Splunk splk-3002 practice test

Splunk IT Service Intelligence Certified Admin Exam

Last exam update: Dec 15 ,2024
Page 1 out of 3. Viewing questions 1-15 out of 53

Question 1

Which of the following describes enabling smart mode for an aggregation policy?

  • A. Configure –> Policies –> Smart Mode –> Enable, select “fields”, click “Save”
  • B. Enable grouping in Notable Event Review, select “Smart Mode”, select “fields”, and click “Save”
  • C. Edit the aggregation policy, enable smart mode, select fields to analyze, click “Save”
  • D. Edit the notable event view, enable smart mode, select “fields”, and click “Save”
Answer:

A


Explanation:
1. From the ITSI main menu, clickConfiguration>Notable Event Aggregation Policies.
2. Select a custom policy or the Default Policy.
3. Under Smart Mode grouping, enableSmart Mode.
4. ClickSelect fields. A dialog displays the fields found in your notable events from the last 24 hours.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/SmartMode

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following best describes a default deep dive?

  • A. It initially shows the health scores for all services.
  • B. It initially shows the highest importance KPIs.
  • C. It initially shows all of the KPIs for a selected service.
  • D. It initially shows all the entity swim lanes.
Answer:

D


Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/DeepDives

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Which index contains ITSI Episodes?

  • A. itsi_tracked_alerts
  • B. itsi_grouped_alerts
  • C. itsi_notable_archive
  • D. itsi_summary
Answer:

C


Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/IndexOverview

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

In maintenance mode, which features of KPIs still function?

  • A. KPI searches will execute but will be buffered until the maintenance window is over.
  • B. KPI searches still run during maintenance mode, but results go to itsi_maintenance_summary index.
  • C. New KPIs can be created, but existing KPIs are locked.
  • D. KPI calculations and threshold settings can be modified.
Answer:

A


Explanation:
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and
after you start and stop your maintenance work. This gives the system an opportunity to catch up
with the maintenance state and reduces the chances of ITSI generating false positives during
maintenance operations.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Within a correlation search, dynamic field values can be specified with what syntax?

  • A. fieldname
  • B. <fieldname /fieldname>
  • C. %fieldname%
  • D. eval(fieldname)
Answer:

A


Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Searchindexes

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Besides creating notable events, what are the default alert actions a correlation search can execute?
(Choose all that apply.)

  • A. Ping a host.
  • B. Send email.
  • C. Include in RSS feed.
  • D. Run a script.
Answer:

B, C, D


Explanation:
Throttling applies to any correlation search alert type, including notable events and actions (RSS
feed, email, run script, and ticketing).
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/ConfigCS

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

Which capabilities are enabled through “teams”?

  • A. Teams allow searches against the itsi_summary index.
  • B. Teams restrict notable event alert actions.
  • C. Teams restrict searches against the itsi_notable_audit index.
  • D. Teams allow restrictions to service content in UI views.
Answer:

A


Explanation:
Teams provide presentation-layer security only and not data-level security. It's still possible for a user
with access to the Splunk search bar to look up ITSI summary index data.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/ServicePerms

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which of the following describes a way to delete multiple duplicate entities in ITSI?

  • A. Via c CSV upload.
  • B. Via the entity lister page.
  • C. Via a search using the | deleteentity command.
  • D. All of the above.
Answer:

A


Explanation:
Import entities from CSV files that contain one or more entity definitions. Importing entities from
CSV files is an efficient way to define multiple entities.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Entity/ImportCSV

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which ITSI functions generate notable events? (Choose all that apply.)

  • A. KPI threshold breaches.
  • B. KPI anomaly detection.
  • C. Multi-KPI alert.
  • D. Correlation search.
Answer:

A, B, D


Explanation:
After you configure KPI thresholds, you can set up alerts to notify you when aggregate KPI severities
change. ITSI generates notable events in Episode Review based on the alerting rules you configure.
Anomaly detection generates notable events when a KPI IT Service Intelligence (ITSI) deviates from
an expected pattern.
Notable events are typically generated by a correlation search.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIthresholds
https://docs.splunk.com/Documentation/ITSI/4.10.1/SI/AboutSI

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Where are KPI search results stored?

  • A. The default index.
  • B. KV Store.
  • C. Output to a CSV lookup.
  • D. The itsi_summary index.
Answer:

D


Explanation:
Search results are processed, created, and written to the itsi_summary index via an alert action.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which index is used to store KPI values?

  • A. itsi_summary_metrics
  • B. itsi_metrics
  • C. itsi_service_health
  • D. itsi_summary
Answer:

A


Explanation:
The IT Service Intelligence (ITSI) metrics summary index,itsi_summary_metrics, is a metrics-based
summary index that stores KPI data.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/MetricsIndexRef

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Anomaly detection can be enabled on which one of the following?

  • A. KPI
  • B. Multi-KPI alert
  • C. Entity
  • D. Service
Answer:

A


Explanation:
Enable anomaly detection to identify trends and outliers in KPI search results that might indicate an
issue with your system.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/AD

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

What are valid considerations when designing an ITSI Service? (Choose all that apply.)

  • A. Service access control requirements for ITSI Team Access should be considered, and appropriate teams provisioned prior to creating the ITSI Service.
  • B. Entities, entity meta-data, and entity rules should be planned carefully to support the service design and configuration.
  • C. Services, entities, and saved searches are stored in the ITSI app, while events created by KPI execution are stored in the itsi_summary index.
  • D. Backfill of a KPI should always be selected so historical data points can be used immediately and alerts based on that data can occur.
Answer:

A, C


Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/ImplementPerms

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

Which of the following are deployment recommendations for ITSI? (Choose all that apply.)

  • A. Deployments often require an increase of hardware resources above base Splunk requirements.
  • B. Deployments require a dedicated ITSI search head.
  • C. Deployments may increase the number of required indexers based on the number of KPI searches.
  • D. Deployments should use fastest possible disk arrays for indexers.
Answer:

A, B, C


Explanation:
You might need to increase the hardware specifications of your own Enterprise Security deployment
above the minimum hardware requirements depending on your environment.
Install Splunk Enterprise Security on a dedicated search head or search head cluster.
The Splunk platform uses indexers to scale horizontally. The number of indexers required in an
Enterprise Security deployment varies based on the data volume, data type, retention requirements,
search type, and search concurrency.
Reference:
https://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Which of the following is a recommended best practice for service and glass table design?

  • A. Plan and implement services first, then build detailed glass tables.
  • B. Always use the standard icons for glass table widgets to improve portability.
  • C. Start with base searches, then services, and then glass tables.
  • D. Design glass tables first to discover which KPIs are important.
Answer:

D


Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/GTOverview

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2