Which of the following is a best practice for identifying the most effective services with which to start an iterative ITSI deployment?
Correct Answer:
B
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA
A best practice for identifying the most effective services with which to start an iterative ITSI deployment is to analyze the business to determine the most critical services that have the most impact on revenue, customer satisfaction, or other key performance indicators. You can use the Service Analyzer to prioritize and monitor these services. References: Service Analyzer
After ITSI is initially deployed for the operations department at a large company, another department would like to use ITSI but wants to keep their information private from the operations group. How can this be achieved?
Correct Answer:
D
In Splunk IT Service Intelligence (ITSI), creating teams for each department and assigning services to those teams is an effective way to segregate data and ensure that information remains private between different groups within an organization. Teams in ITSI provide a mechanism for role-based access control, allowing administrators to define which users or groups have access to specific services, KPIs, and dashboards. By setting up teams corresponding to each department and then assigning services to these teams, ITSI canaccommodate multi-departmental use within the same instance while maintaining strict access controls. This ensures that each department can only view and interact with the data and services relevant to their operations, preserving confidentiality and data integrity across the organization.
Which ITSI components are required before a module can be created?
Correct Answer:
C
Before a module can be created in Splunk IT Service Intelligence (ITSI), it is essential to have one or more datamodels established. Datamodels in Splunk provide a structured format for organizing and interpreting data, which is crucial for modules within ITSI. Modules often rely on datamodels to extract, transform, and present data in a meaningful way, especially when dealing with complex datasets across various sources. Datamodels serve as the foundation for the module's ability to categorize and analyze data efficiently, enabling the creation of KPIs, services, and visualizations that are aligned with the specific needs of the module. Having these datamodels in place ensures that the module can function correctly and provide valuable insights into the monitored IT environments.
What should be considered when onboarding data into a Splunk index, assuming that ITSI will need to use this data?
Correct Answer:
B
Reference: https://newoutlook.it/download/book/splunk/advanced-splunk.pdf
When onboarding data into a Splunk index, assuming that ITSI will need to use this data, you should consider the following:
* B. Check if the data could leverage pre-built KPIs from modules, then use the correct TA to onboard the data. This is true because modules are pre-packaged sets of services, KPIs, and dashboards that are designed for specific types of data sources, such as operating systems, databases, web servers, and so on. Modules help you quickly set up and monitor your IT services using best practices and industry standards. To use modules, you need to install and configure the correct technical add-ons (TAs) that extract and normalize the data fields required by the modules.
The other options are not things you should consider because:
* A. Use | stats functions in custom fields to prepare the data for KPI calculations. This is not true because using | stats functions in custom fields can cause performance issues and inaccurate results when calculating KPIs. You should use | stats functions only in base searches or ad hoc searches, not in custom fields.
* C. Make sure that all fields conform to CIM, then use the corresponding module to import related services. This is not true because not all modules require CIM-compliant data sources. Some modules have their own data models and field extractions that are specific to their data sources. You should check the documentation of each module to see what data requirements and dependencies they have.
* D. Plan to build as many data models as possible for ITSI to leverage. This is not true because building too many data models can cause performance issues and resource consumption in your Splunk environment. You should only build data models that are necessary and relevant for your ITSI use cases.
References: Overview of modules in ITSI, [Install technical add-ons for ITSI modules]
Which of the following describes a realistic troubleshooting workflow in ITSI?
Correct Answer:
B
A realistic troubleshooting workflow in ITSI is:
✑ B. Service Analyzer –> Notable Event Review –> Deep Dive
This workflow involves using the Service Analyzer dashboard to monitor the health and performance of your services and KPIs, using the Notable Event Review dashboard to investigate and manage the notable events generated by ITSI, and using the Deep Dive dashboard to analyze the historical trends and anomalies of your KPIs and metrics.
The other workflows are not realistic because they involve components that are not part of the troubleshooting process, such as correlation search, aggregation policy, and KPI.These components are used to create and configure the alerts and episodes that ITSI generates, not to investigate and resolve them. References: [Service Analyzer dashboard in
ITSI], Overview of Episode Review in ITSI, [Overview of deep dives in ITSI]
