
Splunk SPLK-3002 Practice Test - Questions Answers, Page 3


Which scenario would benefit most by implementing ITSI?

A. Monitoring of business services functionality.
B. Monitoring of system hardware.
C. Monitoring of system process statuses.
D. Monitoring of retail sales metrics.
Suggested answer: A

Explanation:

Splunk IT Service Intelligence (ITSI) is a monitoring and analytics solution that uses artificial intelligence and machine learning to provide insights into the health and performance of IT services. ITSI lets you create services that represent the critical components of your IT infrastructure, such as applications, databases, servers, and networks. You can then monitor the status and performance of these services using key performance indicators (KPIs), which are metrics that measure aspects of service health such as availability, latency, and error rate. ITSI also provides tools for visualizing, investigating, and alerting on service issues, including service analyzers, glass tables, deep dives, and episode review. The scenario that would benefit most from implementing ITSI is monitoring of business service functionality, because ITSI enables you to measure and improve the quality and reliability of your IT services and align them with your business objectives.

Reference: What is Splunk IT Service Intelligence?

ITSI Saved Search Scheduling is configured to use realtime_schedule = 0. Which statement is accurate about this configuration?

A. If this value is set to 0, the scheduler bases its determination of the next scheduled search execution time on the current time.
B. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time.
C. If this value is set to 0, the scheduler may skip scheduled execution periods.
D. If this value is set to 0, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.
Suggested answer: B

Explanation:

ITSI Saved Search Scheduling is a feature that allows you to schedule searches that run periodically to populate the data for your KPIs. You can configure various settings for your scheduled searches, such as the search frequency, the time range, the cron expression, and so on. One of the settings is realtime_schedule, which controls the way the scheduler computes the next execution time of a scheduled search. The statement that is accurate about this configuration is:

B) If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler's load. Use continuous scheduling whenever you enable the summary index option.

The other statements are not accurate because:

A) If this value is set to 0, the scheduler bases its determination of the next scheduled search execution time on the current time. This is not true because this is what happens when the value is set to 1, not 0.

C) If this value is set to 0, the scheduler may skip scheduled execution periods. This is not true because this is what happens when the value is set to 1, not 0.

D) If this value is set to 0, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. This is not true because this is what happens when the value is set to 1, not 0.

For which ITSI function is it a best practice to use a 15-30 minute time buffer?

A. Correlation searches.
B. Adaptive thresholding.
C. Maintenance windows.
D. Anomaly detection.
Suggested answer: B

Explanation:

B is the correct answer because adaptive thresholding is a feature of ITSI that allows you to dynamically adjust KPI thresholds based on historical patterns and trends. Adaptive thresholding requires a time buffer of at least 15 minutes to calculate the thresholds based on the previous data points. The time buffer ensures that there is enough data to perform the calculations and avoid false positives or negatives.

Reference: Configure adaptive thresholding for a KPI in ITSI

There are two departments using ITSI: Finance and Sales. Analysts in each department should not be allowed to see each other's services. What are the role configuration steps required to accomplish this?

A. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_analyst.
B. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_team_analyst; itoa_sales_analyst, inherited from itoa_team_analyst.
C. itoa_finance_admin, inherited from itoa_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_team_analyst.
D. itoa_finance_admin, inherited from itoa_team_admin; itoa_sales_admin, inherited from itoa_team_admin; itoa_finance_analyst, inherited from itoa_analyst; itoa_sales_analyst, inherited from itoa_analyst.
Suggested answer: C

Explanation:

C is the correct answer because teams are a feature of ITSI that allow you to restrict access to service content in UI views based on user roles. To create separate teams for finance and sales analysts, you need to create custom roles that inherit from the itoa_analyst role, which has read-only access to ITSI content. For example, you can create itoa_finance_analyst and itoa_sales_analyst roles that inherit from itoa_analyst. Then, you need to create custom teams that include these roles and assign them to the relevant services. For example, you can create a finance team that includes the itoa_finance_analyst role and assign it to the finance services. Similarly, you can create a sales team that includes the itoa_sales_analyst role and assign it to the sales services. This way, analysts in each department can only see their own services and not each other's.

Reference: Create teams in ITSI, Assign teams to services in ITSI

How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for each entity?

A. Select "Yes" for both "Split by Entity" and "Filter to Entities in Service".
B. Select "No" for "Split by Entity" and "Yes" for "Filter to Entities in Service".
C. Select "Yes" for "Split by Entity" and "No" for "Filter to Entities in Service".
D. Select "No" for both "Split by Entity" and "Filter to Entities in Service".
Suggested answer: A

Explanation:

A is the correct answer because selecting "Yes" for both "Split by Entity" and "Filter to Entities in Service" allows you to automatically restrict a KPI to only the entities in its service and generate KPI values for each entity. Split by Entity splits the KPI search results by entity alias fields and calculates a separate KPI value for each entity. Filter to Entities in Service filters out any entities that are not part of the service from the KPI search results. This way, you can ensure that your KPI reflects only the relevant entities for your service and provides granular information for each entity.

Reference: [Configure KPI settings in ITSI]

Which of the following items describe ITSI Backup and Restore functionality? (Choose all that apply.)

