$. So an input with token="time_range" is referenced inside a <query> as $time_range$. The other syntaxes are not valid Splunk token references.
3Which simple XML input type is best for letting a user pick a single option from a finite list populated by a search?
A.<input type="text">
B.<input type="dropdown"> with a populating <search>
C.<input type="checkbox">
D.<input type="link">
Explanation: A dropdown input with a populating <search> dynamically lists choices returned by SPL. Text inputs are free-form, checkboxes only return on/off, and link inputs are static buttons. The dropdown also supports a default value via <default> for predictable form behavior.
4A form input must default to "All hosts" but submit an empty filter when chosen. Which combination of <default>, <choice>, and <change> elements achieves this?
A.Use <default>*</default> with <choice value="*">All hosts</choice> so the populating search receives a wildcard
B.Use <default>all</default> with <choice value="">All hosts</choice> and a <change> handler that sets the token to *
C.Use <default>All hosts</default> only; Splunk auto-converts the literal label to a wildcard
D.Use <change><eval token="host">if(value="*","all",value)</eval></change>
Explanation: The standard approach is to bind the choice value "*" to the displayed label "All hosts" and set <default>*</default>. The token resolves to * which matches every host in SPL, giving the same result as no filter. Inserting empty values requires extra <change> logic and is more brittle.
5A form contains a time picker, a host dropdown, and a panel that should run only after the user submits the form. Which configuration is required?
A.Set <fieldset submitButton="true"> and reference the inputs inside the panel's <search>
B.Set autoRun="false" on the <dashboard> root and add <set> elements in <init>
C.Wrap the panel's <search> in <delay>true</delay>
D.Set refresh="manual" on each input
Explanation: Adding submitButton="true" to the <fieldset> shows a Submit button and prevents panel searches from running until tokens are committed. Inputs without a submit button update tokens immediately. The dashboard-level autoRun and refresh attributes apply to refresh timing, not input commit behavior.
6Which technique most reliably reduces the time a dashboard takes to render its panels?
A.Use a base search with post-process searches in each panel
B.Set the panel <chart> height to 100 pixels
C.Use earliest=-30d for every panel
D.Disable the dashboard sidebar
Explanation: A base search runs once and returns results to multiple panels via post-process searches, eliminating duplicate runs against the indexers. Reducing panel height does not change search cost, very wide time ranges hurt performance, and disabling the sidebar is purely cosmetic.
7Which limit applies to a base search that feeds post-process searches in a simple XML dashboard?
A.The base search returns at most 500 events to the post-process layer
B.The base search must use stats, timechart, or chart and is limited to about 500,000 events that pass through to the post-process
C.Only one post-process search can attach to a base search
D.The base search must include a tstats command
Explanation: Post-process searches in simple XML rely on a transforming base search (such as stats, chart, or timechart) and Splunk caps the number of result rows passed to post-process at roughly 500,000 (configurable via post_process_max_results in limits.conf). Multiple post-process searches can attach to a single base search.
8When should a developer accelerate a data model used by a dashboard?
A.When several panels need fast, repeated stats over the same data set across long time ranges
B.When the dashboard has only ad-hoc text inputs
C.When the underlying data is below 1 GB total
D.When panels rely on rex and eval at search time
Explanation: Data model acceleration builds tsidx summaries that make pivot-style stats searches very fast over long time ranges. It pays off when many panels reuse the same constrained dataset. Tiny datasets, ad-hoc free text, and rex-heavy raw event searches gain little from acceleration.
9Which command should be preferred when a panel only needs aggregate counts from an accelerated data model?
A.stats over the raw search
B.tstats against the accelerated summary
C.transaction with maxspan
D.join with subsearch
Explanation: tstats reads directly from accelerated tsidx summaries and is dramatically faster than stats on raw events for aggregate counts. transaction and join are expensive and should be avoided when an aggregate query suffices.
10Why does <search ref="..." /> referencing a saved search often perform better than inlining the SPL into a panel?
A.Saved searches use a faster search pipeline than ad-hoc searches
B.Saved searches can be scheduled and have their results cached so the panel reads cached results instead of re-running
C.Saved searches automatically use tstats
D.Saved searches are always accelerated
Explanation: Referencing a saved (report) search lets the dashboard read the most recent cached results instead of running the SPL on every load, especially when the report is scheduled. Saved searches are not automatically accelerated nor do they use a different pipeline; the gain is from result caching.

About the Splunk Certified Developer Exam

The Splunk Certified Developer (SPLK-2001) exam validates the skills needed to design and build Splunk apps using simple XML, the Splunk Web Framework, the Splunk REST API, and the Splunk SDK. It covers forms and drilldowns, dashboard performance and customization, app layout and packaging on Splunkbase, KV Store integration, modular inputs and alerts, custom search commands, and writing data to Splunk via HEC and the receivers REST endpoint.

Assessment

70 multiple-choice questions

Time Limit

57 minutes

Passing Score

Pass/Fail (community guidance places the cut score near 700/1000)

Exam Fee

$130 USD (Splunk / Pearson VUE)

Splunk Certified Developer Exam Content Outline

5%

Use Forms

Simple XML <fieldset> with dropdown, time, text inputs; tokens like $time_range$; default values, choice mapping, and submit-button form behavior.

5%

Improve Performance

Base searches with post-process, accelerated data models read via tstats, and saved-search references plus result caching to cut dashboard render time.

