Splunk splk-3002 practice test

Splunk IT Service Intelligence Certified Admin Exam

Last exam update: May 15 ,2024
Page 1 out of 4. Viewing questions 1-15 out of 53

Question 1

When in maintenance mode, which of the following is accurate?

  • A. Once the window is over, KPIs and notable events will begin to be generated again.
  • B. KPIs are shown in blue while in maintenance mode.
  • C. Maintenance mode slots are scheduled on a per hour basis.
  • D. Service health scores and KPI events are deleted until the window is over.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/REBestPractice

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

When must a service define entity rules?

  • A. If the intention is for the KPIs in the service to filter to only entities assigned to the service.
  • B. To enable entity cohesion anomaly detection.
  • C. If some or all of the KPIs in the service will be split by entity.
  • D. If the intention is for the KPIs in the service to have different aggregate vs. entity KPI values.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Provide a value to filter the service to a specific set of entities. These entity rule values are meant to
be custom for each service.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/EntityRules

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Which of the following is a valid type of Multi-KPI Alert?

  • A. Score over composite.
  • B. Value over time.
  • C. Status over time.
  • D. Rise over run.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

When installing ITSI to support a Distributed Search Architecture, which of the following items apply?
(Choose all that apply.)

  • A. Copy SA-IndexCreation to all indexers.
  • B. Copy SA-IndexCreation to the etc/apps directory on the index cluster master node.
  • C. Extract installer package into etc/apps directory of the cluster deployer node.
  • D. Extract ITSI app package into etc/apps directory of search head.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
CopySA-IndexCreationto$SPLUNK_HOME/etc/apps/on all individual indexers in your environment.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallSHC

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Which of the following items describe ITSI Backup and Restore functionality? (Choose all that apply.)

  • A. A pre-configured default ITSI backup job is provided that can be modified, but not deleted.
  • B. ITSI backup is inclusive of KV Store, ITSI Configurations, and index dependencies.
  • C. kvstore_to_json.py can be used in scripts or command line to backup ITSI for full or partial backups.
  • D. ITSI backups are stored as a collection of JSON formatted files.
Mark Question:
Answer:

C, D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
ITSI provides akvstore_to_json.pyscript that lets you backup/restore ITSI configuration data,
perform bulk service KPI operations, apply time zone offsets for ITSI objects, and regenerate KPI
search schedules.
When you run a backup job, ITSI saves your data to a set of JSON files compressed into a single ZIP
file.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/kvstorejson
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/BackupandRestoreITSIconfig

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for
each entity?

  • A. Select “Yes” for both “Split by Entity” and “Filter to Entities in Service”.
  • B. Select “No” for “Split by Entity” and “Yes” for “Filter to Entities in Service”.
  • C. Select “Yes” for “Split by Entity” and “No” for “Filter to Entities in Service”.
  • D. Select “No” for both “Split by Entity” and “Filter to Entities in Service”.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

There are two departments using ITSI. Finance and Sales. Analysts in each department should not be
allowed to see each others services. What are the role configuration steps required to accomplish
this?

  • A. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_analyst.
  • B. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_team_analyst; itoa_sales_analyst, inherited from itoa_team_analyst.
  • C. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_team_analyst.
  • D. itoa_finance_admin, inherited from itoa_team_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_analyst.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

For which ITSI function is it a best practice to use a 15-30 minute time buffer?

  • A. Correlation searches.
  • B. Adaptive thresholding.
  • C. Maintenance windows
  • D. Anomaly detection.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and
after you start and stop your maintenance work. This gives the system an opportunity to catch up
with the maintenance state and reduces the chances of ITSI generating false positives during
maintenance operations.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which of the following is a good use case regarding defining entities for a service?

  • A. Automatically associate entities to services using multiple entity aliases.
  • B. All of the entities have the same identifying field name.
  • C. Being able to split a CPU usage KPI by host name.
  • D. KPI total values are aggregated from multiple different category values in the source events.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Define entities before creating services. When you configure a service, you can specify entity
matching rules based on entity aliases that automatically add the entities to your service.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Entity/About

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following are the default ports that must be configured on Splunk to use ITSI?

  • A. SplunkWeb (8405), SplunkD (8519), and HTTP Collector (8628)
  • B. SplunkWeb (8089), SplunkD (8088), and HTTP Collector (8000)
  • C. SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088)
  • D. SplunkWeb (8088), SplunkD (8089), and HTTP Collector (8000)
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://splunk.github.io/docker-splunk/ARCHITECTURE.html

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following describes enabling smart mode for an aggregation policy?

  • A. Configure –> Policies –> Smart Mode –> Enable, select “fields”, click “Save”
  • B. Enable grouping in Notable Event Review, select “Smart Mode”, select “fields”, and click “Save”
  • C. Edit the aggregation policy, enable smart mode, select fields to analyze, click “Save”
  • D. Edit the notable event view, enable smart mode, select “fields”, and click “Save”
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
1. From the ITSI main menu, clickConfiguration>Notable Event Aggregation Policies.
2. Select a custom policy or the Default Policy.
3. Under Smart Mode grouping, enableSmart Mode.
4. ClickSelect fields. A dialog displays the fields found in your notable events from the last 24 hours.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/SmartMode

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the following best describes a default deep dive?

  • A. It initially shows the health scores for all services.
  • B. It initially shows the highest importance KPIs.
  • C. It initially shows all of the KPIs for a selected service.
  • D. It initially shows all the entity swim lanes.
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/DeepDives

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Which index contains ITSI Episodes?

  • A. itsi_tracked_alerts
  • B. itsi_grouped_alerts
  • C. itsi_notable_archive
  • D. itsi_summary
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/IndexOverview

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

In maintenance mode, which features of KPIs still function?

  • A. KPI searches will execute but will be buffered until the maintenance window is over.
  • B. KPI searches still run during maintenance mode, but results go to itsi_maintenance_summary index.
  • C. New KPIs can be created, but existing KPIs are locked.
  • D. KPI calculations and threshold settings can be modified.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and
after you start and stop your maintenance work. This gives the system an opportunity to catch up
with the maintenance state and reduces the chances of ITSI generating false positives during
maintenance operations.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Within a correlation search, dynamic field values can be specified with what syntax?

  • A. fieldname
  • B. <fieldname /fieldname>
  • C. %fieldname%
  • D. eval(fieldname)
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Searchindexes

Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2