When in maintenance mode, which of the following is accurate?
Once the window is over, KPIs and notable events will begin to be generated again.
KPIs are shown in blue while in maintenance mode.
Maintenance mode slots are scheduled on a per hour basis.
Service health scores and KPI events are deleted until the window is over.
Which of the following is a characteristic of notable event groups?
Notable event groups combine independent notable events.
Notable event groups are created in the itsi_tracked_alerts index.
Notable event groups allow users to adjust threshold settings.
All of the above.
In Splunk IT Service Intelligence (ITSI), notable event groups are used to logically group related notable events, which enhances the manageability and analysis of events:
A. Notable event groups combine independent notable events: This characteristic allows for the aggregation of related events into a single group, making it easier for users to manage and investigate related issues. By grouping events, users can focus on the broader context of an issue rather than getting lost in the details of individual events.
While notable event groups play a critical role in organizing and managing events in ITSI, they do not inherently allow users to adjust threshold settings, which is typically handled at the KPI or service level. Additionally, while notable event groups are utilized within the ITSI framework, the statement that they are created in the 'itsi_tracked_alerts' index might not fully capture the complexity of how event groups are managed and stored within the ITSI architecture.
Which scenario would benefit most by implementing ITSI?
Monitoring of business services functionality.
Monitoring of system hardware.
Monitoring of system process statuses.
Monitoring of retail sales metrics.
Which of the following is a good use case for a Multi-KPI alert?
Alerting when the values of two or more KPIs go into maintenance mode.
Alerting when the trend of two or more KPIs indicates service failure is imminent.
Alerting when two or more KPIs are deviating from their typical pattern.
Alerting when comparing the values of two or more KPIs indicates an unusual condition is occurring.
A Multi-KPI alert in Splunk IT Service Intelligence (ITSI) is designed to trigger based on the conditions of multiple Key Performance Indicators (KPIs). This type of alert is particularly useful when a single KPI's state is not sufficient to indicate an issue, but the correlation between multiple KPIs can provide a clearer picture of an emerging problem. The best use case for a Multi-KPI alert is therefore when comparing the values of two or more KPIs indicates an unusual condition is occurring. This allows for more nuanced and context-rich alerting mechanisms that can identify complex issues not detectable by monitoring individual KPIs. This approach is beneficial in complex environments where the interplay between different performance metrics needs to be considered to accurately detect and diagnose issues.
Which of the following services often has KPIs but no entities?
Security Service.
Network Service.
Business Service.
Technical Service.
In the context of Splunk IT Service Intelligence (ITSI), a Business Service often has Key Performance Indicators (KPIs) but might not have directly associated entities. Business Services represent high-level aggregations of organizational functions or processes and are typically measured by KPIs that reflect the performance of underlying technical services or components rather than direct infrastructure entities. For example, a Business Service might monitor overall transaction completion times or customer satisfaction scores, which are abstracted from the specific technical entities that underlie these metrics. This abstraction allows Business Services to provide a business-centric view of IT health and performance, focusing on outcomes rather than specific technical components.
What should be considered when onboarding data into a Splunk index, assuming that ITSI will need to use this data?
Use | stats functions in custom fields to prepare the data for KPI calculations.
Check if the data could leverage pre-built KPIs from modules, then use the correct TA to onboard the data.
Make sure that all fields conform to CIM, then use the corresponding module to import related services.
Plan to build as many data models as possible for ITSI to leverage.
What happens when an anomaly is detected?
A separate correlation search needs to be created in order to see it.
A SNMP trap will be sent.
An anomaly alert will appear in core Splunk, in index=main.
An anomaly alert will appear as a notable event in Episode Review.
When an anomaly is detected in Splunk IT Service Intelligence (ITSI), it typically generates a notable event that can be reviewed and managed in the Episode Review dashboard. The Episode Review is part of ITSI's Event Analytics framework and serves as a centralized location for reviewing, annotating, and managing notable events, including those generated by anomaly detection. This process enables IT operators and analysts to efficiently identify, prioritize, and respond to potential issues highlighted by the anomaly alerts. The integration of anomaly alerts into the Episode Review dashboard streamlines the workflow for managing and investigating these alerts within the broader context of IT service management and operational intelligence.
Which of the following items apply to anomaly detection? (Choose all that apply.)
Use AD on KPIs that have an unestablished baseline of data points. This allows the ML pattern to perform its magic.
A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis.
Anomaly detection automatically generates notable events when KPI data diverges from the pattern.
There are 3 types of anomaly detection supported in ITSI: adhoc, trending, and cohesive.
