Splunk SPLK-3002 Splunk IT Service Intelligence Certified Admin Exam Online Training
The questions for SPLK-3002 were last updated on May 05, 2024.
- Exam Code: SPLK-3002
- Exam Name: Splunk IT Service Intelligence Certified Admin Exam
- Certification Provider: Splunk
- Latest update: May 05, 2024
Which of the following are deployment recommendations for ITSI? (Choose all that apply.)
- A . Deployments often require an increase of hardware resources above base Splunk requirements.
- B . Deployments require a dedicated ITSI search head.
- C . Deployments may increase the number of required indexers based on the number of KPI searches.
- D . Deployments should use fastest possible disk arrays for indexers.
A, B, C
Explanation:
You might need to increase the hardware specifications of your own Enterprise Security deployment above the minimum hardware requirements depending on your environment. Install Splunk Enterprise Security on a dedicated search head or search head cluster. The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.
Reference: https://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning
Besides creating notable events, what are the default alert actions a correlation search can execute? (Choose all that apply.)
- A . Ping a host.
- B . Send email.
- C . Include in RSS feed.
- D . Run a script.
B, C, D
Explanation:
Throttling applies to any correlation search alert type, including notable events and actions (RSS feed, email, run script, and ticketing).
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/ConfigCS
Which of the following describes entities? (Choose all that apply.)
- A . Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or mac address.
- B . An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
- C . Multiple entities can share the same alias value, but must have different role values.
- D . To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
D
Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter
Which of the following is a characteristic of base searches?
- A . Search expression, entity splitting rules, and thresholds are configured at the base search level.
- B . It is possible to filter to entities assigned to the service for calculating the metrics for the service’s KPIs.
- C . The fewer KPIs that share a common base search, the more efficiency a base search provides, and anomaly detection is more efficient.
- D . The base search will execute whether or not a KPI needs it.
B
Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch
In maintenance mode, which features of KPIs still function?
- A . KPI searches will execute but will be buffered until the maintenance window is over.
- B . KPI searches still run during maintenance mode, but results go to itsi_maintenance_summary index.
- C . New KPIs can be created, but existing KPIs are locked.
- D . KPI calculations and threshold settings can be modified.
A
Explanation:
It’s a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work. This gives the system an opportunity to catch up with the maintenance state and reduces the chances of ITSI generating false positives during maintenance operations.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW
Where are KPI search results stored?
- A . The default index.
- B . KV Store.
- C . Output to a CSV lookup.
- D . The itsi_summary index.
D
Explanation:
Search results are processed, created, and written to the itsi_summary index via an alert action.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch
Which of the following is an advantage of using adaptive time thresholds?
- A . Automatically update thresholds daily to manage dynamic changes to KPI values.
- B . Automatically adjust KPI calculation to manage dynamic event data.
- C . Automatically adjust aggregation policy grouping to manage escalating severity.
- D . Automatically adjust correlation search thresholds to adjust sensitivity over time.
A
Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/TimePolicies
Which of the following are the default ports that must be configured on Splunk to use ITSI?
- A . SplunkWeb (8405), SplunkD (8519), and HTTP Collector (8628)
- B . SplunkWeb (8089), SplunkD (8088), and HTTP Collector (8000)
- C . SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088)
- D . SplunkWeb (8088), SplunkD (8089), and HTTP Collector (8000)
C
Explanation:
Reference: https://splunk.github.io/docker-splunk/ARCHITECTURE.html
Which of the following items describe ITSI Backup and Restore functionality? (Choose all that apply.)
- A . A pre-configured default ITSI backup job is provided that can be modified, but not deleted.
- B . ITSI backup is inclusive of KV Store, ITSI Configurations, and index dependencies.
- C . kvstore_to_json.py can be used in scripts or command line to backup ITSI for full or partial backups.
- D . ITSI backups are stored as a collection of JSON formatted files.
C, D
Explanation:
ITSI provides a kvstore_to_json.py script that lets you back up and restore ITSI configuration data, perform bulk service KPI operations, apply time zone offsets to ITSI objects, and regenerate KPI search schedules.
When you run a backup job, ITSI saves your data to a set of JSON files compressed into a single ZIP file.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/kvstorejson
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/BackupandRestoreITSIconfig
When creating a custom deep dive, what color are services/KPIs in maintenance mode within the topology view?
- A . Gray
- B . Purple
- C . Gear Icon
- D . Blue
A
Explanation:
Services, entities, and KPIs that are fully or partially impacted by a maintenance window appear in a dark gray color on pages that display health scores, including service analyzers, service and entity details pages, glass tables, multi-KPI alerts, and deep dives.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW