Splunk SPLK-3002 practice test

Exam Title: Splunk IT Service Intelligence Certified Admin

Last update: Dec 14, 2025
Question 1

Which of the following is the best use case for configuring a Multi-KPI Alert?

  • A. Comparing content between two notable events.
  • B. Using machine learning to evaluate when data falls outside of an expected pattern.
  • C. Comparing anomaly detection between two KPIs.
  • D. Raising an alert when one or more KPIs indicate an outage is occurring.
Answer:

D


Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA
A multi-KPI alert is a type of correlation search that is based on defined trigger conditions for two or
more KPIs. When the trigger conditions occur simultaneously for each KPI, the search generates a
notable event. For example, you might create a multi-KPI alert based on two common KPIs: CPU load
percent and web requests. A sudden simultaneous spike in both the CPU load percent and web request
KPIs might indicate a DDoS (Distributed Denial of Service) attack. Multi-KPI alerts can bring such
trending behaviors to your attention early, so that you can take action to minimize any impact on
performance. Multi-KPI alerts are useful for correlating the status of multiple KPIs across multiple
services. They help you identify causal relationships, investigate root cause, and provide insights into
behaviors across your infrastructure. The best use case for configuring a multi-KPI alert is therefore to
raise an alert when the correlated KPIs indicate an outage is occurring, such as when the service health
score drops below a certain threshold at the same time as other KPIs reach critical severity. Option B
describes anomaly detection and adaptive thresholding, which are configured per KPI rather than as a
correlation across KPIs. Reference: Create multi-KPI alerts in ITSI

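As an added illustration of the "simultaneous trigger" rule described above (this is example code written for this page, not ITSI's correlation search implementation), the following Python evaluates two KPI streams window by window and produces a notable event only where every trigger fires in the same window. The KPI names, thresholds, and sample values are constructed.

```python
"""Toy model of an ITSI multi-KPI alert: a notable event is generated only
for evaluation windows in which the trigger condition of every KPI is met at
the same time. Constructed example; not ITSI's own correlation-search code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    """One KPI trigger condition, e.g. cpu_load_pct > 90."""
    kpi: str
    op: str          # ">" or "<"
    value: float


def _met(trigger: Trigger, observed: float) -> bool:
    if trigger.op == ">":
        return observed > trigger.value
    if trigger.op == "<":
        return observed < trigger.value
    raise ValueError(f"unsupported operator {trigger.op!r}")


def evaluate_multi_kpi_alert(samples, triggers, service="web_tier"):
    """samples: {window_index: {kpi_name: value}} in evaluation order.
    Returns one notable event per window in which *all* triggers fire;
    windows where only some KPIs breach produce nothing."""
    notables = []
    for window in sorted(samples):
        values = samples[window]
        if all(t.kpi in values and _met(t, values[t.kpi]) for t in triggers):
            notables.append({
                "window": window,
                "service": service,
                "kpis": {t.kpi: values[t.kpi] for t in triggers},
            })
    return notables


# Constructed sample: five one-minute windows of CPU load percent and web
# requests per minute for one service.
SAMPLES = {
    0: {"cpu_load_pct": 35, "web_requests": 1200},
    1: {"cpu_load_pct": 92, "web_requests": 1100},    # CPU alone: no notable
    2: {"cpu_load_pct": 40, "web_requests": 9800},    # requests alone: no notable
    3: {"cpu_load_pct": 95, "web_requests": 9900},    # both breach: notable
    4: {"cpu_load_pct": 97, "web_requests": 10400},   # both breach: notable
}
TRIGGERS = [Trigger("cpu_load_pct", ">", 90), Trigger("web_requests", ">", 8000)]

if __name__ == "__main__":
    for notable in evaluate_multi_kpi_alert(SAMPLES, TRIGGERS):
        print(notable)
```

Windows 1 and 2 each breach only one KPI and produce nothing; that is the distinction between a multi-KPI alert and a per-KPI threshold alert.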
Question 2

In distributed search, which components need to be installed on instances other than the search
head?

  • A. SA-IndexCreation and SA-ITSI-Licensechecker on indexers.
  • B. SA-IndexCreation and SA-ITOA on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • C. SA-IndexCreation on indexers; SA-ITSI-Licensechecker and SA-UserAccess on the license master.
  • D. SA-ITSI-Licensechecker on indexers.
Answer:

C


Explanation:
SA-IndexCreation is required on all indexers. For non-clustered, distributed environments, copy
SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers. Install SA-ITSI-Licensechecker
and SA-UserAccess on any license master in a distributed or search head cluster environment.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD
In distributed search, the only ITSI component that belongs on the indexers is SA-IndexCreation, the
add-on that creates the indexes ITSI requires, such as itsi_summary and itsi_tracked_alerts; it goes on
the indexers because they handle data ingestion and storage. SA-ITSI-Licensechecker, which monitors
ITSI license usage and generates alerts when the license limit is exceeded or about to expire, and
SA-UserAccess belong on the license master; if a search head is also the license master, they are
installed along with ITSI on that search head. Option A is wrong because the license checker does not
run on indexers, and option B is wrong because SA-ITOA is a search head component bundled with the
ITSI app and has no role on indexers. Reference: Install IT Service Intelligence in a distributed
environment

Question 3

When deploying ITSI on a distributed Splunk installation, which component must be installed on the
search head(s)?

  • A. SA-ITOA
  • B. ITSI app
  • C. All ITSI components
  • D. SA-ITSI-Licensechecker
Answer:

B


Explanation:
Install SA-ITSI-Licensechecker and SA-UserAccess on any license master in a distributed or search
head cluster environment. If a search head in your environment is also a license master, the license
master components are installed when you install ITSI on the search heads.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Install/InstallDD
When deploying ITSI on a distributed Splunk installation, the component that must be installed on
the search head(s) is the ITSI app. The ITSI app contains the main features and functionality of ITSI,
such as service creation and management, KPI configuration, glass table creation and editing,
episode review, deep dives, and so on. The ITSI installation package also bundles supporting add-ons
that are installed on the search head with it, such as SA-ITOA (IT Operations Analytics),
SA-UserAccess (user access management), and SA-Utils (utility functions). The ITSI app must be
installed on the search head(s) because it handles the search management and presentation functions
for ITSI. SA-ITOA on its own (option A) does not provide the ITSI user interface, and
SA-ITSI-Licensechecker (option D) belongs on the license master rather than the search head.
Reference: Install IT Service Intelligence in a distributed environment

Question 4

Which of the following describes entities? (Choose all that apply.)

  • A. Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or mac address.
  • B. An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
  • C. Multiple entities can share the same alias value, but must have different role values.
  • D. To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
Answer:

BD


Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter
Entities are IT components that require management to deliver an IT service. Each entity has specific
attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields
and informational fields that ITSI associates with indexed events. Some statements that describe
entities are:
B) An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or
filtering can be used to limit data to a specific service. An abstract entity is an entity that does not
represent a physical host or device, but rather a logical grouping of data sources. For example, you
can create an abstract entity for each business unit in your organization and use it to split by for a KPI
that measures revenue or customer satisfaction. However, you cannot use entity rules or filtering to
limit data to a specific service based on abstract entities, because they do not have alias fields that
match indexed events.
D) To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities
in Service”. This option allows you to filter the data sources for a KPI by the entities that are assigned
to the service. For example, if you have a service for web servers and you want to monitor the CPU
load percent for each web server entity, you can select this option to ensure that only the events
from those entities are used for the KPI calculation.
Reference: Overview of entity integrations in ITSI; Create KPI base searches in ITSI

Question 5

Which of the following describes a realistic troubleshooting workflow in ITSI?

  • A. Correlation Search –> Deep Dive –> Notable Event
  • B. Service Analyzer –> Notable Event Review –> Deep Dive
  • C. Service Analyzer –> Aggregation Policy –> Deep Dive
  • D. Correlation search –> KPI –> Aggregation Policy
Answer:

B


Explanation:
A realistic troubleshooting workflow in ITSI is:
B) Service Analyzer –> Notable Event Review –> Deep Dive
An operator starts in the Service Analyzer to see which services and KPIs are degraded, moves to
Notable Event Review (called Episode Review in current ITSI versions) to investigate and manage the
notable events and episodes that ITSI generated for those services, and then opens a Deep Dive to
analyze the historical trends and anomalies of the affected KPIs and metrics.
The other workflows are not realistic because correlation searches, aggregation policies, and KPI
definitions are configuration objects: they produce the notable events, episodes, and KPI values that
an operator investigates, and are not steps in the investigation itself. Option A also lists its steps out
of order, since a correlation search produces the notable event before anyone drills into a deep dive.
Reference: Service Analyzer dashboard in ITSI; Overview of Episode Review in ITSI; Overview of deep
dives in ITSI

Question 6

Which of the following accurately describes base searches used for KPIs in a service?

  • A. Base searches can be used for multiple services.
  • B. A base search can only be used by its service and all dependent services.
  • C. All the metrics in a base search are used by one service.
  • D. All the KPIs in a service use the same base search.
Answer:

A


Explanation:
KPI base searches let you share a search definition across multiple KPIs in IT Service Intelligence
(ITSI). Create base searches to consolidate multiple similar KPIs, reduce search load, and improve
search performance.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch
A base search is a search definition that can be shared across multiple KPIs that use the same data
source. Base searches can improve search performance and reduce search load by consolidating
multiple similar KPIs. The statement that accurately describes base searches used for KPIs in a
service is:
A) Base searches can be used for multiple services. This means that you can create a base search for
a service and use it for other services that have similar data sources and KPIs. For example, if you
have multiple services that monitor web server performance, you can create a base search that
queries the web server logs and use it for all the services that need to calculate KPIs based on those
logs.

Question 7

Which scenario would benefit most by implementing ITSI?

  • A. Monitoring of business services functionality.
  • B. Monitoring of system hardware.
  • C. Monitoring of system process statuses
  • D. Monitoring of retail sales metrics.
Answer:

A


Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/AboutSI
Splunk IT Service Intelligence (ITSI) is a monitoring and analytics solution that uses artificial
intelligence and machine learning to provide insights into the health and performance of IT services.
ITSI lets you create services that represent the critical components of your IT infrastructure, such as
applications, databases, servers, networks, and so on. You can then monitor the status and
performance of these services using key performance indicators (KPIs), which are metrics that
measure aspects of service health, such as availability, latency, error rate, and so on. ITSI also
provides tools for visualizing, investigating, and alerting on service issues, such as service analyzers,
glass tables, deep dives, episode review, and so on. The scenario that would benefit most by
implementing ITSI is monitoring of business service functionality, because ITSI enables you to
measure and improve the quality and reliability of your IT services and align them with your business
objectives. Reference: What is Splunk IT Service Intelligence?

Question 8

ITSI Saved Search Scheduling is configured to use realtime_schedule = 0. Which statement is accurate
about this configuration?

  • A. If this value is set to 0, the scheduler bases its determination of the next scheduled search execution time on the current time.
  • B. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time.
  • C. If this value is set to 0, the scheduler may skip scheduled execution periods.
  • D. If this value is set to 0, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.
Answer:

B


Explanation:
realtime_schedule is a setting in savedsearches.conf that controls how the Splunk scheduler
computes the next execution time of a scheduled search, including the searches ITSI schedules to
populate KPI values and the itsi_summary index. The statement that is accurate about this
configuration is:
B) If this value is set to 0, the scheduler bases its determination of the next scheduled search on the
last search execution time. This is called continuous scheduling. With the value 0, the scheduler
never skips scheduled execution periods; instead, the execution of the saved search might fall behind
depending on the scheduler's load. Use continuous scheduling whenever you enable the summary
index option, so that every interval is summarized and no gaps appear in the summary data.
The other statements are not accurate because they describe real-time scheduling, which is what
happens when the value is set to 1, not 0:
A) With the value 1, the scheduler bases the next execution time on the current time.
C) With the value 1, the scheduler may skip scheduled execution periods.
D) With the value 1, the scheduler might skip some execution periods to make sure that it is running
the searches over the most recent time range.
Reference: Create KPI base searches in ITSI; realtime_schedule in savedsearches.conf

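The difference between the two modes is easiest to see when a run overruns its period. The following Python is an added model written for this page (not Splunk's scheduler code) of the documented behaviour: one busy slot, a 60-second period, and a first run that takes 150 seconds. The run durations and horizon are constructed.

```python
"""Model of the two savedsearches.conf scheduling modes selected by
realtime_schedule, for a search that runs every `period` seconds on a
scheduler with a single busy slot. Constructed model of the documented
behaviour, not Splunk's scheduler code."""


def simulate(period, run_durations, realtime_schedule, horizon, default_duration=10):
    """Return (runs, skipped): runs is a list of (scheduled_time, dispatched_at)
    pairs and skipped counts scheduled periods that never executed.
    run_durations gives how long each successive run occupies the slot;
    later runs fall back to default_duration. All times are in seconds."""
    runs, skipped = [], 0
    now, next_sched = 0, 0
    durations = iter(run_durations)
    while next_sched < horizon:
        dispatched_at = max(now, next_sched)        # wait if the slot is busy
        runs.append((next_sched, dispatched_at))
        now = dispatched_at + next(durations, default_duration)
        if realtime_schedule == 1:
            # Real-time scheduling: the next run is the first period boundary
            # after the current time, so every boundary that passed while the
            # slot was busy is skipped. (A boundary coinciding exactly with the
            # end of a run is treated as already passed in this model.)
            following = (now // period + 1) * period
            skipped += (following - next_sched) // period - 1
            next_sched = following
        else:
            # Continuous scheduling (realtime_schedule = 0): the next run is
            # always the last scheduled time plus one period, so nothing is
            # skipped; the search simply runs late until it catches up.
            next_sched += period
    return runs, skipped


if __name__ == "__main__":
    # A 150-second first run on a 60-second schedule, observed for 5 minutes.
    for mode in (0, 1):
        runs, skipped = simulate(60, [150], mode, 300)
        print(f"realtime_schedule={mode}: ran {len(runs)} times, "
              f"skipped {skipped}, (scheduled, dispatched)={runs}")
```

With realtime_schedule = 0 all five periods run (the 60 s and 120 s runs are dispatched late, at 150 s and 160 s), which is what a summary index needs; with realtime_schedule = 1 the 60 s and 120 s periods are skipped and only three runs happen.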
Question 9

What effects does the KPI importance weight of 11 have on the overall health score of a service?

  • A. At least 10% of the KPIs will go critical.
  • B. Importance weight is unused for health scoring.
  • C. The service will go critical.
  • D. It is a minimum health indicator KPI.
Answer:

D


Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIImportance
The KPI importance weight controls how much a KPI contributes to the health score of its service.
Importance values range from 0 to 11. A KPI with an importance of 0 is excluded from health scoring
entirely, and values from 1 to 10 weight the KPI's contribution relative to the other KPIs in the
service. The value 11 is reserved: ITSI considers a KPI with an importance of 11 to be a minimum
health indicator, which means that if that KPI's severity becomes critical, the service health score
becomes critical regardless of the importance or status of the other KPIs in the service. The
statement that applies to an importance weight of 11 is therefore:
D) It is a minimum health indicator KPI.
The other statements do not apply because:
A) At least 10% of the KPIs will go critical. Importance weights affect how a KPI contributes to the
service health score; they never change the severity of any KPI.
B) Importance weight is unused for health scoring. That describes an importance of 0, not 11.
C) The service will go critical. Only if the importance-11 KPI is itself critical; while that KPI is
healthy it does not force the service critical.
Reference: Set KPI importance values in ITSI

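The three rules above (0 excluded, 1 to 10 weighted, 11 as a minimum health indicator) are shown in the following Python, which is an added example for this page and not ITSI's health score implementation: the handling of importance 0 and 11 follows the documentation, while the severity-to-score mapping and the weighted average are assumptions made for the example. KPI names and severities are constructed.

```python
"""Simplified model of how KPI importance weights feed a service health score.
The rules for importance 0 (excluded) and 11 (minimum health indicator)
follow the ITSI documentation; the severity-to-score mapping and the weighted
average are assumptions made for this example, not ITSI's documented formula."""

# Assumed contribution of each KPI severity to a 0-100 score (constructed).
SEVERITY_SCORE = {"normal": 100, "low": 80, "medium": 60, "high": 30, "critical": 0}
MIN_HEALTH_INDICATOR = 11   # documented: importance 11 = minimum health indicator


def health_score(kpis):
    """kpis: list of (name, importance, severity) with importance in 0..11.
    Returns (score, reason) where score is an int from 0 (critical) to 100."""
    for name, importance, severity in kpis:
        if not 0 <= importance <= MIN_HEALTH_INDICATOR:
            raise ValueError(f"{name}: importance {importance} outside 0-11")
        if severity not in SEVERITY_SCORE:
            raise ValueError(f"{name}: unknown severity {severity!r}")

    # Rule 1: a critical minimum-health-indicator KPI makes the service
    # critical regardless of every other KPI.
    for name, importance, severity in kpis:
        if importance == MIN_HEALTH_INDICATOR and severity == "critical":
            return 0, f"{name} is a minimum health indicator and is critical"

    # Rule 2: importance 0 means the KPI is unused for health scoring.
    scored = [(imp, SEVERITY_SCORE[sev]) for _, imp, sev in kpis if imp > 0]
    if not scored:
        return 100, "no KPI contributes to health scoring"

    # Rule 3 (assumed): importance-weighted average of the remaining KPIs.
    total_weight = sum(imp for imp, _ in scored)
    score = sum(imp * s for imp, s in scored) / total_weight
    return round(score), "importance-weighted average"


if __name__ == "__main__":
    print(health_score([("cpu_load", 5, "normal"), ("memory", 5, "critical")]))
    print(health_score([("db_reachable", 11, "critical"), ("cpu_load", 10, "normal")]))
```

Note that an importance of 12 is rejected outright: the valid range ends at 11, and 11 is a reserved meaning rather than simply "a little more than 10".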
Question 10

Which of the following is an advantage of using adaptive time thresholds?

  • A. Automatically update thresholds daily to manage dynamic changes to KPI values.
  • B. Automatically adjust KPI calculation to manage dynamic event data.
  • C. Automatically adjust aggregation policy grouping to manage escalating severity.
  • D. Automatically adjust correlation search thresholds to adjust sensitivity over time.
Answer:

A


Explanation:
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/TimePolicies
Adaptive thresholds are thresholds calculated by machine learning algorithms that dynamically
adapt and change based on the KPI’s observed behavior. Adaptive thresholds are useful for
monitoring KPIs that have unpredictable or seasonal patterns that are difficult to capture with static
thresholds. For example, you might use adaptive thresholds for a KPI that measures web traffic
volume, which can vary depending on factors such as holidays, promotions, events, and so on. The
advantage of using adaptive thresholds is:
A) Automatically update thresholds daily to manage dynamic changes to KPI values. This is true
because adaptive thresholds use historical data from a training window to generate threshold values
for each time block in a threshold template. Each night at midnight, ITSI recalculates adaptive
threshold values for a KPI by organizing the data from the training window into distinct buckets and
then analyzing each bucket separately. This way, the thresholds reflect the most recent changes in
the KPI data and account for any anomalies or trends.
The other options are not advantages of using adaptive thresholds because:
B) Automatically adjust KPI calculation to manage dynamic event data. This is not true because
adaptive thresholds do not affect the KPI calculation, which is based on the base search and the
aggregation method. Adaptive thresholds only affect the threshold values that are used to determine
the KPI severity level.
C) Automatically adjust aggregation policy grouping to manage escalating severity. This is not true
because adaptive thresholds do not affect the aggregation policy, which is a set of rules that
determines how to group notable events into episodes. Adaptive thresholds only affect the threshold
values that are used to generate notable events based on KPI severity level.
D) Automatically adjust correlation search thresholds to adjust sensitivity over time. This is not true
because adaptive thresholds do not affect the correlation search, which is a search that looks for
relationships between data points and generates notable events. Adaptive thresholds only affect the
threshold values that are used by KPIs, which can be used as inputs for correlation searches.
Reference: Create adaptive KPI thresholds in ITSI

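The bucketing step described in the explanation (organize the training window into time blocks, then derive thresholds from each block's own distribution) is shown in the following Python, which is an added example for this page and not ITSI's adaptive threshold code. It uses hour of day as the time block and a standard deviation policy, which is one of the algorithms ITSI offers; the sigma multipliers, the seven-day training data, and the traffic profile are constructed. Re-running adaptive_thresholds over a sliding window is the equivalent of ITSI's nightly recalculation.

```python
"""Toy adaptive thresholds: split a training window into time blocks (here
hour of day) and derive severity thresholds per block from that block's own
distribution. Constructed data; the implementation is this example's own."""
from collections import defaultdict
from statistics import mean, pstdev


def adaptive_thresholds(samples, block_of, sigma=(1.0, 2.0, 3.0)):
    """samples: iterable of (timestamp_seconds, value). block_of maps a
    timestamp to its time-block key. Returns {block: {severity: threshold}}
    using mean + k * stdev of the values that fell in that block."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[block_of(ts)].append(value)
    thresholds = {}
    for block, values in buckets.items():
        mu, sd = mean(values), pstdev(values)
        thresholds[block] = {
            "medium": mu + sigma[0] * sd,
            "high": mu + sigma[1] * sd,
            "critical": mu + sigma[2] * sd,
        }
    return thresholds


def severity(value, block_thresholds):
    """Map one observed KPI value to a severity using its block's thresholds."""
    for level in ("critical", "high", "medium"):
        if value >= block_thresholds[level]:
            return level
    return "normal"


def hour_of_day(ts):
    return (ts // 3600) % 24


def make_training_window(days=7):
    """Constructed hourly web-traffic samples: about 100 req/s at night and
    about 1000 req/s during business hours, with small deterministic jitter
    so every bucket has a non-zero spread."""
    samples = []
    for d in range(days):
        for h in range(24):
            base = 1000 if 9 <= h < 18 else 100
            jitter = ((d * 7 + h) % 5) * 10          # 0, 10, ..., 40
            samples.append((d * 86400 + h * 3600, base + jitter))
    return samples


if __name__ == "__main__":
    th = adaptive_thresholds(make_training_window(), hour_of_day)
    for hour, value in ((3, 600), (12, 600), (12, 1200)):
        print(f"{hour:02d}:00 value={value} -> {severity(value, th[hour])}")
```

The same value, 600 req/s, is critical at 03:00 and normal at 12:00: that per-block behaviour is what a single static threshold cannot express.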
Page 1 out of 8
Viewing questions 1-10 out of 90