Which of the following can generate notable events?
Through ad-hoc search results which get processed by adaptive thresholds.
When two entity aliases have a matching value.
Through scheduled correlation searches which link to their respective services.
Manually selected using the Notable Event Review panel.
Notable events in Splunk IT Service Intelligence (ITSI) are primarily generated through scheduled correlation searches. These searches are designed to monitor data for specific conditions or patterns defined by the ITSI administrator, and when these conditions are met, a notable event is created. These correlation searches are often linked to specific services or groups of services, allowing for targeted monitoring and alerting based on the operational needs of those services. This mechanism enables ITSI to provide timely and relevant alerts that can be further investigated and managed through the Episode Review dashboard, facilitating efficient incident response and management within the IT environment.
Which of the following describes entities? (Choose all that apply.)
Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or MAC address.
An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
Multiple entities can share the same alias value, but must have different role values.
To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
Which of the following is a best practice when configuring maintenance windows?
Disable any glass tables that reference a KPI that is part of an open maintenance window.
Develop a strategy for configuring a service’s notable event generation when the service’s maintenance window is open.
Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
Change the color of services and entities that are part of an open maintenance window in the service analyzer.
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work.
When working with a notable event group in the Notable Events Review dashboard, which of the following can be set at the individual or group level?
Service, status, owner.
Severity, status, owner.
Severity, comments, service.
Severity, status, service.
In the Notable Events Review dashboard within Splunk IT Service Intelligence (ITSI), when working with a notable event group, users can set or adjust certain attributes at the individual event level or at the group level. These attributes include:
These settings allow for effective management and tracking of notable events, ensuring that they are appropriately prioritized, acted upon, and resolved by the responsible parties.
In distributed search, which components need to be installed on instances other than the search head?
SA-IndexCreation and SA-ITSI-Licensechecker on indexers.
SA-IndexCreation and SA-ITOA on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
SA-ITSI-Licensechecker on indexers.
SA-IndexCreation is required on all indexers. For non-clustered, distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers.
Which of the following applies when configuring time policies for KPI thresholds?
A person can only configure 24 policies, one for each hour of the day.
They are great if you expect normal behavior at 1:00 to be different than normal behavior at 5:00.
If a person expects a KPI to change significantly through a cycle on a daily basis, don’t use it.
It is possible for multiple time policies to overlap.
Time policies are user-defined threshold values to be used at different times of the day or week to account for changing KPI workloads. Time policies accommodate normal variations in usage across your services and improve the accuracy of KPI and service health scores. For example, if your organization’s peak activity is during the standard work week, you might create a KPI threshold time policy that accounts for higher levels of usage during work hours, and lower levels of usage during off-hours and weekends. The statement that applies when configuring time policies for KPI thresholds is:
The other statements do not apply because:
References: Create time-based static KPI thresholds in ITSI
After ITSI is initially deployed for the operations department at a large company, another department would like to use ITSI but wants to keep their information private from the operations group. How can this be achieved?
Create service templates for each group and create the services from the templates.
Create teams for each department and assign KPIs to each team.
Create services for each group and set the permissions of the services to restrict them to each group.
Create teams for each department and assign services to the teams.
In Splunk IT Service Intelligence (ITSI), creating teams for each department and assigning services to those teams is an effective way to segregate data and ensure that information remains private between different groups within an organization. Teams in ITSI provide a mechanism for role-based access control, allowing administrators to define which users or groups have access to specific services, KPIs, and dashboards. By setting up teams corresponding to each department and then assigning services to these teams, ITSI can accommodate multi-departmental use within the same instance while maintaining strict access controls. This ensures that each department can only view and interact with the data and services relevant to their operations, preserving confidentiality and data integrity across the organization.
Which glass table feature can be used to toggle displaying KPI values from more than one service on a single widget?
Service templates.
Service dependencies.
Ad-hoc search.
Service swapping.
In which index are active notable events stored?
itsi_notable_archive
itsi_notable_audit
itsi_tracked_alerts
itsi_tracked_groups
In Splunk IT Service Intelligence (ITSI), notable events are created and managed within the context of its Event Analytics framework. These notable events are stored in the itsi_tracked_alerts index. This index is specifically designed to hold the active notable events that are generated by ITSI's correlation searches, which are based on the conditions defined for various services and their KPIs. Notable events are essentially alerts or issues that need to be investigated and resolved. The itsi_tracked_alerts index enables efficient storage, querying, and management of these events, facilitating ITSI's event management and review process. The other options, such as itsi_notable_archive and itsi_notable_audit, serve different purposes, such as archiving resolved notable events and auditing changes to notable event configurations, respectively. Therefore, the correct answer for where active notable events are stored is the itsi_tracked_alerts index.