A. A pre-configured default ITSI backup job is provided that can be modified, but not deleted.
B. ITSI backup is inclusive of KV Store, ITSI Configurations, and index dependencies.
C. kvstore_to_json.py can be used in scripts or command line to backup ITSI for full or partial backups.
D. ITSI backups are stored as a collection of JSON formatted files.
Suggested answer: C, D

Explanation:

ITSI provides a kvstore_to_json.py script that lets you backup/restore ITSI configuration data, perform bulk service KPI operations, apply time zone offsets for ITSI objects, and regenerate KPI search schedules.

When you run a backup job, ITSI saves your data to a set of JSON files compressed into a single ZIP file.

https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/kvstorejson

https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/BackupandRestoreITSIconfig

C and D are correct answers because ITSI backup and restore functionality uses kvstore_to_json.py as a command line script or as part of custom scripts to backup ITSI data for full or partial backups. ITSI backups are also stored as a collection of JSON formatted files that contain KV store objects such as services, KPIs, glass tables, etc. A is not a correct answer because there is no pre-configured default ITSI backup job provided. You can create your own backup jobs or use the command line script or custom scripts to backup ITSI data. B is not a correct answer because ITSI backup is not inclusive of index dependencies. ITSI backup only includes KV store objects and optionally some .conf files. You need to use other methods to backup index data.

Reference: [Overview of backing up and restoring ITSI KV store data], [Create a full backup of ITSI], [Create a partial backup of ITSI]

When installing ITSI to support a Distributed Search Architecture, which of the following items apply? (Choose all that apply.)

A. Copy SA-IndexCreation to all indexers.
B. Copy SA-IndexCreation to the etc/apps directory on the index cluster master node.
C. Extract installer package into etc/apps directory of the cluster deployer node.
D. Extract ITSI app package into etc/apps directory of search head.
Suggested answer: A

Explanation:

Copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on all individual indexers in your environment.

A is the correct answer because when installing ITSI to support a distributed search architecture, you need to copy SA-IndexCreation to all indexers. SA-IndexCreation is an app that contains the definitions of the ITSI indexes, such as itsi_summary, itsi_tracked_alerts, itsi_grouped_alerts, etc. You need to copy this app to all indexers to ensure that they can store and search the ITSI data. B is not a correct answer because you do not need to copy SA-IndexCreation to the etc/apps directory on the index cluster master node. The index cluster master node does not store or search data, it only manages the replication and availability of data across the index cluster peers. C is not a correct answer because you do not need to extract the installer package into etc/apps directory of the cluster deployer node. The cluster deployer node is used to distribute apps and configuration updates to the search head cluster members. You need to extract the installer package into etc/shcluster/apps directory of the cluster deployer node instead. D is not a correct answer because you do not need to extract the ITSI app package into etc/apps directory of search head. You need to extract the ITSI app package into etc/shcluster/apps directory of the cluster deployer node and use the deployer to push the app to all search head cluster members.

Reference: [Install Splunk IT Service Intelligence on a search head cluster], [Install Splunk IT Service Intelligence on an indexer cluster]

Which of the following is a valid type of Multi-KPI Alert?

A. Score over composite.
B. Value over time.
C. Status over time.
D. Rise over run.
Suggested answer: B

Explanation:

B is the correct answer because value over time is a valid type of Multi-KPI Alert in ITSI. A Multi-KPI Alert is a type of alert that triggers when multiple KPIs from one or more services meet certain conditions within a specified time range. Value over time is a condition that compares the current value of a KPI to its previous values over a specified time range. For example, you can create a Multi-KPI Alert that triggers when the CPU usage and memory usage of a service are both higher than their average values in the last 24 hours.

Reference: [Create Multi-KPI alerts in ITSI], [Multi-KPI alert conditions in ITSI]

When must a service define entity rules?

A. If the intention is for the KPIs in the service to filter to only entities assigned to the service.
B. To enable entity cohesion anomaly detection.
C. If some or all of the KPIs in the service will be split by entity.
D. If the intention is for the KPIs in the service to have different aggregate vs. entity KPI values.
Suggested answer: A

Explanation:

Provide a value to filter the service to a specific set of entities. These entity rule values are meant to be custom for each service.

A is the correct answer because a service must define entity rules if the intention is for the KPIs in the service to filter to only entities assigned to the service. Entity rules are filters that match entities to services based on entity aliases or entity metadata. If you enable the Filter to Entities in Service option for a KPI, you need to define entity rules for the service to ensure that the KPI search results only include the relevant entities for the service. Otherwise, the KPI search results might include entities that are not part of the service or exclude entities that are part of the service.

Reference: [Define entities for a service in ITSI], [Configure KPI settings in ITSI]

What effect does the KPI importance weight of 11 have on the overall health score of a service?

A. At least 10% of the KPIs will go critical.
B. Importance weight is unused for health scoring.
C. The service will go critical.
D. It is a minimum health indicator KPI.
Suggested answer: B

Explanation:

The KPI importance weight is a value that indicates how much a KPI contributes to the overall health score of a service. The importance weight can range from 1 (lowest) to 10 (highest). The statement that applies when configuring a KPI importance weight of 11 is:

B) Importance weight is unused for health scoring. This is true because an importance weight of 11 is invalid and cannot be used for health scoring. The maximum value for importance weight is 10.

The other statements do not apply because:

A) At least 10% of the KPIs will go critical. This is not true because an importance weight of 11 does not affect the severity level of any KPIs.

C) The service will go critical. This is not true because an importance weight of 11 does not affect the health score or status of any service.

D) It is a minimum health indicator KPI. This is not true because an importance weight of 11 does not indicate anything about the minimum health level of a KPI.

Total 90 questions