
QUESTION 6

Which of the following describes entities? (Choose all that apply.)

Correct Answer: BD
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter
Entities are IT components that require management to deliver an IT service. Each entity has specific attributes and relationships to other IT processes that uniquely identify it. Entities contain alias fields and informational fields that ITSI associates with indexed events. Some statements that describe entities are:
* B. An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service. An abstract entity is an entity that does not represent a physical host or device, but rather a logical grouping of data sources. For example, you can create an abstract entity for each business unit in your organization and use it to split by for a KPI that measures revenue or customer satisfaction. However, you cannot use entity rules or filtering to limit data to a specific service based on abstract entities, because they do not have alias fields that match indexed events.
* D. To automatically restrict the KPI to only the entities in a particular service, select "Filter to Entities in Service". This option allows you to filter the data sources for a KPI by the entities that are assigned to the service. For example, if you have a service for web servers and you want to monitor the CPU load percent for each web server entity, you can select this option to ensure that only the events from those entities are used for the KPI calculation.
References: Overview of entity integrations in ITSI, [Create KPI base searches in ITSI]

QUESTION 7

What is the default importance value for dependent services' health scores?

Correct Answer: D
By default, impacting service health scores have an importance value of 11.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/Dependencies
A service template is a predefined set of KPIs and entity rules that you can apply to a service or a group of services. A service template helps you standardize the configuration and monitoring of similar services across your IT environment. A service template can also include dependent services, which are services that are required for another service to function properly. For example, a web server service might depend on a database service and a network service. The default importance value for dependent services' health scores is:
* D. 10. This is true because the importance value indicates how much a dependent service contributes to the health score of the parent service. The default value is 10, which means that the dependent service has the highest impact on the parent service's health score. You can change the importance value of a dependent service in the service template settings.
The other options are not correct because:
* A. 11. This is not true because 11 is an invalid value for importance. The valid range is from 1 (lowest) to 10 (highest).
* B. 1. This is not true because 1 is the lowest value for importance, not the default value. A value of 1 means that the dependent service has the lowest impact on the parent service's health score.
* C. Unassigned. This is not true because every dependent service has an assigned importance value, which defaults to 10.
References: Create and manage service templates in ITSI, Set KPI importance values in ITSI

QUESTION 8

Which of the following is a characteristic of notable event groups?

Correct Answer: A
In Splunk IT Service Intelligence (ITSI), notable event groups are used to logically group related notable events, which enhances the manageability and analysis of events:
A. Notable event groups combine independent notable events: This characteristic allows for the aggregation of related events into a single group, making it easier for users to manage and investigate related issues. By grouping events, users can focus on the broader context of an issue rather than getting lost in the details of individual events.
While notable event groups play a critical role in organizing and managing events in ITSI, they do not inherently allow users to adjust threshold settings, which is typically handled at the KPI or service level. Additionally, while notable event groups are utilized within the ITSI framework, the statement that they are created in the 'itsi_tracked_alerts' index might not fully capture the complexity of how event groups are managed and stored within the ITSI architecture.

QUESTION 9

Which of the following is a good use case for creating a custom module?

Correct Answer: C
Creating a custom module in Splunk IT Service Intelligence (ITSI) is particularly beneficial for the purpose of migrating KPI base searches and related visualizations to other ITSI installations. Custom modules can encapsulate a set of configurations, searches, and visualizations that are tailored to specific monitoring needs or environments. By packaging these elements into a module, it becomes easier to transfer, deploy, and maintain consistency across different ITSI instances. This modularity supports the reuse of developed components, simplifying the process of scaling and replicating monitoring setups in diverse operational contexts. The ability to migrate these components seamlessly enhances operational efficiency and ensures that best practices and custom configurations can be shared across an organization's ITSI deployments.

QUESTION 10

Which of the following items apply to anomaly detection? (Choose all that apply.)

Correct Answer: BC
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/AD
Anomaly detection is a feature of ITSI that uses machine learning to detect when KPI data deviates from a normal pattern. The following items apply to anomaly detection:
* B. A minimum of 24 hours of data is needed for anomaly detection, and a minimum of 4 entities for cohesive analysis. This ensures that there is enough data to establish a baseline pattern and compare different entities within a service.
* C. Anomaly detection automatically generates notable events when KPI data diverges from the pattern. You can configure the sensitivity and severity of the anomaly detection alerts and assign them to episodes or teams. References: [Anomaly Detection]