Which of the following is an advantage of an adaptive time threshold?

1. A. Automatically alerting when KPI value patterns change over time.
2. B. Automatically adjusting thresholds as normal KPI values change over time.
3. C. Automatically adjusting to holiday schedules.
4. D. Automatically predicting future degradation of KPI values over time.

Correct Answer: B
An adaptive time threshold in the context of Splunk IT Service Intelligence (ITSI) refers to the capability of dynamically adjusting threshold values for Key Performance Indicators (KPIs) based on historical data trends and patterns. This feature allows thresholds to evolve as the 'normal' behavior of KPIs changes over time, ensuring that alerts remain relevant and reduce the likelihood of false positives or negatives. The advantage of this approach is that it accommodates for natural fluctuations in KPI values that may occur due to changes in business operations, seasonality, or other factors, without requiring manual threshold adjustments. This makes the monitoring system more resilient and responsive to actual conditions, improving the overall effectiveness of IT operations management.

Which of the following is the best use case for configuring a Multi-KPI Alert?

1. A. Comparing content between two notable events.
2. B. Using machine learning to evaluate when data falls outside of an expected pattern.
3. C. Comparing anomaly detection between two KPIs.
4. D. Raising an alert when one or more KPIs indicate an outage is occurring.

Correct Answer: D
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA
A multi-KPI alert is a type of correlation search that is based on defined trigger conditions for two or more KPIs. When trigger conditions occur simultaneously for each KPI, the search generates a notable event. For example, you might create a multi-KPI alert based on twocommon KPIs: CPU load percent and web requests. A sudden simultaneous spike in both CPU load percent and web request KPIs might indicate a DDOS (Distributed Denial of Service) attack. Multi-KPI alerts can bring such trending behaviors to your attention early, so that you can take action to minimize any impact on performance. Multi-KPI alerts are useful for correlating the status of multiple KPIs across multiple services. They help you identify causal relationships, investigate root cause, and provide insights into behaviors across your infrastructure. The best use case for configuring a multi-KPI alert is to raise an alert when one or more KPIs indicate an outage is occurring, such as when the service health score drops below a certain threshold or when multiple KPIs have critical severity
levels. References: Create multi-KPI alerts in ITSI

Which of the following describes enabling smart mode for an aggregation policy?

1. A. Configure –> Policies –> Smart Mode –> Enable, select ??fields??, click ??Save??
2. B. Enable grouping in Notable Event Review, select ??Smart Mode??, select ??fields??, and click ??Save??
3. C. Edit the aggregation policy, enable smart mode, select fields to analyze, click ??Save??
4. D. Edit the notable event view, enable smart mode, select ??fields??, and click ??Save??

Correct Answer: C
* 1. From the ITSI main menu, click Configuration > Notable Event Aggregation Policies.
* 2. Select a custom policy or the Default Policy.
* 3. Under Smart Mode grouping, enable Smart Mode.
* 4. Click Select fields. A dialog displays the fields found in your notable events from the last 24 hours.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/SmartMode
C is the correct answer because smart mode is a feature of aggregation policies that allows ITSI to automatically group notable events based on the fields that have the most impact on the event occurrence. You can enable smart mode for an aggregation policy by editing the policy, selecting the smart mode option, and choosing the fields to analyze. You can also specify a minimum number of events to trigger smart mode and a maximum number of groups to create. References: Configure smart mode for aggregation policies in ITSI

How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for each entity?

1. A. Select ??Yes?? for both ??Split by Entity?? and ??Filter to Entities in Service??.
2. B. Select ??No?? for ??Split by Entity?? and ??Yes?? for ??Filter to Entities in Service??.
3. C. Select ??Yes?? for ??Split by Entity?? and ??No?? for ??Filter to Entities in Service??.
4. D. Select ??No?? for both ??Split by Entity?? and ??Filter to Entities in Service??.

Correct Answer: A

Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch
A is the correct answer because selecting ??Yes?? for both ??Split by Entity?? and ??Filter to Entities in Service?? allows you to automatically restrict a KPI to only the entities in its service and generate KPI values for each entity. Split by Entity splits the KPI search results by entity alias fields and calculates a separate KPI value for each entity. Filter to Entities in Service filters out any entities that are not part of the service from the KPI search results. This way, you can ensure that your KPI reflects only the relevant entities for your service and provides granular information for each entity. References: [Configure KPI settings in ITSI]

Which of the following is a best practice when configuring maintenance windows?

1. A. Disable any glass tables that reference a KPI that is part of an open maintenance window.
2. B. Develop a strategy for configuring a service??s notable event generation when the service??s maintenance window is open.
3. C. Give the maintenance window a buffer, for example, 15 minutes before and after actual maintenance work.
4. D. Change the color of services and entities that are part of an open maintenance window in the service analyzer.

Correct Answer: C
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW
A maintenance window is a period of time when a service or entity is undergoing maintenance operations or does not require active monitoring. It is a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work. This gives the system an opportunity to catch up with the maintenance state and reduces the chances of ITSI generating false positives during maintenance operations. For example, if a server will be shut down for maintenance at 1:00PM and restarted at 5:00PM, the ideal maintenance window is 12:30PM to 5:30PM. The 15- to 30-minute time buffer is a rough estimate based on 15 minutes being the time period over which most KPIs are configured to search data and identify alert triggers. References: Overview of maintenance windows in ITSI