When must a service define entity rules?
Correct Answer:
A
Provide a value to filter the service to a specific set of entities. These entity rule values are meant to be custom for each service.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/EntityRules
A is the correct answer because a service must define entity rules if the intention is for the KPIs in the service to filter to only entities assigned to the service. Entity rules are filters that match entities to services based on entity aliases or entity metadata. If you enable the Filter to Entities in Service option for a KPI, you need to define entity rules for the service to ensure that the KPI search results only include the relevant entities for the service. Otherwise, the KPI search results might include entities that are not part of the service or exclude entities that are part of the service. References: [Define entities for a service in ITSI], [Configure KPI settings in ITSI]
Which of the following is a recommended best practice for service and glass table design?
Correct Answer:
A
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/GTOverview
A is the correct answer because it is recommended to plan and implement services first, then build detailed glass tables that reflect the service hierarchy and dependencies. This way, you can ensure that your glass tables provide accurate and meaningful service-level insights. Building glass tables first might lead to unnecessary or irrelevant KPIs that do not align with your service goals. References: Splunk IT Service Intelligence Service Design Best Practices
There are two Smart Mode configuration settings that control how fields affect grouping. Which of these is correct?
Correct Answer:
C
In the context of Smart Mode configuration within Splunk IT Service Intelligence (ITSI), the two settings that control how fields affect grouping are "Text similarity" and "Category similarity." Smart Mode is a feature used in event grouping that leverages machine learning to automatically group related events. "Text similarity" refers to how closely the textual content of event fields must match for those events to be grouped together, taking into account commonalities in strings or narratives within the event data. "Category similarity," on the other hand, relates to the similarity in the categorical attributes of events, such as event types or source types, which helps in clustering events that are similar in nature or origin. Both of these settings are crucial in determining how events are grouped in ITSI, influencing the granularity and relevance of the event groupings based on textual and categorical similarities.
Which step is required to install ITSI on a single Search Head?
Correct Answer:
C
To install Splunk IT Service Intelligence (ITSI) on a single Search Head, one straightforward method is to use the "Manage Apps" dashboard in the Splunk Web interface to download and install ITSI. This method is user-friendly and does not require manual file handling or command-line operations. From "Manage Apps", users can find ITSI in the app repository or upload the ITSI installation package if it has been downloaded previously, and the installation is then initiated through Splunk Web. This approach follows Splunk's standard app installation procedures, which helps to avoid common installation errors and ensures that ITSI is correctly integrated into the Splunk environment.
In maintenance mode, which features of KPIs still function?
Correct Answer:
A
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work. This gives the system an opportunity to catch up with the maintenance state and reduces the chances of ITSI generating false positives during maintenance operations.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW
A is the correct answer because KPI searches still run during maintenance mode, but the results are buffered until the maintenance window is over. This means that no alerts are triggered during maintenance mode, but once it ends, the buffered results are processed and alerts are generated if necessary. You cannot create new KPIs or modify existing KPIs during maintenance mode. References: [Overview of maintenance windows in ITSI]