After a notable event has been closed, how long will the meta data for that event remain in the KV Store by default?
A. 6 months.
B. 9 months.
C. 1 year.
D. 3 months.
A. 6 months.
Which of the following is a best practice for identifying the most effective services with which to start an iterative ITSI deployment?
A. Only include KPIs if they will be used in multiple services.
B. Analyse the business to determine the most critical services.
C. Focus on low-level services.
D. Define a large number of key services early.
B. Analyse the business to determine the most critical services.
When creating a custom deep dive, what colour are services/KPIs in maintenance mode within the topology view?
A. Gray
B. Purple
C. Gear Icon
D. Blue
A. Gray
Which deep dive swim lane type does not require writing SPL?
A. Event lane.
B. Automatic lane.
C. Metric lane.
D. KPI lane.
D. KPI lane.
Which of the following items apply to anomaly detection? (Choose all that apply.)
A. Use AD on KPIs that have an unestablished baseline of data points. This allows the ML pattern to perform its magic.
B. A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis.
C. Anomaly detection automatically generates notable events when KPI data diverges from the pattern.
D. There are 3 types of anomaly detection supported in ITSI: adhoc, trending, and cohesive.
B. A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis.
C. Anomaly detection automatically generates notable events when KPI data diverges from the pattern.
Which of the following is a best practice when configuring maintenance windows?
A. Disable any glass tables that reference a KPI that is part of an open maintenance window.
B. Develop a strategy for configuring a service's notable event generation when the service's maintenance window is open.
C. Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
D. Change the color of services and entities that are part of an open maintenance window in the service analyzer.
C. Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
In Episode Review, what is the result of clicking an episode's Acknowledge button?
A. Assign the current user as owner.
B. Change status from New to Acknowledged.
C. Change status from New to In Progress and assign the current user as owner.
D. Change status from New to Acknowledged and assign the current user as owner.
C. Change status from New to In Progress and assign the current user as owner.
Which glass table feature can be used to toggle displaying KPI values from more than one service on a single widget?
A. Service templates.
B. Service dependencies.
C. Ad-hoc search.
D. Service swapping.
D. Service swapping.
Which of the following is a characteristic of base searches?
A. Search expression, entity splitting rules, and thresholds are configured at the base search level.
B. It is possible to filter to entities assigned to the service for calculating the metrics for the service's KPIs.
C. The fewer KPIs that share a common base search, the more efficiency a base search provides, and anomaly detection is more efficient.
D. The base search will execute whether or not a KPI needs it.
B. It is possible to filter to entities assigned to the service for calculating the metrics for the service's KPIs.
What are valid ITSI Glass Table editor capabilities? (Choose all that apply.)
A. Creating glass tables.
B. Correlation search creation.
C. Service swapping configuration.
D. Adding KPI metric lanes to glass tables.
A. Creating glass tables.
C. Service swapping configuration.
D. Adding KPI metric lanes to glass tables.
Which of the following is the best use case for configuring a Multi-KPI Alert?
A. Comparing content between two notable events.
B. Using machine learning to evaluate when data falls outside of an expected pattern.
C. Comparing anomaly detection between two KPIs.
D. Raising an alert when one or more KPIs indicate an outage is occurring.
D. Raising an alert when one or more KPIs indicate an outage is occurring.
In distributed search, which components need to be installed on instances other than the search head?
A. SA-IndexCreation and SA-ITSI-Licensechecker on indexers.
B. SA-IndexCreation and SA-ITOA on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
C. SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
D. SA-ITSI-Licensechecker on indexers.
C. SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
When deploying ITSI on a distributed Splunk installation, which component must be installed on the search head(s)?
A. SA-ITOA
B. ITSI app
C. All ITSI components
D. SA-ITSI-Licensechecker
C. All ITSI components
Which of the following describes entities? (Choose all that apply.)
A. Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or MAC address.
B. An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
C. Multiple entities can share the same alias value, but must have different role values.
D. To automatically restrict the KPI to only the entities in a particular service, select "Filter to Entities" in Service.
