Which of the following are characteristics of service templates? (select all that apply)

1. A. Service templates can be modified after services are instantiated from it.
2. B. Service templates contain KPIs and KPI thresholds.
3. C. Service templates can contain specific or generic entity rules.
4. D. Service templates contain domain specific dashboards and deep dives.

Correct Answer: BC
Service templates in Splunk IT Service Intelligence (ITSI) are designed to streamline the creation of services by providing pre-defined configurations:
* B.Service templates contain KPIs and KPI thresholds:This allows for the standardized deployment of services with predefined performance indicators and their associated thresholds, ensuring consistency across similar services.
* C.Service templates can contain specific or generic entity rules:These rules define how entities are associated with services created from the template, allowing for both broad and targeted applicability.
While service templates contain configurations for KPIs, thresholds, and entity rules, the ability to modify templates after services have been instantiated from them is limited. Changes to a template do not retroactively affect services already created from that template. Moreover, service templates do not inherently contain domain-specific dashboards or deep dives; these are created separately within ITSI.

What are valid ITSI Glass Table editor capabilities? (Choose all that apply.)

1. A. Creating glass tables.
2. B. Correlation search creation.
3. C. Service swapping configuration.
4. D. Adding KPI metric lanes to glass tables.

Correct Answer: ACD
Create a glass table to visualize and monitor the interrelationships and dependencies across your IT and business services.
The service swapping settings are saved and apply the next time you open the glass table. You can add metrics like KPIs, ad hoc searches, and service health scores that update in real time against a background that you design. Glass tables show real-time data generated by KPIs and services.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/GTOverview
The glass table editor is a tool that allows you to create and edit glass tables in ITSI. Some of the capabilities of the glass table editor are:
Creating glass tables from scratch or from existing templates.
Configuring service swapping on widgets to toggle displaying metrics from different services.
Adding KPI metric lanes to glass tables to show historical trends of KPI values.
The glass table editor does not support correlation search creation, which is a separate feature in ITSI that allows you to create searches that look for relationships between data points and generate notable events. References: Overview of the glass table editor in ITSI,
[Configure service swapping on glass tables], [Add KPI metric lanes to glass tables], [Overview of correlation searches in ITSI]

In maintenance mode, which features of KPIs still function?

1. A. KPI searches will execute but will be buffered until the maintenance window is over.
2. B. KPI searches still run during maintenance mode, but results go to itsi_maintenance_summary index.
3. C. New KPIs can be created, but existing KPIs are locked.
4. D. KPI calculations and threshold settings can be modified.

Correct Answer: A
It's a best practice to schedule maintenance windows with a 15- to 30-minute time buffer before and after you start and stop your maintenance work. This gives the system an opportunity to catch up with the maintenance state and reduces the chances of ITSI generating false positives during maintenance operations.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/Configure/AboutMW
A is the correct answer because KPI searches still run during maintenance mode, but the results are buffered until the maintenance window is over. This means that no alerts are triggered during maintenance mode, but once it ends, the buffered results are processed and alerts are generated if necessary. You cannot create new KPIs or modify existing KPIs during maintenance mode. References: [Overview of maintenance windows in ITSI]

Which of the following are deployment recommendations for ITSI? (Choose all that apply.)

1. A. Deployments often require an increase of hardware resources above base Splunk requirements.
2. B. Deployments require a dedicated ITSI search head.
3. C. Deployments may increase the number of required indexers based on the number of KPI searches.
4. D. Deployments should use fastest possible disk arrays for indexers.

Correct Answer: ABC
You might need to increase the hardware specifications of your own Enterprise Security
deployment above the minimum hardware requirements depending on your environment. Install Splunk Enterprise Security on a dedicated search head or search head cluster.
The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.
Reference: https://docs.splunk.com/Documentation/ES/latest/Install/DeploymentPlanning
A, B, and C are correct answers because ITSI deployments often require more hardware resources than base Splunk requirements due to the high volume of data ingestion and processing. ITSI deployments also require a dedicated search head that runs the ITSI app and handles all ITSI-related searches and dashboards. ITSI deployments may also increase the number of required indexers based on the number and frequency of KPI searches, which can generate a large amount of summary data. References: ITSI deployment overview, ITSI deployment planning

What is an episode?

1. A. A workflow task.
2. B. A deep dive.
3. C. A notable event group.
4. D. A notable event.

Correct Answer: C
It's a deduplicated group of notable events occurring as part of a larger sequence, or an incident or period considered in isolation.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/EpisodeOverview
An episode is a deduplicated group of notable events occurring as part of a larger sequence, or an incident or period considered in isolation. An episode helps you reduce alert noise and focus on the most important issues affecting your IT services. An episode is created by an aggregation policy, which is a set of rules that determines how to group notable events based on certain criteria, such as severity, source, title, and so on. You can use episode review to view, manage, and resolve episodes in ITSI. The statement that defines an episode is:
* C. A notable event group. This is true because an episode is composed of one or more notable events that are related by some common factor.
The other options are not definitions of an episode because:
* A. A workflow task. This is not true because a workflow task is an action that you can perform on an episode, such as assigning an owner, changing the status, adding comments, and so on.
* B. A deep dive. This is not true because a deep dive is a dashboard that allows you to analyze the historical trends and anomalies of your KPIs and metrics in ITSI.
* D. A notable event. This is not true because a notable event is an alert generated by ITSI based on certain conditions or correlations, not a group of alerts.
References: [Overview of Episode Review in ITSI], [Overview of aggregation policies in ITSI]