Splunk SPLK-3002 Practice Test - Questions Answers, Page 5
List of questions
Question 41

Where are KPI search results stored?
Explanation:
Search results are processed, created, and written to the itsi_summary index via an alert action.
D is the correct answer because KPI search results are stored in the itsi_summary index in ITSI. This index is an events index that stores the results of scheduled KPI searches. Summary indexing lets you run fast searches over large data sets by spreading out the cost of a computationally expensive report over time.
Reference: Overview of ITSI indexes
Question 42

Which ITSI functions generate notable events? (Choose all that apply.)
Explanation:
After you configure KPI thresholds, you can set up alerts to notify you when aggregate KPI severities change. ITSI generates notable events in Episode Review based on the alerting rules you configure.
Anomaly detection generates notable events when a KPI in IT Service Intelligence (ITSI) deviates from its expected pattern.
Notable events are typically generated by a correlation search.
https://docs.splunk.com/Documentation/ITSI/4.10.1/SI/AboutSI
A, B, and D are correct answers because ITSI can generate notable events when a KPI breaches a threshold, when a KPI detects an anomaly, or when a correlation search matches a defined pattern. These are the main ways that ITSI can alert you to potential issues or incidents in your IT environment.
Reference: Configure KPI thresholds in ITSI; Apply anomaly detection to a KPI in ITSI; Generate events with correlation searches in ITSI
Question 43

Which of the following describes a way to delete multiple duplicate entities in ITSI?
Explanation:
D is the correct answer because ITSI provides multiple ways to delete multiple duplicate entities. You can use a CSV upload to overwrite existing entities with new or updated information, or delete them by setting the action field to delete. You can also use the entity lister page to select multiple entities and delete them in bulk. Alternatively, you can use a search command called | deleteentity to delete entities that match certain criteria.
Reference: Create and update entities using a CSV file in ITSI; Delete entities in bulk in ITSI; Delete entities using the | deleteentity command in ITSI
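The CSV route above only avoids duplicates if the file you upload is itself clean. The following is an added example, not part of the practice test or of Splunk's ITSI code: it collapses rows that describe the same entity before the file is imported. It assumes (my assumption, not stated on the page) that entities are keyed by the title column that the ITSI CSV import maps to the entity title, and that the other columns are alias or informational fields whose values should be merged rather than dropped. The sample CSV is constructed for the example.

```python
"""Added example: de-duplicate an ITSI entity CSV before bulk import.

Assumptions (mine): rows are keyed by `title`; other columns are merged.
"""
import csv
import io

# Constructed sample export: web-01 appears three times with different
# casing/whitespace and partially overlapping field values.
SAMPLE_CSV = """title,ip,role,datacenter
web-01,10.0.0.11,web,dc1
WEB-01 ,10.0.0.11,web,
web-02,10.0.0.12,web,dc1
web-01,,frontend,dc1
db-01,10.0.1.5,db,dc2
"""


def normalize_title(title: str) -> str:
    """Entity titles differing only by case or surrounding whitespace are
    treated as the same entity."""
    return title.strip().lower()


def dedupe_entities(csv_text: str, key: str = "title") -> list[dict]:
    """Merge rows sharing a normalized title.

    A later non-empty value fills an empty field; a conflicting non-empty
    value is appended with ';' so nothing is silently lost during review.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    merged: dict[str, dict] = {}
    for row in reader:
        k = normalize_title(row[key])
        if k not in merged:
            merged[k] = {col: (val or "").strip() for col, val in row.items()}
            merged[k][key] = k
            continue
        target = merged[k]
        for col, val in row.items():
            if col == key:
                continue
            val = (val or "").strip()
            if not val:
                continue
            existing = target.get(col, "")
            if not existing:
                target[col] = val
            elif val not in existing.split(";"):
                target[col] = existing + ";" + val
    return list(merged.values())


def to_csv(rows: list[dict], fieldnames: list[str]) -> str:
    """Serialize merged rows back into an import-ready CSV."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = dedupe_entities(SAMPLE_CSV)
    print(to_csv(rows, ["title", "ip", "role", "datacenter"]))
```

Fields that end up with a `;`-joined value (here `role` for web-01) are the rows a human should look at before the file is uploaded; the script deliberately does not pick a winner.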
Question 44

Which capabilities are enabled through ''teams''?
Explanation:
D is the correct answer because teams allow you to restrict access to service content in UI views such as service analyzers, glass tables, deep dives, and episode review. Teams also control access to services and KPIs for editing and viewing purposes. Teams do not affect the ability to search against the itsi_summary index, restrict notable event alert actions, or restrict searches against the itsi_notable_audit index.
Reference: Overview of teams in ITSI
Question 45

Besides creating notable events, what are the default alert actions a correlation search can execute? (Choose all that apply.)
Explanation:
Throttling applies to any correlation search alert type, including notable events and actions (RSS feed, email, run script, and ticketing).
B, C, and D are correct answers because they are the default alert actions that a correlation search can execute besides creating notable events. You can configure a correlation search to send an email, include the results in an RSS feed, or run a custom script when the search matches a defined pattern. Ping a host is not a default alert action for correlation searches.
Reference: Configure correlation search settings in ITSI
Question 46

Within a correlation search, dynamic field values can be specified with what syntax?
Explanation:
B is the correct answer because dynamic field values are specified with the %fieldname% syntax within a correlation search. This syntax inserts values from fields returned by the correlation search into the notable event title and description and into alert action fields such as an email subject or body. For example, %host% inserts the value of the host field into the notable event title.
Reference: Use dynamic field values in correlation searches in ITSI
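To make the token substitution concrete, here is an added example that is not from ITSI or the practice test: a small expander for the %fieldname% syntax, applied to one search result row. It assumes (my assumption, not documented on the page) that a token whose field is missing from the row is left in place unchanged, so a typo in a template shows up visibly in the generated event instead of being blanked. The result row and template are constructed for the example.

```python
"""Added example: expand %fieldname% tokens from one correlation search result.

Assumption (mine): unknown tokens are left literal rather than removed.
"""
import re

# A token is a field name between percent signs; a lone '%' is literal text.
TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


def expand_tokens(template: str, row: dict) -> str:
    """Replace every %field% in template with row[field], if present."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        return str(row[name]) if name in row else match.group(0)
    return TOKEN.sub(substitute, template)


# Constructed sample result row, as a correlation search might return it.
ROW = {
    "host": "web-01",
    "kpi": "CPU Utilization",
    "alert_value": "93.5",
    "alert_severity": "critical",
}

TITLE_TEMPLATE = "%kpi% on %host% is %alert_severity% (%alert_value%%)"
DESCRIPTION_TEMPLATE = "Owner: %service_owner%; reported by %host%"

if __name__ == "__main__":
    print(expand_tokens(TITLE_TEMPLATE, ROW))
    print(expand_tokens(DESCRIPTION_TEMPLATE, ROW))
```

The second template references service_owner, which the row does not carry, so the token survives verbatim in the output; that is the case to check for when a notable event title comes through with a raw %...% in it.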
Question 47

In maintenance mode, which features of KPIs still function?
Explanation:
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work. This gives the system an opportunity to catch up with the maintenance state and reduces the chances of ITSI generating false positives during maintenance operations.
A is the correct answer because KPI searches still run during maintenance mode, but the results are buffered until the maintenance window is over. This means that no alerts are triggered during maintenance mode, but once it ends, the buffered results are processed and alerts are generated if necessary. You cannot create new KPIs or modify existing KPIs during maintenance mode.
Reference: Overview of maintenance windows in ITSI
Question 48

Which index contains ITSI Episodes?
Explanation:
B is the correct answer because ITSI episodes are stored in the itsi_grouped_alerts index. This index contains notable events that have been grouped together based on predefined aggregation policies. Episodes help you reduce alert noise and focus on resolving incidents faster.
Reference: Overview of episodes in ITSI
Question 49

Which of the following best describes a default deep dive?
Explanation:
C is the correct answer because a default deep dive initially shows all of the KPIs for a selected service. You can create a default deep dive by drilling down from another dashboard or by selecting a service from the deep dive lister page. A default deep dive does not show health scores, importance scores, or entity swim lanes by default.
Reference: Create default deep dives for services in ITSI
Question 50

Which of the following describes enabling smart mode for an aggregation policy?
Explanation:
1. From the ITSI main menu, click Configuration > Notable Event Aggregation Policies.
2. Select a custom policy or the Default Policy.
3. Under Smart Mode grouping, enable Smart Mode.
4. Click Select fields. A dialog displays the fields found in your notable events from the last 24 hours.
C is the correct answer because smart mode is a feature of aggregation policies that allows ITSI to automatically group notable events based on the fields that have the most impact on the event occurrence. You can enable smart mode for an aggregation policy by editing the policy, selecting the smart mode option, and choosing the fields to analyze. You can also specify a minimum number of events to trigger smart mode and a maximum number of groups to create.
Reference: Configure smart mode for aggregation policies in ITSI