D. To automatically restrict the KPI to only the entities in a particular service, select "Filter to Entities" in Service.
Which of the following describes a realistic troubleshooting workflow in ITSI?
A. Correlation Search > Deep Dive > Notable Event
B. Service Analyzer > Notable Event Review > Deep Dive
C. Service Analyzer > Aggregation Policy > Deep Dive
D. Correlation search > KPI > Aggregation Policy
B. Service Analyzer > Notable Event Review > Deep Dive
Which of the following accurately describes base searches used for KPIs in a service?
A. Base searches can be used for multiple services.
B. A base search can only be used by its service and all dependent services.
C. All the metrics in a base search are used by one service.
D. All the KPIs in a service use the same base search.
A. Base searches can be used for multiple services.
Which scenario would benefit most by implementing ITSI?
A. Monitoring of business services functionality.
B. Monitoring of system hardware.
C. Monitoring of system process statuses.
D. Monitoring of retail sales metrics.
A. Monitoring of business services functionality.
ITSI Saved Search Scheduling is configured to use realtime_schedule = 0. Which statement is accurate about this configuration?
A. If this value is set to 0, the scheduler bases its determination of the next scheduled search execution time on the current time.
B. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time.
C. If this value is set to 0, the scheduler may skip scheduled execution periods.
D. If this value is set to 0, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.
B. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time.
What effects does the KPI importance weight of 11 have on the overall health score of a service?
A. At least 10% of the KPIs will go critical.
B. Importance weight is unused for health scoring.
C. The service will go critical.
D. It is a minimum health indicator KPI.
D. It is a minimum health indicator KPI.
Which of the following is an advantage of using adaptive time thresholds?
A. Automatically update thresholds daily to manage dynamic changes to KPI values.
B. Automatically adjust KPI calculation to manage dynamic event data.
C. Automatically adjust aggregation policy grouping to manage escalating severity.
D. Automatically adjust correlation search thresholds to adjust sensitivity over time.
A. Automatically update thresholds daily to manage dynamic changes to KPI values.
Which of the following applies when configuring time policies for KPI thresholds?
A. A person can only configure 24 policies, one for each hour of the day.
B. They are great if you expect normal behavior at 1:00 to be different than normal behavior at 5:00.
C. If a person expects a KPI to change significantly through a cycle on a daily basis, don't use it.
D. It is possible for multiple time policies to overlap.
B. They are great if you expect normal behavior at 1:00 to be different than normal behavior at 5:00.
What is the main purpose of the service analyzer?
A. Display a list of All Services and Entities.
B. Trigger external alerts based on threshold violations.
C. Allow Analysts to add comments to Alerts.
D. Monitor overall Service and KPI status.
D. Monitor overall Service and KPI status.
What is the default importance value for dependent services' health scores?
A. 11
B. 1
C. Unassigned
D. 10
A. 11
What should be considered when onboarding data into a Splunk index, assuming that ITSI will need to use this data?
A. Use | stats functions in custom fields to prepare the data for KPI calculations.
B. Check if the data could leverage pre-built KPIs from modules, then use the correct TA to onboard the data.
C. Make sure that all fields conform to CIM, then use the corresponding module to import related services.
D. Plan to build as many data models as possible for ITSI to leverage.
B. Check if the data could leverage pre-built KPIs from modules, then use the correct TA to onboard the data.
When changing a service template, which of the following will be added to linked services by default?
A. Thresholds.
B. Entity Rules.
C. New KPIs.
D. Health score.
C. New KPIs.
Which of the following items describe ITSI Deep Dive capabilities? (Choose all that apply.)
A. Comparing a service's notable events over a time period.
B. Visualizing one or more Service KPIs values by time.
C. Examining and comparing alert levels for KPIs in a service over time.
D. Comparing swim lane values for a slice of time.
B. Visualizing one or more Service KPIs values by time.
C. Examining and comparing alert levels for KPIs in a service over time.
D. Comparing swim lane values for a slice of time.
What is an episode?
