Free Splunk SPLK-3002 Exam Dumps May 2026

B is the correct answer because adaptive thresholding is a feature of ITSI that allows you to dynamically adjust KPI thresholds based on historical patterns and trends. Adaptive thresholding requires a time buffer of at least 15 minutes to calculate the thresholds based on the previous data points. The time buffer ensures that there is enough data to perform the calculations and avoid false positives or negatives. Reference:Configure adaptive thresholding for a KPI in ITSI

An ITSI Glass Table provides a customizable, high-level view that can display a system's topology overlaid with real-time Key Performance Indicator (KPI) metrics and service health scores. This visualization tool allows users to create a visual representation of their IT infrastructure, applications, and services, integrating live data to monitor the health and performance of each component in context. The ability to overlay KPI metrics on the system topology enables IT and business stakeholders to quickly understand the operational status and health of various elements within their environment, facilitating more informed decision-making and rapid response to issues.

B is the correct answer because ITSI episodes are stored in the itsi_grouped_alerts index. This index contains notable events that have been grouped together based on predefined aggregation policies. Episodes help you reduce alert noise and focus on resolving incidents faster. Reference: [Overview of episodes in ITSI]

In a distributed Splunk Enterprise deployment running Splunk IT Service Intelligence (ITSI), the SA IndexCreation app is responsible for creating the necessary custom indexes (such as itsi_summary, itsi_notable, etc.) that ITSI uses to store metrics and notable events. These indexes must exist on the indexer layer because indexers are the only Splunk instance type that can actually host and write indexed data. Therefore, SA IndexCreation is installed on all indexers in the deployment to ensure that the index definitions are present wherever indexed data is stored. Meanwhile, the main ITSI app (which contains the UI, KPI scheduling, service modeling, analytics, and anomaly detection) is installed on search heads since search heads orchestrate searches across the distributed environment and provide ITSI's interactive features. Universal forwarders and heavy forwarders are not appropriate targets for SA IndexCreation because forwarders do not host writable index locations for ITSI summary and notable event indexes. Thus, the correct installation pattern for SA IndexCreation in a distributed environment is on both the indexers and search heads, enabling proper index definition and search functionality across the deployment.