Splunk splk-3002 practice test

Splunk IT Service Intelligence Certified Admin

Last exam update: Dec 08 ,2025
Page 1 out of 6. Viewing questions 1-15 out of 90

Question 1

After a notable event has been closed, how long will the metadata for that event remain in the KV
Store by default?

  • A. 6 months.
  • B. 9 months.
  • C. 1 year.
  • D. 3 months.
Answer: A

Explanation:
By default, notable event metadata is archived after six months to keep the KV store from growing
too large.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/TrimNECollections


Question 2

Which of the following is a best practice for identifying the most effective services with which to start
an iterative ITSI deployment?

  • A. Only include KPIs if they will be used in multiple services.
  • B. Analyze the business to determine the most critical services.
  • C. Focus on low-level services.
  • D. Define a large number of key services early.
Answer: B

Explanation:
A best practice for identifying the most effective services with which to start an iterative ITSI
deployment is to analyze the business to determine the most critical services, that is, the ones with
the most impact on revenue, customer satisfaction, or other key business measures. Once those
services are defined, use the Service Analyzer to prioritize and monitor them.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA; Service Analyzer


Question 3

When creating a custom deep dive, what color are services/KPIs in maintenance mode within the
topology view?

  • A. Gray
  • B. Purple
  • C. Gear Icon
  • D. Blue
Answer: A

Explanation:
When creating a custom deep dive, services or KPIs that are in maintenance mode are shown in gray
in the topology view. This indicates that they are not actively monitored and do not generate
alerts or notable events.
Reference: Deep Dives


Question 4

Which deep dive swim lane type does not require writing SPL?

  • A. Event lane.
  • B. Automatic lane.
  • C. Metric lane.
  • D. KPI lane.
Answer: D

Explanation:
A KPI lane is a type of deep dive swim lane that does not require writing SPL. You can simply select a
service and a KPI from a drop-down list and ITSI will automatically populate the lane with the
corresponding data. You can also adjust the threshold settings and time range for the KPI lane.
Reference: [KPI Lanes]


Question 5

Which of the following items apply to anomaly detection? (Choose all that apply.)

  • A. Use AD on KPIs that have an unestablished baseline of data points. This allows the ML pattern to perform its magic.
  • B. A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis.
  • C. Anomaly detection automatically generates notable events when KPI data diverges from the pattern.
  • D. There are 3 types of anomaly detection supported in ITSI: adhoc, trending, and cohesive.
Answer: B, C

Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/AD
Anomaly detection is a feature of ITSI that uses machine learning to detect when KPI data deviates
from a normal pattern. The following items apply to anomaly detection:
B) A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for
cohesive analysis. This ensures that there is enough data to establish a baseline pattern and compare
different entities within a service.
C) Anomaly detection automatically generates notable events when KPI data diverges from the
pattern. You can configure the sensitivity and severity of the anomaly detection alerts and assign
them to episodes or teams. Reference: [Anomaly Detection]


Question 6

Which of the following is a best practice when configuring maintenance windows?

  • A. Disable any glass tables that reference a KPI that is part of an open maintenance window.
  • B. Develop a strategy for configuring a service’s notable event generation when the service’s maintenance window is open.
  • C. Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
  • D. Change the color of services and entities that are part of an open maintenance window in the service analyzer.
Answer: C

Explanation:
A maintenance window is a period of time when a service or entity is undergoing maintenance
operations or does not require active monitoring. It is a best practice to schedule maintenance
windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance
work. This gives the system an opportunity to catch up with the maintenance state and reduces the
chances of ITSI generating false positives during maintenance operations. For example, if a server
will be shut down for maintenance at 1:00PM and restarted at 5:00PM, the ideal maintenance
window is 12:30PM to 5:30PM. The 15- to 30-minute buffer is a rough estimate based on 15
minutes being the time period over which most KPIs are configured to search data and identify alert
triggers.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW (Overview of
maintenance windows in ITSI)

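The buffer rule from the explanation, as an added example that is not code from Splunk or the ITSI documentation. It pads a planned maintenance period by the recommended 15 to 30 minutes, builds a window object for the services involved, and shows why the trailing buffer matters: a KPI alert fired a few minutes after the work ends still summarises the 15-minute search span that overlapped the maintenance. The JSON body shape (title, start_time, end_time, objects) is an assumed simplification of an ITSI maintenance window record, not a verified schema, and the times are constructed sample values.

```python
"""Maintenance window helper: an added example, not code from Splunk or the ITSI
documentation. It applies the 15-30 minute buffer the answer recommends and shows
why the buffer matters for KPI alerts that summarise a trailing search window.
The body built by maintenance_payload() is an assumed simplification of an ITSI
maintenance window object, not a verified schema."""
from datetime import datetime, timedelta, timezone

BUFFER_MINUTES = 15       # low end of the recommended 15-30 minute buffer
KPI_SEARCH_MINUTES = 15   # the typical KPI search span cited on the page


def buffered_window(work_start, work_end, buffer_minutes=BUFFER_MINUTES):
    """Return (window_start, window_end) padded by buffer_minutes on each side."""
    if work_end <= work_start:
        raise ValueError("maintenance work must end after it starts")
    if not 15 <= buffer_minutes <= 30:
        raise ValueError("ITSI guidance is a 15-30 minute buffer")
    pad = timedelta(minutes=buffer_minutes)
    return work_start - pad, work_end + pad


def maintenance_payload(title, work_start, work_end, service_keys,
                        buffer_minutes=BUFFER_MINUTES):
    """Build an (assumed) JSON body describing the window.

    Times are emitted as epoch seconds; the object list names the services the
    window covers, which is how ITSI maintenance windows are scoped."""
    start, end = buffered_window(work_start, work_end, buffer_minutes)
    return {
        "title": title,
        "start_time": int(start.timestamp()),
        "end_time": int(end.timestamp()),
        "objects": [{"_key": key, "object_type": "service"} for key in service_keys],
    }


def alert_is_covered(alert_time, window, search_minutes=KPI_SEARCH_MINUTES):
    """True when the whole KPI search span ending at alert_time lies in the window.

    A KPI alert fired at T summarises data from T-search_minutes to T, so an
    alert fired just after the work ends still describes the maintenance period.
    The trailing buffer is what makes such an alert fall inside the window."""
    start, end = window
    return start <= alert_time - timedelta(minutes=search_minutes) and alert_time <= end


def demo():
    """Constructed scenario: work 13:00-17:00 UTC, KPI alert fired at 17:10."""
    work_start = datetime(2025, 1, 1, 13, 0, tzinfo=timezone.utc)
    work_end = datetime(2025, 1, 1, 17, 0, tzinfo=timezone.utc)
    alert = datetime(2025, 1, 1, 17, 10, tzinfo=timezone.utc)
    padded = buffered_window(work_start, work_end)
    payload = maintenance_payload("Patch web tier", work_start, work_end, ["svc_web_tier"])
    return {
        "window_minutes": (payload["end_time"] - payload["start_time"]) // 60,
        "covered_with_buffer": alert_is_covered(alert, padded),
        "covered_without_buffer": alert_is_covered(alert, (work_start, work_end)),
        "payload": payload,
    }


if __name__ == "__main__":
    print(demo())
```

With the buffer applied the four-hour job becomes a 270-minute window, and the 17:10 alert is covered; against the unpadded 13:00 to 17:00 window the same alert would have raised a false positive.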

Question 7

In Episode Review, what is the result of clicking an episode’s Acknowledge button?

  • A. Assign the current user as owner.
  • B. Change status from New to Acknowledged.
  • C. Change status from New to In Progress and assign the current user as owner.
  • D. Change status from New to Acknowledged and assign the current user as owner.
Answer: C

Explanation:
When an episode warrants investigation, the analyst acknowledges the episode, which moves the
status from New to In Progress and assigns the current user as the owner. ITSI's built-in episode
statuses (New, In Progress, Pending, Resolved, Closed) do not include an "Acknowledged" status, so
options B and D describe a transition that does not exist, and option A omits the status change.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/EpisodeOverview
An episode represents a disruption of service operation causing impact to business operations. It is a
deduplicated group of notable events occurring as part of a larger sequence, or an incident or period
considered in isolation. In Episode Review you manage episodes and their statuses using actions such
as Acknowledge, which signals that someone is working on the episode and prevents duplicate effort
by other users.
Reference: Overview of Episode Review in ITSI; Episode actions in Episode Review


Question 8

Which glass table feature can be used to toggle displaying KPI values from more than one service on
a single widget?

  • A. Service templates.
  • B. Service dependencies.
  • C. Ad-hoc search.
  • D. Service swapping.
Answer: D

Explanation:
A glass table is a visualization that lets you monitor the interrelationships and dependencies across
your IT and business services. You can add metrics like KPIs, ad hoc searches, and service health
scores that update in real time against a background that you design. One glass table feature is
service swapping, which toggles a widget between KPI values from more than one service, so you can
compare metrics across services without creating multiple glass tables or widgets.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/Visualizations#collapseDesktop8
(Overview of the glass table editor in ITSI; Configure service swapping on glass tables)


Question 9

Which of the following is a characteristic of base searches?

  • A. Search expression, entity splitting rules, and thresholds are configured at the base search level.
  • B. It is possible to filter to entities assigned to the service for calculating the metrics for the service’s KPIs.
  • C. The fewer KPIs that share a common base search, the more efficiency a base search provides, and anomaly detection is more efficient.
  • D. The base search will execute whether or not a KPI needs it.
Answer: B

Explanation:
A base search is a search definition that can be shared across multiple KPIs that use the same data
source. Base searches improve search performance and reduce search load by consolidating multiple
similar KPIs into one scheduled search, so the more KPIs that share a base search, the larger the
saving (option C has this backwards). One of their characteristics is that you can filter to the
entities assigned to the service when calculating the metrics for the service's KPIs: entity filtering
rules determine which entities are relevant for each KPI based on the base search results.
Thresholds are configured per KPI, not at the base search level, so option A is incorrect.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch (Create KPI base
searches in ITSI; Filter entities for KPIs based on base searches)


Question 10

What are valid ITSI Glass Table editor capabilities? (Choose all that apply.)

  • A. Creating glass tables.
  • B. Correlation search creation.
  • C. Service swapping configuration.
  • D. Adding KPI metric lanes to glass tables.
Answer: A, C, D

Explanation:
Create a glass table to visualize and monitor the interrelationships and dependencies across your IT
and business services. You can add metrics like KPIs, ad hoc searches, and service health scores that
update in real time against a background that you design; glass tables show real-time data generated
by KPIs and services. The glass table editor lets you create glass tables from scratch or from existing
templates, configure service swapping on widgets to toggle displaying metrics from different services
(the service swapping settings are saved and apply the next time you open the glass table), and add
KPI metric lanes to glass tables to show historical trends of KPI values.
The glass table editor does not create correlation searches; those are a separate ITSI feature that
looks for relationships between data points and generates notable events.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/GTOverview (Overview of the glass
table editor in ITSI; Configure service swapping on glass tables; Add KPI metric lanes to glass tables;
Overview of correlation searches in ITSI)


Question 11

Which of the following is the best use case for configuring a Multi-KPI Alert?

  • A. Comparing content between two notable events.
  • B. Using machine learning to evaluate when data falls outside of an expected pattern.
  • C. Comparing anomaly detection between two KPIs.
  • D. Raising an alert when one or more KPIs indicate an outage is occurring.
Answer: D

Explanation:
A multi-KPI alert is a type of correlation search based on defined trigger conditions for two or more
KPIs. When the trigger conditions occur simultaneously for each KPI, the search generates a notable
event. For example, you might create a multi-KPI alert based on two common KPIs, CPU load percent
and web requests: a sudden simultaneous spike in both might indicate a DDoS (Distributed Denial of
Service) attack. Multi-KPI alerts bring such trending behaviours to your attention early so that you
can act before performance degrades, and they are useful for correlating the status of multiple KPIs
across multiple services, identifying causal relationships and investigating root cause. The best use
case is therefore raising an alert when the KPIs together indicate an outage is occurring, for example
when multiple KPIs reach critical severity at the same time. Anomaly detection (options B and C) is a
separate feature, and comparing the content of two notable events (option A) is not what a
correlation search does.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA (Create multi-KPI alerts in ITSI)

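The "simultaneously for each KPI" rule from the explanation, as an added example that is not Splunk's correlation search code. It evaluates two KPI series bucket by bucket with one trigger condition per KPI and emits a notable event only for buckets where every condition holds, so a spike in CPU alone or in web requests alone produces nothing. The KPI values, bucket size, thresholds and event field names are constructed sample values.

```python
"""Multi-KPI alert evaluation: an added example, not Splunk's correlation search
code. It walks two KPI series bucket by bucket and raises a notable event only
for buckets where every KPI's trigger condition holds at the same time, which is
the behaviour the explanation above describes. The KPI series, bucket size,
thresholds and event fields are constructed sample values."""

BUCKET_SECONDS = 300  # constructed: 5-minute KPI buckets
T0 = 1735732800       # constructed epoch start of the first bucket

# Constructed KPI values per bucket. Only bucket 3 spikes on both KPIs;
# bucket 1 spikes on CPU only and bucket 5 on web requests only.
KPI_SERIES = {
    "cpu_load_percent": [35, 88, 40, 92, 45, 50],
    "web_requests":     [1500, 1700, 1600, 9000, 1400, 8000],
}

# Trigger conditions, one per KPI, in the style of "value > threshold".
TRIGGERS = {
    "cpu_load_percent": (">", 80),
    "web_requests":     (">", 5000),
}

_OPS = {
    ">":  lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<":  lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
}


def condition_holds(value, condition):
    """Apply one (operator, threshold) trigger condition to a KPI value."""
    op, threshold = condition
    return _OPS[op](value, threshold)


def evaluate_multi_kpi(series, triggers, title, severity="critical",
                       bucket_seconds=BUCKET_SECONDS, t0=T0):
    """Return one notable-event dict per bucket where all trigger conditions hold.

    Series may differ in length; only buckets present in every triggered series
    are evaluated, mirroring "simultaneously for each KPI"."""
    missing = set(triggers) - set(series)
    if missing:
        raise KeyError(f"trigger defined for KPI(s) with no series: {sorted(missing)}")
    buckets = min(len(series[k]) for k in triggers)
    events = []
    for i in range(buckets):
        values = {k: series[k][i] for k in triggers}
        if all(condition_holds(values[k], triggers[k]) for k in triggers):
            events.append({
                "_time": t0 + i * bucket_seconds,  # bucket start, as the event time
                "title": title,
                "severity": severity,
                "kpis": values,
            })
    return events


def demo():
    """Run the constructed scenario: both KPIs spike together in bucket 3 only."""
    return evaluate_multi_kpi(KPI_SERIES, TRIGGERS,
                              "CPU and web request spike (possible DDoS)")


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Dropping the web_requests trigger turns the same data into a single-KPI alert that fires twice (buckets 1 and 3), which is the noise the multi-KPI correlation is meant to remove.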

Question 12

In distributed search, which components need to be installed on instances other than the search
head?

  • A. SA-IndexCreation and SA-ITSI-Licensechecker on indexers.
  • B. SA-IndexCreation and SA-ITOA on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • C. SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • D. SA-ITSI-Licensechecker on indexers.
Answer: C

Explanation:
SA-IndexCreation is required on all indexers. For non-clustered, distributed environments, copy SA-
IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers. Install SA-ITSI-Licensechecker and
SA-UserAccess on the license master; if a search head is also the license master, those components
are installed along with ITSI on the search head.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD
SA-IndexCreation is the add-on that creates the indexes ITSI needs, such as itsi_summary and
itsi_tracked_alerts, so it belongs on the instances that store data. SA-ITSI-Licensechecker and
SA-UserAccess support ITSI license checking and user access control and belong on the license
master, not on the indexers, which is why option A is incorrect. The remaining components (the ITSI
app and SA-ITOA among them) are installed on the search head(s), which handle search management
and presentation.
Reference: Install IT Service Intelligence in a distributed environment


Question 13

When deploying ITSI on a distributed Splunk installation, which component must be installed on the
search head(s)?

  • A. SA-ITOA
  • B. ITSI app
  • C. All ITSI components
  • D. SA-ITSI-Licensechecker
Answer: B

Explanation:
Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search
head cluster environment. If a search head in your environment is also a license master, the license
master components are installed when you install ITSI on the search heads.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD
When deploying ITSI on a distributed Splunk installation, the component that must be installed on
the search head(s) is the ITSI app. The ITSI app contains the main features and functionality of ITSI,
such as service creation and management, KPI configuration, glass table creation and editing,
episode review, deep dives, and so on. The ITSI app also contains some add-ons that provide
additional functionality, such as SA-ITOA (IT Operations Analytics), SA-UserAccess (User Access
Management), and SA-Utils (Utility Functions). The ITSI app must be installed on the search head(s)
because it handles the search management and presentation functions for ITSI.
Reference: Install IT Service Intelligence in a distributed environment


Question 14

Which of the following describes entities? (Choose all that apply.)

  • A. Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or mac address.
  • B. An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
  • C. Multiple entities can share the same alias value, but must have different role values.
  • D. To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
Answer: B, D

Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter
Entities are IT components that require management to deliver an IT service. Each entity has specific
attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields
and informational fields that ITSI associates with indexed events. Some statements that describe
entities are:
B) An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or
filtering can be used to limit data to a specific service. An abstract entity is an entity that does not
represent a physical host or device, but rather a logical grouping of data sources. For example, you
can create an abstract entity for each business unit in your organization and use it to split by for a KPI
that measures revenue or customer satisfaction. However, you cannot use entity rules or filtering to
limit data to a specific service based on abstract entities, because they do not have alias fields that
match indexed events.
D) To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities
in Service”. This option allows you to filter the data sources for a KPI by the entities that are assigned
to the service. For example, if you have a service for web servers and you want to monitor the CPU
load percent for each web server entity, you can select this option to ensure that only the events
from those entities are used for the KPI calculation.
Reference: Overview of entity integrations in ITSI; Create KPI base searches in ITSI

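The entity filtering behaviour behind Question 9 (base searches) and statements B and D of Question 14, as an added example that is not ITSI's own search code. The rows are constructed sample output of one shared KPI base search, and the alias set stands in for the entities assigned to a service. An unfiltered KPI splits by whatever value the split-by field carries, including a pseudo-entity such as a business unit, while "Filter to Entities in Service" keeps only rows whose split-by value matches a real entity alias, so the pseudo-entity and the unrelated database host disappear from both the per-entity and the service-level result.

```python
"""KPI from a shared base search with entity split-by and "Filter to Entities in
Service": an added example, not ITSI's own search code. The rows stand in for
the output of one KPI base search (constructed), and the alias set stands in for
the entities assigned to a service. An unfiltered KPI splits by a pseudo-entity
value just fine, while the service filter keeps only rows whose split-by value
matches a real entity alias, so a pseudo-entity with no alias disappears."""

# Constructed base search output: one row per host for the current interval.
BASE_SEARCH_ROWS = [
    {"host": "web01", "cpu_load_percent": 40.0, "web_requests": 1200},
    {"host": "web02", "cpu_load_percent": 60.0, "web_requests": 800},
    {"host": "db01", "cpu_load_percent": 90.0, "web_requests": 0},
    {"host": "checkout-bu", "cpu_load_percent": 55.0, "web_requests": 300},  # pseudo-entity
]

# Constructed alias values of the entities assigned to a "Web Tier" service.
# web-edge01 is assigned but has no data this interval.
WEB_TIER_ALIASES = frozenset({"web01", "web02", "web-edge01"})

_AGGREGATES = {
    "avg": lambda vals: sum(vals) / len(vals),
    "max": max,
    "min": min,
    "sum": sum,
    "count": len,
}


def kpi_values(rows, metric, split_by="host", aggregate="avg",
               filter_to_service=False, entity_aliases=frozenset()):
    """Return (per_entity, service_level) for one KPI over base search rows.

    per_entity maps each split-by value to its aggregated metric; service_level
    aggregates every row that survived filtering, as the service-level KPI does.
    With filter_to_service=True, rows whose split-by value is not an alias of an
    entity in the service are dropped, which is the "Filter to Entities in
    Service" behaviour."""
    if aggregate not in _AGGREGATES:
        raise ValueError(f"unsupported aggregate {aggregate!r}")
    agg = _AGGREGATES[aggregate]
    grouped = {}
    for row in rows:
        key = row[split_by]
        if filter_to_service and key not in entity_aliases:
            continue  # not in this service, or a pseudo-entity with no alias to match
        grouped.setdefault(key, []).append(row[metric])
    per_entity = {key: agg(vals) for key, vals in grouped.items()}
    all_vals = [v for vals in grouped.values() for v in vals]
    service_level = agg(all_vals) if all_vals else None
    return per_entity, service_level


def demo():
    """Same base search rows, once unfiltered and once filtered to the service."""
    unfiltered = kpi_values(BASE_SEARCH_ROWS, "cpu_load_percent")
    filtered = kpi_values(BASE_SEARCH_ROWS, "cpu_load_percent",
                          filter_to_service=True, entity_aliases=WEB_TIER_ALIASES)
    return {"unfiltered": unfiltered, "filtered": filtered}


if __name__ == "__main__":
    print(demo())
```

The unfiltered service-level average (61.25) is pulled up by the database host that is not part of the web service; the filtered average (50.0) reflects only the service's own entities, which is the value the service health score should be built on.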

Question 15

Which of the following describes a realistic troubleshooting workflow in ITSI?

  • A. Correlation Search –> Deep Dive –> Notable Event
  • B. Service Analyzer –> Notable Event Review –> Deep Dive
  • C. Service Analyzer –> Aggregation Policy –> Deep Dive
  • D. Correlation search –> KPI –> Aggregation Policy
Answer: B

Explanation:
A realistic troubleshooting workflow in ITSI is Service Analyzer, then Notable Event Review (called
Episode Review in current ITSI versions), then Deep Dive: use the Service Analyzer to spot a service or
KPI whose health has degraded, use Episode Review to investigate and manage the notable events ITSI
generated for it, and use a deep dive to analyze the historical trends and anomalies of the affected
KPIs and metrics.
The other workflows are not realistic because correlation searches, aggregation policies and KPIs are
configuration objects that produce the alerts and episodes; they are not investigation steps.
Reference: Service Analyzer dashboard in ITSI; Overview of Episode Review in ITSI; Overview of deep
dives in ITSI