A. A workflow task.
B. A deep dive.
C. A notable event group.
D. A notable event.
C. A notable event group.
Which index will contain useful error messages when troubleshooting ITSI issues?
A. _introspection
B. _internal
C. itsi_summary
D. itsi_notable_audit
B. _internal
Which of the following is a recommended best practice for service and glass table design?
A. Plan and implement services first, then build detailed glass tables.
B. Always use the standard icons for glass table widgets to improve portability.
C. Start with base searches, then services, and then glass tables.
D. Design glass tables first to discover which KPIs are important.
D. Design glass tables first to discover which KPIs are important.
Which of the following are deployment recommendations for ITSI? (Choose all that apply.)
A. Deployments often require an increase of hardware resources above base Splunk requirements.
B. Deployments require a dedicated ITSI search head.
C. Deployments may increase the number of required indexers based on the number of KPI searches.
D. Deployments should use fastest possible disk arrays for indexers.
A. Deployments often require an increase of hardware resources above base Splunk requirements.
B. Deployments require a dedicated ITSI search head.
C. Deployments may increase the number of required indexers based on the number of KPI searches.
D. Deployments should use fastest possible disk arrays for indexers.
What are valid considerations when designing an ITSI Service? (Choose all that apply.)
A. Service access control requirements for ITSI Team Access should be considered, and appropriate teams provisioned prior to creating the ITSI Service.
B. Entities, entity meta-data, and entity rules should be planned carefully to support the service design and configuration.
C. Services, entities, and saved searches are stored in the ITSI app, while events created by KPI execution are stored in the itsi_summary index.
D. Backfill of a KPI should always be selected so historical data points can be used immediately and alerts based on that data can occur.
A. Service access control requirements for ITSI Team Access should be considered, and appropriate teams provisioned prior to creating the ITSI Service.
C. Services, entities, and saved searches are stored in the ITSI app, while events created by KPI execution are stored in the itsi_summary index.
Anomaly detection can be enabled on which one of the following?
A. KPI
B. Multi-KPI alert
C. Entity
D. Service
A. KPI
Which index is used to store KPI values?
A. itsi_summary_metrics
B. itsi_metrics
C. itsi_service_health
D. itsi_summary
A. itsi_summary_metrics
Where are KPI search results stored?
A. The default index.
B. KV Store.
C. Output to a CSV lookup.
D. The itsi_summary index.
D. The itsi_summary index.
Which ITSI functions generate notable events? (Choose all that apply.)
A. KPI threshold breaches.
B. KPI anomaly detection.
C. Multi-KPI alert.
D. Correlation search.
B. KPI anomaly detection.
C. Multi-KPI alert.
D. Correlation search.
Which of the following describes a way to delete multiple duplicate entities in ITSI?
A. Via a CSV upload.
B. Via the entity lister page.
C. Via a search using the | deleteentity command.
D. All of the above.
A. Via a CSV upload.
Which capabilities are enabled through teams?
A. Teams allow searches against the itsi_summary index.
B. Teams restrict notable event alert actions.
C. Teams restrict searches against the itsi_notable_audit index.
D. Teams allow restrictions to service content in UI views.
D. Teams allow restrictions to service content in UI views.
Besides creating notable events, what are the default alert actions a correlation search can execute? (Choose all that apply.)
A. Ping a host.
B. Send email.
C. Include in RSS feed.
D. Run a script.
B. Send email.
C. Include in RSS feed.
D. Run a script.
Within a correlation search, dynamic field values can be specified with what syntax?
A. fieldname
B. <fieldname /fieldname>
C. %fieldname%
D. eval(fieldname)
C. %fieldname%
In maintenance mode, which features of KPIs still function?
A. KPI searches will execute but will be buffered until the maintenance window is over.
B. KPI searches still run during maintenance mode, but results go to itsi_maintenance_summary index.
C. New KPIs can be created, but existing KPIs are locked.
D. KPI calculations and threshold settings can be modified.
A. KPI searches will execute but will be buffered until the maintenance window is over.
Which index contains ITSI Episodes?
