Splunk SPLK-3002 Exam Questions

Questions for the SPLK-3002 were updated on: Oct 11, 2024

Page 1 out of 4. Viewing questions 1-15 out of 53

Question 1

After a notable event has been closed, how long will the metadata for that event remain in the KV
Store by default?

  • A. 6 months.
  • B. 9 months.
  • C. 1 year.
  • D. 3 months.
Answer:

A

Explanation:
By default, notable event metadata is archived after six months to keep the KV store from growing
too large.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/TrimNECollections

Question 2

Which of the following is a best practice for identifying the most effective services with which to start
an iterative ITSI deployment?

  • A. Only include KPIs if they will be used in multiple services.
  • B. Analyze the business to determine the most critical services.
  • C. Focus on low-level services.
  • D. Define a large number of key services early.
Answer:

A

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA

Question 3

When creating a custom deep dive, what color are services/KPIs in maintenance mode within the
topology view?

  • A. Gray
  • B. Purple
  • C. Gear Icon
  • D. Blue
Answer:

A

Explanation:
Services, entities, and KPIs that are fully or partially impacted by a maintenance window appear in a
dark gray color on pages that display health scores, including service analyzers, service and entity
details pages, glass tables, multi-KPI alerts, and deep dives.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW

Question 4

Which deep dive swim lane type does not require writing SPL?

  • A. Event lane.
  • B. Automatic lane.
  • C. Metric lane.
  • D. KPI lane.
Answer:

B

Explanation:
Among all the search configurations, the automatic lane doesn't need to be written in Splunk Processing
Language.

Question 5

Which of the following items apply to anomaly detection? (Choose all that apply.)

  • A. Use AD on KPIs that have an unestablished baseline of data points. This allows the ML pattern to perform its magic.
  • B. A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis.
  • C. Anomaly detection automatically generates notable events when KPI data diverges from the pattern.
  • D. There are 3 types of anomaly detection supported in ITSI: adhoc, trending, and cohesive.
Answer:

B, C

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/AD

Question 6

Which of the following is a best practice when configuring maintenance windows?

  • A. Disable any glass tables that reference a KPI that is part of an open maintenance window.
  • B. Develop a strategy for configuring a service's notable event generation when the service's maintenance window is open.
  • C. Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
  • D. Change the color of services and entities that are part of an open maintenance window in the service analyzer.
Answer:

C

Explanation:
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and
after you start and stop your maintenance work.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW

Question 7

In Episode Review, what is the result of clicking an episode’s Acknowledge button?

  • A. Assign the current user as owner.
  • B. Change status from New to Acknowledged.
  • C. Change status from New to In Progress and assign the current user as owner.
  • D. Change status from New to Acknowledged and assign the current user as owner.
Answer:

C

Explanation:
When an episode warrants investigation, the analyst acknowledges the episode, which moves the
status from New to In Progress.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/EpisodeOverview

Question 8

Which glass table feature can be used to toggle displaying KPI values from more than one service on
a single widget?

  • A. Service templates.
  • B. Service dependencies.
  • C. Ad-hoc search.
  • D. Service swapping.
Answer:

C

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/Visualizations#collapseDesktop8

Question 9

Which of the following is a characteristic of base searches?

  • A. Search expression, entity splitting rules, and thresholds are configured at the base search level.
  • B. It is possible to filter to entities assigned to the service for calculating the metrics for the service's KPIs.
  • C. The fewer KPIs that share a common base search, the more efficiency a base search provides, and anomaly detection is more efficient.
  • D. The base search will execute whether or not a KPI needs it.
Answer:

B

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch

Question 10

What are valid ITSI Glass Table editor capabilities? (Choose all that apply.)

  • A. Creating glass tables.
  • B. Correlation search creation.
  • C. Service swapping configuration.
  • D. Adding KPI metric lanes to glass tables.
Answer:

A, C, D

Explanation:
Create a glass table to visualize and monitor the interrelationships and dependencies across your IT
and business services.
The service swapping settings are saved and apply the next time you open the glass table.
You can add metrics like KPIs, ad hoc searches, and service health scores that update in real time
against a background that you design. Glass tables show real-time data generated by KPIs and
services.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/GTOverview

Question 11

Which of the following is the best use case for configuring a Multi-KPI Alert?

  • A. Comparing content between two notable events.
  • B. Using machine learning to evaluate when data falls outside of an expected pattern.
  • C. Comparing anomaly detection between two KPIs.
  • D. Raising an alert when one or more KPIs indicate an outage is occurring.
Answer:

A

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA

Question 12

In distributed search, which components need to be installed on instances other than the search
head?

  • A. SA-IndexCreation and SA-ITSI-Licensechecker on indexers.
  • B. SA-IndexCreation and SA-ITOA on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • C. SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • D. SA-ITSI-Licensechecker on indexers.
Answer:

A

Explanation:
SA-IndexCreation is required on all indexers. For non-clustered, distributed environments, copy
SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD

Question 13

When deploying ITSI on a distributed Splunk installation, which component must be installed on the
search head(s)?

  • A. SA-ITOA
  • B. ITSI app
  • C. All ITSI components
  • D. SA-ITSI-Licensechecker
Answer:

D

Explanation:
Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search
head cluster environment. If a search head in your environment is also a license master, the license
master components are installed when you install ITSI on the search heads.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD

Question 14

Which of the following describes entities? (Choose all that apply.)

  • A. Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or MAC address.
  • B. An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
  • C. Multiple entities can share the same alias value, but must have different role values.
  • D. To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
Answer:

D

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter

Question 15

Which of the following describes a realistic troubleshooting workflow in ITSI?

  • A. Correlation Search –> Deep Dive –> Notable Event
  • B. Service Analyzer –> Notable Event Review –> Deep Dive
  • C. Service Analyzer –> Aggregation Policy –> Deep Dive
  • D. Correlation search –> KPI –> Aggregation Policy
Answer:

A

Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/IModules/Troubleshootingmodules
