Splunk SPLK-3002 - Splunk IT Service Intelligence Certified Admin Exam

SA-IndexCreation is required on all indexers. For non-clustered, distributed environments, copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on individual indexers.

To utilize Adaptive Thresholding in Splunk IT Service Intelligence (ITSI), the minimum requirement for a set of Key Performance Indicator (KPI) data is that it must be at least 7 days old. Adaptive Thresholding uses historical data to dynamically adjust thresholds based on observed patterns and trends. Having a minimum of 7 days worth of data allows the system to analyze a sufficient amount of information to identify normal ranges and variances in KPI behavior, thereby setting more accurate and contextually relevant thresholds. This requirement ensures that the adaptive thresholds are based on a meaningful data set that reflects the typical operational conditions of the monitored services.

A KPI lane is a type of deep dive swim lane that does not require writing SPL. You can simply select a service and a KPI from a drop-down list and ITSI will automatically populate the lane with the corresponding data. You can also adjust the threshold settings and time range for the KPI lane. References: [KPI Lanes]

In Splunk ITSI, swim lane overlays depend on a KPI beingsplit by entityso that each entity’s individual time series can be displayed separately in the Deep Dive view. When a KPI is aggregated without an entity split, it produces asingle time seriesvalue at each timestamp representing the entire group (in this case, the average CPU across all web servers). Because that KPI does not contain per‑entity values, ITSI has nothing to overlay — therefore no entity overlays appear in the Lane Overlay Options. This configuration mistake often happens when a KPI is defined to average values across sources without specifying an entity dimension on which to split results. Entity filtering is a separate feature that enables restricting which entities are considered in display or analytics and does not control availability of swim lane overlays; pseudo‑entities are artificial names that do not reflect actual system identities and are not relevant to this error; and having only three entities versus four would not prevent overlays from appearing if the KPI were correctly split by entity. The correct fix is to edit the KPI definition and configure it tosplit the metric results by the server entity field, such that each server has its own time series. This then enables Fritz to overlay the individual server CPU graphs on the swim lane as intended.

You might need to increase the hardware specifications of your own Enterprise Security deployment above the minimum hardware requirements depending on your environment.

Install Splunk Enterprise Security on a dedicated search head or search head cluster.

The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.

Create a glass table to visualize and monitor the interrelationships and dependencies across your IT and business services.

The service swapping settings are saved and apply the next time you open the glass table.

You can add metrics like KPIs, ad hoc searches, and service health scores that update in real time against a background that you design. Glass tables show real-time data generated by KPIs and services.

Copy SA-IndexCreation to $SPLUNK_HOME/etc/apps/ on all individual indexers in your environment.

Service templates in Splunk IT Service Intelligence (ITSI) are designed to streamline the creation of services by providing pre-defined configurations:

B.Service templates contain KPIs and KPI thresholds:This allows for the standardized deployment of services with predefined performance indicators and their associated thresholds, ensuring consistency across similar services.

C.Service templates can contain specific or generic entity rules:These rules define how entities are associated with services created from the template, allowing for both broad and targeted applicability.

While service templates contain configurations for KPIs, thresholds, and entity rules, the ability to modify templates after services have been instantiated from them is limited. Changes to a template do not retroactively affect services already created from that template. Moreover, service templates do not inherently contain domain-specific dashboards or deep dives; these are created separately within ITSI.