Free Splunk SPLK-3002 Exam Dumps

B is the correct answer because ITSI episodes are stored in the itsi_grouped_alerts index. This index contains notable events that have been grouped together based on predefined aggregation policies. Episodes help you reduce alert noise and focus on resolving incidents faster. Reference: [Overview of episodes in ITSI]

In a distributed Splunk Enterprise deployment running Splunk IT Service Intelligence (ITSI), the SA IndexCreation app is responsible for creating the necessary custom indexes (such as itsi_summary, itsi_notable, etc.) that ITSI uses to store metrics and notable events. These indexes must exist on the indexer layer because indexers are the only Splunk instance type that can actually host and write indexed data. Therefore, SA IndexCreation is installed on all indexers in the deployment to ensure that the index definitions are present wherever indexed data is stored. Meanwhile, the main ITSI app (which contains the UI, KPI scheduling, service modeling, analytics, and anomaly detection) is installed on search heads since search heads orchestrate searches across the distributed environment and provide ITSI's interactive features. Universal forwarders and heavy forwarders are not appropriate targets for SA IndexCreation because forwarders do not host writable index locations for ITSI summary and notable event indexes. Thus, the correct installation pattern for SA IndexCreation in a distributed environment is on both the indexers and search heads, enabling proper index definition and search functionality across the deployment.