Splunk Enterprise Certified Admin — Question 27
Which statements are true regarding HEC (HTTP Event Collector) tokens? (Select all that apply.)
Answer options
- A. Multiple tokens can be created for use with different sourcetypes and indexes.
- B. The edit_token_http admin role capability is required to create a token.
- C. To create a token, send a POST request to the services/collector endpoint.
- D. Tokens can be edited using the data/inputs/http/{tokenName} endpoint.
Correct answer: A, C
Explanation
Option A is correct because multiple tokens can indeed be created for various sourcetypes and indexes. Option C is also correct as the creation of a token involves sending a POST request to the specified endpoint. Options B and D are incorrect; while the edit_token_http admin role capability is relevant, it is not necessary for creating a token, and the editing process does not utilize the specified endpoint.