5%

Customize Dashboards

Add custom CSS and JavaScript via the dashboard stylesheet and script attributes, override chart colors, and convert simple XML to Splunk Web Framework HTML.

5%

Use Event Handlers

Use <init>, <change>, <set>, <unset>, and <eval> to react to input changes; gate panels with depends and rejects; and seed initial tokens.

5%

Add Drilldowns

Configure chart and table drilldowns with $click.value$ and $row.<field>$ tokens, link to the Search app, set tokens for cross-panel updates, and disable drilldowns where needed.

5%

Add Advanced Visualizations and Behaviors

Sparklines via stats, range maps on single-value, trellis layout, and custom visualization apps that ship visualization.js and visualization.css under appserver/static/visualizations.

10%

Planning App Development

Standard app layout (default, local, metadata, bin, appserver), app.conf [package]/[launcher]/[ui] stanzas, default.meta vs local.meta permissions, naming on Splunkbase, and app dependencies.

5%

Creating Apps

Use splunk create app, register dashboards under default/data/ui/views/, declare nav in default/data/ui/nav/default.xml, and ship saved searches and workflow actions.

5%

Adding Data

Build modular inputs declared in inputs.conf with bin/ scripts, route stderr to splunkd.log, and ingest via HEC /services/collector/event with optional indexer acknowledgement.

5%

Creating a KV Store

Define collections in collections.conf, expose them as lookups via transforms.conf external_type=kvstore, enforce typed fields, and write data with outputlookup.

5%

Packaging Apps

Run splunk package app, pass AppInspect, ship platform-specific binaries under bin/<platform>/, ship README/LICENSE/manifest, and earn Cloud Compatible certification on Splunkbase.

5%

Introduction to the Splunk REST API

Auth via /services/auth/login session keys or Bearer tokens, the management port 8089, common HTTP status codes (200/401/404/409), and Splunk-specific URI conventions.

10%

Namespaces and Object Management

/servicesNS/<owner>/<app>/<endpoint> URLs, sharing user/app/global, the - wildcard, the /acl sub-resource, perms.read/perms.write, and capabilities like admin_all_objects and schedule_search.

5%

Parsing REST Output

Atom <feed>/<entry> with Splunk's <s:dict>/<s:key>, switching to output_mode=json, CSV from /services/search/jobs/<sid>/results, and entry-array shape in JSON responses.

10%

Searching

Dispatch search jobs via /services/search/jobs with exec_mode normal, blocking, or oneshot; use /export for streaming; control with pause/finalize/cancel; and drive jobs through the Splunk SDK with splunklib.client.Service.

10%

Writing Data to Splunk

Author custom search commands (commands.conf, chunked v2 protocol, splunklib.searchcommands base classes), build modular alert actions (alert_actions.conf, payload_format=json), and write events with collect, /services/receivers/simple, or HEC.

How to Pass the Splunk Certified Developer Exam

What You Need to Know

  • Passing score: Pass/Fail (community guidance places the cut score near 700/1000)
  • Assessment: 70 multiple-choice questions
  • Time limit: 57 minutes
  • Exam fee: $130 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Splunk Certified Developer Study Tips from Top Performers

1Build at least one Splunk app from scratch and submit it to AppInspect locally so the packaging questions feel routine.
2Memorize the Splunk REST URL grammar: /servicesNS/<owner>/<app>/<endpoint>, the - wildcard, output_mode=json, and the /acl sub-resource.
3Practice exec_mode=normal, blocking, and oneshot in the Splunk SDK Service.jobs API and learn when to poll vs read inline.
4Define a KV Store collection (collections.conf), expose it as a lookup (transforms.conf external_type=kvstore), and write to it with outputlookup append=true.
5Author one streaming custom search command using splunklib.searchcommands.StreamingCommand and register it in commands.conf with chunked = true.
6Walk every option for <drilldown>, <change>, <init>, depends, rejects, $click.value$, and $row.<field>$ tokens until they are second nature.

Frequently Asked Questions

How many questions are on the Splunk Certified Developer exam?

Splunk's published blueprint and Pearson VUE listings show approximately 70 multiple-choice questions delivered in a 57-minute window.

What is the passing score for SPLK-2001?

Splunk reports a pass or fail outcome on the score report and does not publish an exact cut score, but community and Pearson VUE guidance place the practical pass mark near 700 out of 1000 on the scaled score.

Do I need a prerequisite to take SPLK-2001?

Yes. Splunk's certification track requires the Splunk Core Certified Power User exam (SPLK-1002) as the path entry before attempting SPLK-2001 Splunk Certified Developer. Hands-on app development experience is also strongly recommended.

What is the retake policy for SPLK-2001?

Splunk requires a 7-day wait between attempts on the same exam version, and each retake requires a new voucher purchase or scheduling fee.

How long is the SPLK-2001 certification valid?

Splunk certifications under the current policy are valid for 3 years from the date the exam is passed, after which a recertification path applies. Confirm current renewal rules in the Splunk certification handbook before planning.

Which Splunk products and APIs does SPLK-2001 emphasize most?

The blueprint heavily weights the Splunk REST API namespace and object management (10%), Searching (10%), Writing Data to Splunk (10%), and Planning App Development (10%). Forms, drilldowns, dashboards, and KV Store each carry roughly 5% weight.