A. itsi_tracked_alerts
B. itsi_grouped_alerts
C. itsi_notable_archive
D. itsi_summary
B. itsi_grouped_alerts
Which of the following best describes a default deep dive?
A. It initially shows the health scores for all services.
B. It initially shows the highest importance KPIs.
C. It initially shows all of the KPIs for a selected service.
D. It initially shows all the entity swim lanes.
C. It initially shows all of the KPIs for a selected service.
Which of the following describes enabling smart mode for an aggregation policy?
A. Configure > Policies > Smart Mode > Enable, select fields, click Save
B. Enable grouping in Notable Event Review, select Smart Mode, select fields, and click Save
C. Edit the aggregation policy, enable smart mode, select fields to analyze, click Save.
D. Edit the notable event view, enable smart mode, select fields, and click Save
A. Configure > Policies > Smart Mode > Enable, select fields, click Save
Which of the following are the default ports that must be configured on Splunk to use ITSI?
A. SplunkWeb (8405), SplunkD (8519), and HTTP Collector (8628)
B. SplunkWeb (8089), SplunkD (8088), and HTTP Collector (8000)
C. SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088)
D. SplunkWeb (8088), SplunkD (8089), and HTTP Collector (8000)
C. SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088)
Which of the following is a good use case regarding defining entities for a service?
A. Automatically associate entities to services using multiple entity aliases.
B. All of the entities have the same identifying field name.
C. Being able to split a CPU usage KPI by host name.
D. KPI total values are aggregated from multiple different category values in the source events.
A. Automatically associate entities to services using multiple entity aliases.
For which ITSI function is it a best practice to use a 15-30 minute time buffer?
A. Correlation searches.
B. Adaptive thresholding.
C. Maintenance windows.
D. Anomaly detection.
C. Maintenance windows.
How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for each entity?
A. Select Yes for both Split by Entity and Filter to Entities in Service.
B. Select No for Split by Entity and Yes for Filter to Entities in Service.
C. Select Yes for Split by Entity and No for Filter to Entities in Service.
D. Select No for both Split by Entity and Filter to Entities in Service.
A. Select Yes for both Split by Entity and Filter to Entities in Service.
Which of the following items describe ITSI Backup and Restore functionality? (Choose all that apply.)
A. A pre-configured default ITSI backup job is provided that can be modified, but not deleted.
B. ITSI backup is inclusive of KV Store, ITSI Configurations, and index dependencies.
C. kvstore_to_json.py can be used in scripts or command line to backup ITSI for full or partial backups.
D. ITSI backups are stored as a collection of JSON formatted files.
A. A pre-configured default ITSI backup job is provided that can be modified, but not deleted.
D. ITSI backups are stored as a collection of JSON formatted files.
When installing ITSI to support a Distributed Search Architecture, which of the following items apply? (Choose all that apply.)
A. Copy SA-IndexCreation to all indexers.
B. Copy SA-IndexCreation to the etc/apps directory on the index cluster master node.
C. Extract installer package into etc/apps directory of the cluster deployer node.
D. Extract ITSI app package into etc/apps directory of search head.
A. Copy SA-IndexCreation to all indexers.
D. Extract ITSI app package into etc/apps directory of search head.
When in maintenance mode, which of the following is accurate?
A. Once the window is over, KPIs and notable events will begin to be generated again.
B. KPIs are shown in blue while in maintenance mode.
C. Maintenance mode slots are scheduled on a per hour basis.
D. Service health scores and KPI events are deleted until the window is over.
A. Once the window is over, KPIs and notable events will begin to be generated again.
Which of the following is a valid type of Multi-KPI Alert?
A. Score over composite.
B. Value over time.
C. Status over time.
D. Rise over run.
C. Status over time.
When must a service define entity rules?
A. If the intention is for the KPIs in the service to filter to only entities assigned to the service.
B. To enable entity cohesion anomaly detection.
C. If some or all of the KPIs in the service will be split by entity.
D. If the intention is for the KPIs in the service to have different aggregate vs. entity KPI values.
A. If the intention is for the KPIs in the service to filter to only entities assigned to the service.