Which of the following items describe ITSI teams? (select all that apply)
Teams should have itoa admin roles added with read-only permissions for services and entities.
Services should be assigned to the 'global' team if all users need access to it.
By default, all services are owned by the built-in 'global' team and administered by the 'itoa_admin' role.
A new team admin role should be created for each team. The new role should inherit the 'itoa_team_admin' role.
In Splunk IT Service Intelligence (ITSI), teams are used to organize services, KPIs, and other objects within ITSI to facilitate access control and management:
B. Services should be assigned to the 'global' team if all users need access to it: The 'global' team in ITSI is a built-in concept that denotes universal accessibility. Assigning services to the 'global' team makes them accessible to all ITSI users, irrespective of their specific team memberships. This is useful for services that are relevant across the entire organization.
C. By default, all services are owned by the built-in 'global' team and administered by the 'itoa_admin' role: This default setting ensures that upon creation, services are accessible to administrators and can be further re-assigned or refined for access by specific teams as needed.
D. A new team admin role should be created for each team. The new role should inherit the 'itoa_team_admin' role: This best practice allows for granular access control and management within teams. Each team can have its own administrators with the appropriate level of access and permissions tailored to the needs of that team, derived from the capabilities of the 'itoa_team_admin' role.
The concept of adding 'itoa admin roles' with read-only permissions contradicts the typical use case for administrative roles, which usually require more than read-only access to manage services and entities effectively.
Which of the following is a recommended best practice for ITSI installation?
ITSI should not be installed on search heads that have Enterprise Security installed.
Before installing ITSI, make sure the Common Information Model (CIM) is installed.
Install the Machine Learning Toolkit app if anomaly detection must be configured.
Install ITSI on one search head in a search head cluster and migrate the configuration bundle to other search heads.
One of the recommended best practices for Splunk IT Service Intelligence (ITSI) installation is to avoid installing ITSI on search heads that already have Splunk Enterprise Security (ES) installed. This recommendation stems from potential resource conflicts and performance issues that can arise when both resource-intensive applications are deployed on the same instance. Both ITSI and ES are complex applications that require significant system resources to function effectively, and running them concurrently on the same search head can lead to degraded performance, conflicts in resource allocation, and potential stability issues. It's generally advised to segregate these applications onto separate Splunk instances to ensure optimal performance and stability for both platforms.
Which index contains ITSI Episodes?
itsi_tracked_alerts
itsi_grouped_alerts
itsi_notable_archive
itsi_summary
What is an episode?
A workflow task.
A deep dive.
A notable event group.
A notable event.
It's a deduplicated group of notable events occurring as part of a larger sequence, or an incident or period considered in isolation.
How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for each entity?
Select “Yes” for both “Split by Entity” and “Filter to Entities in Service”.
Select “No” for “Split by Entity” and “Yes” for “Filter to Entities in Service”.
Select “Yes” for “Split by Entity” and “No” for “Filter to Entities in Service”.
Select “No” for both “Split by Entity” and “Filter to Entities in Service”.
What is the minimum number of entities a KPI must be split by in order to use Entity Cohesion anomaly detection?
3
4
5
2
For Entity Cohesion anomaly detection in Splunk IT Service Intelligence (ITSI), the minimum number of entities a KPI must be split by is 2. Entity Cohesion as a method of anomaly detection focuses on identifying anomalies based on the deviation of an entity's behavior in comparison to other entities within the same group or cohort. By requiring a minimum of only two entities, ITSI allows for the comparison of entities to detect significant deviations in one entity's performance or behavior, which could indicate potential issues. This method leverages the idea that entities performing similar functions or within the same service should exhibit similar patterns of behavior, and significant deviations could be indicative of anomalies. The low minimum requirement of two entities ensures that this powerful anomaly detection feature can be utilized even in smaller environments.
What is the range for a normal Service Health score category?
20-40
40-60
60-80
80-100
In Splunk IT Service Intelligence (ITSI), the Service Health Score is a metric that provides a quantifiable measure of the overall health and performance of a service. The score ranges from 0 to 100, with higher scores indicating better health. The range for a normal Service Health score category is typically from 80 to 100. Scores within this range suggest that the service is performing well, with no significant issues affecting its health. This categorization helps IT and business stakeholders quickly assess the operational status of their services, enabling them to focus on services that may require attention or intervention due to lower health scores.