Which of the following is a recommended best practice for ITSI installation?
A. ITSI should not be installed on search heads that have Enterprise Security installed.
B. Before installing ITSI, make sure the Common Information Model (CIM) is installed.
C. Install the Machine Learning Toolkit app if anomaly detection must be configured.
D. Install ITSI on one search head in a search head cluster and migrate the configuration bundle to other search heads.
Explanation:
Splunk explicitly recommends not installing ITSI and Enterprise Security (ES) on the same search head in production environments.
Both apps are resource-intensive (heavy on memory, CPU, and disk I/O).
They have different knowledge object management, role definitions, and macro namespaces that can conflict.
In a search head cluster, they should be installed on separate search head pools or different SHC instances.
Why the other options are incorrect or not best practices:
B. Before installing ITSI, make sure the Common Information Model (CIM) is installed
The CIM is not a prerequisite for ITSI. ITSI works without it, though using CIM can help normalize data. This is not a documented best practice for installation — it’s optional.
C. Install the Machine Learning Toolkit app if anomaly detection must be configured
ITSI includes its own built-in anomaly detection framework (based on its own algorithms, not requiring the Machine Learning Toolkit). MLTK is not required for ITSI anomaly detection, though it can be used if you want custom ML models.
D. Install ITSI on one search head in a search head cluster and migrate the configuration bundle to other search heads
Incorrect and risky. In an SHC, you install ITSI on the deployer, push to all SHC members via the deployer, and the cluster replicates configurations. Manually installing on one search head and “migrating” breaks SHC best practices and can lead to inconsistencies.
Reference:
Splunk ITSI Installation and Configuration Manual — “Do not install ITSI and Enterprise Security on the same search head in production.”
Splunk Search Head Cluster best practices — Apps must be installed via deployer, not manually on individual SHC members.
Splunk ITSI System Requirements — ML Toolkit not required for native anomaly detection.
Helga has a web service that depends on the database service to provide her website. She configures the database’s “Heartbeat” KPI to be a dependency in the web service. When viewing the services in the Service Analyzer tree view she sees a dotted line between the database service and the web service. What is the meaning of the dotted line and how can Helga fix it?
A. The “Heartbeat” KPI is not currently affecting the web service health score. Helga needs to make sure the Heartbeat KPI importance value is set to 0.
B. There is a cyclic dependency between the two services. Helga needs to make sure that database service doesn’t have any erroneous dependencies.
C. There is a cyclic dependency between the two services. Helga needs to add additional dependencies to change the dotted line to a solid line.
D. The “Heartbeat” KPI is not currently affecting the web service health score. Helga needs to make sure the web service KPIs’ importance are all set to 11.
Explanation:
In Splunk ITSI, the Service Analyzer uses visual cues to represent the relationship and health impact between services.
Solid Line
Indicates a healthy, functional dependency where data flows from the child service to the parent service to help calculate the health score.
Dotted Line
This is the specific visual indicator for a Cyclic Dependency. A cyclic dependency occurs when Service A depends on Service B, but Service B also (directly or indirectly) depends on Service A.
ITSI cannot calculate health scores accurately if the logic is circular, as it would create an infinite loop of health score updates. To resolve this, the system "breaks" the loop visually with a dotted line and ignores the impact of the dependency on the health score until the circular logic is removed.
Why the other options are incorrect
❌ Option A: If a KPI importance is set to 0, the KPI does not affect the health score, but this does not result in a dotted line in the tree view. It simply means the KPI is "Informational."
❌ Option C: Adding more dependencies will not fix a cycle; it usually complicates the topology further. To fix a cycle, you must remove the link that completes the loop.
❌ Option D: Setting a KPI’s importance to 11 makes that KPI decisive: if it reaches critical, the service health score goes critical regardless of the other KPIs. It has no effect on whether a dependency line is solid or dotted.
Key Concept: Service Dependencies
When Helga added the database service as a dependency of the web service, ITSI found that the database service already depended on the web service, either directly or through another service in between. That closed the loop, so the new dependency is drawn dotted and contributes nothing to the web service’s health score until the erroneous dependency on the database side is removed.
Exam Note
Always look for the word "Cyclic" when a question mentions dotted lines in the Service Analyzer Tree View. It is a classic Splunk ITSI troubleshooting scenario.
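The check behind option B, written out as an added example (not ITSI’s own code): a depth-first search over a constructed service dependency graph that finds the loop and lists every dependency in it other than the one Helga meant to add, which is exactly the set she needs to review. Service names (web, database, storage) are assumed for the scenario.

```python
"""Find a cyclic service dependency, the condition ITSI's Service Analyzer
tree view marks with a dotted line. Added example, not ITSI's own code.

The dependency graph is a plain dict: service -> services it depends on.
Service names are constructed for the Helga scenario.
"""
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, List[str]]
Edge = Tuple[str, str]

# Constructed topology: 'web' now depends on 'database' (Helga's Heartbeat
# dependency), but 'database' was already depending on 'web' by mistake.
SERVICES: Graph = {
    "web": ["database"],
    "database": ["storage", "web"],
    "storage": [],
}


def find_cycle(deps: Graph) -> Optional[List[str]]:
    """Depth-first search with white/grey/black colouring.

    Returns one cycle as a path that ends on the service it started from,
    e.g. ['database', 'web', 'database'], or None if the graph is acyclic.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in deps}
    for children in deps.values():          # services that are only referenced
        for child in children:
            colour.setdefault(child, WHITE)
    path: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        colour[node] = GREY                  # on the current path
        path.append(node)
        for child in deps.get(node, []):
            if colour[child] == GREY:        # back edge: child is an ancestor
                return path[path.index(child):] + [child]
            if colour[child] == WHITE:
                cycle = visit(child)
                if cycle:
                    return cycle
        path.pop()
        colour[node] = BLACK                 # fully explored, no cycle below
        return None

    for start in sorted(colour):
        if colour[start] == WHITE:
            cycle = visit(start)
            if cycle:
                return cycle
    return None


def edges_in_cycle(cycle: List[str]) -> List[Edge]:
    """Consecutive pairs of the cycle path: the dependencies that form the loop."""
    return list(zip(cycle, cycle[1:]))


def suspect_edges(cycle: List[str], intended: Edge) -> List[Edge]:
    """Every dependency in the loop other than the one the admin meant to add.
    Removing one of these (option B) turns the dotted line solid again."""
    return [edge for edge in edges_in_cycle(cycle) if edge != intended]


if __name__ == "__main__":
    cycle = find_cycle(SERVICES)
    print("cycle:", cycle)
    print("review these dependencies:", suspect_edges(cycle, ("web", "database")))
```

Running it on the constructed topology reports the loop database → web → database and points at the database → web dependency as the one to remove; once it is gone, `find_cycle` returns `None`, which is the state in which ITSI draws a solid line and counts the dependency toward the health score.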
Which of the following are deployment recommendations for ITSI? (Choose all that apply.)
A. Deployments often require an increase of hardware resources above base Splunk requirements.
B. Deployments require a dedicated ITSI search head.
C. Deployments may increase the number of required indexers based on the number of KPI searches.
D. Deployments should use fastest possible disk arrays for indexers.
Explanation:
A, B, and C are correct. ITSI deployments often need hardware above the base Splunk Enterprise minimums, because KPI searches, entity lookups and the KV store add continuous load on top of ordinary indexing and search. ITSI should run on a dedicated search head or search head cluster rather than share one with other heavy apps. Every KPI is a scheduled search, so the number and frequency of KPI searches, and the summary data they write, can push the indexer tier beyond what raw data volume alone would require; more indexers may therefore be needed.
D is not a stated ITSI recommendation: fast storage helps indexers in general, but it is not ITSI-specific sizing guidance.
Reference:
ITSI deployment overview and ITSI deployment planning documentation (dedicated search head; hardware above base Splunk requirements; indexer count scales with KPI search load).
Buttercup Retail sells t-shirts both online and in stores. The IT Operations team is effectively monitoring the digital infrastructure. However, the executive leadership has expressed frustration in understanding what the related business impacts are of IT incidents. Which of the following entities would give Buttercup Retail executives the most impactful visibility?
A. store, product, payment type
B. store, season, customer age
C. host, browser type, software version
D. host, network interface, datacenter
Explanation:
In Splunk IT Service Intelligence, entities represent the business or infrastructure components affected by services and incidents.
The question focuses on helping executive leadership understand business impact, not just technical infrastructure health. Executives care about:
Which stores are affected
Which products are impacted
Which payment types are failing or degraded
These entities directly connect IT issues to:
Revenue impact
Customer experience
Sales operations
So option A provides the strongest business-service visibility.
Why the other options are incorrect
B. store, season, customer age
Some business relevance exists, but:
“season” and “customer age” are not typically operational ITSI entities tied to infrastructure/service monitoring.
They are less actionable for incident response.
C. host, browser type, software version
These are primarily technical entities.
Useful for IT administrators, not executives seeking business impact visibility.
D. host, network interface, datacenter
Entirely infrastructure-focused.
Does not communicate customer or revenue impact effectively.
Key ITSI Concept
A major goal of ITSI is to map technical events to business services and outcomes.
Business-oriented entities such as stores, products, and payment systems allow leadership to answer:
“How much revenue is affected?”
“Which customer channels are impacted?”
“What business capabilities are degraded?”
Which anomaly detection algorithm fulfills the paired monitoring requirement?
A. Detection algorithm: Trending anomaly detection Monitoring requirement: Produce an alert when an entity deviates from its historical behavior.
B. Detection algorithm: Entity cohesion anomaly detection Monitoring requirement: Produce an alert when one entity in the KPI is not behaving similar to other entities in the KPI.
C. Detection algorithm: Trending anomaly detection Monitoring requirement: Produce an alert when one entity in the KPI is not behaving similar to other entities in the KPI.
D. Detection algorithm: Entity cohesion anomaly detection Monitoring requirement: Produce an alert when multiple KPIs in the service deviate from their historical behaviors.
Explanation:
Splunk ITSI uses two primary types of anomaly detection algorithms to identify issues that static thresholds might miss. Understanding the distinction between Entity Cohesion and Trending is vital for the SPLK-3002 exam:
Entity Cohesion Anomaly Detection
How it works: It analyzes a group of entities within a single KPI simultaneously. It looks for "outliers" by comparing each entity's behavior against the collective behavior of the group (the peer group).
Requirement: This is used when you need to know if one entity is behaving differently than the others in the same group.
Data Requirement: This requires a minimum of 4 entities to function effectively.
Trending Anomaly Detection
How it works: It compares a KPI’s current values with that KPI’s own history. A sliding window establishes what is “normal” from past data (for example, today’s CPU usage against the last 24 hours) and flags a significant departure from it.
Requirement: Use it when the question is “is this KPI behaving differently than it used to?”
Why the other options are incorrect
Option A: Trending detection does compare behavior against history, but it operates on the KPI’s aggregate values over time rather than on one entity, so the “entity deviates from its historical behavior” wording is an imprecise pairing. B is the exact match the exam expects.
Option C: Incorrectly pairs Trending with peer-to-peer comparison. Trending is self-comparison over time, not entity-to-entity comparison.
Option D: Incorrectly suggests Entity Cohesion monitors multiple KPIs. Entity Cohesion compares multiple entities within a single KPI.
Exam Reference
Splunk ITSI Documentation: Anomaly detection is configured at the KPI level. Entity Cohesion is specifically designed for environments with multiple similar entities (like a web server farm) where you expect them to act in unison. If one server spikes while others remain low, Cohesion identifies it as an anomaly.
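To make the distinction concrete, here is an added example (not ITSI’s algorithms, which are not published) that implements the two ideas in their simplest statistical form on constructed data: a cohesion check that compares each entity in one KPI against its peers at the same instant using a median/MAD z-score, and a trending check that compares a KPI’s latest window against that KPI’s own history. The 3.0 threshold, the four-entity minimum and the sample CPU values are assumptions for illustration.

```python
"""Toy versions of the two ITSI anomaly detection ideas. Added example; these
are not ITSI's proprietary algorithms, only the shape of data each one looks at.
"""
import statistics
from typing import Dict, List

# Constructed sample data: CPU percent per web server at one instant (one peer
# group in one KPI), and one KPI's aggregate value over twelve past intervals.
ENTITY_CPU = {"web01": 40.0, "web02": 42.0, "web03": 39.0, "web04": 95.0, "web05": 41.0}
HISTORY = [38.0, 41.0, 40.0, 42.0, 39.0, 40.0, 41.0, 43.0, 40.0, 39.0, 41.0, 40.0]

MIN_PEERS = 4        # assumed: too few peers and 'normal' is undefined
THRESHOLD = 3.0      # assumed: robust z-score above which we call it an anomaly


def cohesion_outliers(entity_values: Dict[str, float],
                      threshold: float = THRESHOLD) -> List[str]:
    """Entity cohesion: which entities in ONE KPI are not behaving like their peers.

    Uses median and median absolute deviation (MAD) rather than mean/stdev so a
    single spiking entity cannot drag the baseline toward itself. The 1.4826
    factor scales MAD to a standard deviation for normal data.
    """
    values = list(entity_values.values())
    if len(values) < MIN_PEERS:
        return []
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    return sorted(name for name, v in entity_values.items()
                  if abs(v - med) / (1.4826 * mad) > threshold)


def trending_anomaly(history: List[float], recent: List[float],
                     threshold: float = THRESHOLD) -> bool:
    """Trending: is the KPI's latest window far from ITS OWN past behaviour?

    Nothing here looks at other entities; the comparison is purely temporal.
    """
    mu = statistics.fmean(history)
    sigma = statistics.pstdev(history) or 1e-9
    return abs(statistics.fmean(recent) - mu) / sigma > threshold


if __name__ == "__main__":
    print("cohesion outliers:", cohesion_outliers(ENTITY_CPU))
    print("trending anomaly (spike):", trending_anomaly(HISTORY, [55.0, 58.0, 60.0]))
    print("trending anomaly (normal):", trending_anomaly(HISTORY, [40.0, 41.0, 39.0]))
```

On the constructed data the cohesion check singles out web04 because it sits far from the other four servers at the same moment, while the trending check fires only when the KPI’s recent window departs from its twelve-interval history. Option D is ruled out by construction: `cohesion_outliers` takes one KPI’s entities, never several KPIs.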
After ITSI is initially deployed for the operations department at a large company, another department would like to use ITSI but wants to keep their information private from the operations group. How can this be achieved?
A. Create service templates for each group and create the services from the templates.
B. Create teams for each department and assign KPIs to each team.
C. Create services for each group and set the permissions of the services to restrict them to each group.
D. Create teams for each department and assign services to the teams.
Explanation:
In Splunk IT Service Intelligence (ITSI), creating teams for each department and assigning services to those teams is the supported way to segregate data and keep information private between groups within one organization. Teams provide role-based access control: administrators define which users or roles can see and edit the services, KPIs, and dashboards that belong to a team. By setting up a team per department and assigning services to it, ITSI can accommodate multi-departmental use within the same instance while maintaining strict access controls, so each department only views and interacts with the services relevant to its operations.
Which of the following are the default ports that must be configured on Splunk to use ITSI?
A. SplunkWeb (8405), SplunkD (8519), and HTTP Collector (8628)
B. SplunkWeb (8089), SplunkD (8088), and HTTP Collector (8000)
C. SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088)
D. SplunkWeb (8088), SplunkD (8089), and HTTP Collector (8000)
Explanation:
C is the correct answer. ITSI uses the standard Splunk Enterprise ports: SplunkWeb listens on 8000, the splunkd management port is 8089, and the HTTP Event Collector listens on 8088. These can be changed, but the ITSI configuration must then match the ports configured on Splunk Enterprise. The other options either assign the same numbers to the wrong services or use ports that are not Splunk defaults.
Reference:
https://splunk.github.io/docker-splunk/ARCHITECTURE.html (ports used by Splunk Enterprise and ITSI)
After a notable event has been closed, how long will the meta data for that event remain in the KV Store by default?
A. 6 months.
B. 9 months.
C. 1 year.
D. 3 months.
Explanation:
By default, notable event metadata is archived after six months to keep the KV store from growing too large.
Reference:
https://docs.splunk.com/Documentation/ITSI/4.10.2/EA/TrimNECollections
Which of the following describes enabling smart mode for an aggregation policy?
A. Configure –> Policies –> Smart Mode –> Enable, select “fields”, click “Save”
B. Enable grouping in Notable Event Review, select “Smart Mode”, select “fields”, and click “Save”
C. Edit the aggregation policy, enable smart mode, select fields to analyze, click “Save”
D. Edit the notable event view, enable smart mode, select “fields”, and click “Save”
Explanation:
C is the correct answer because smart mode is a feature of aggregation policies that allows ITSI to automatically group notable events based on the fields that have the most impact on the event occurrence. You can enable smart mode for an aggregation policy by editing the policy, selecting the smart mode option, and choosing the fields to analyze. You can also specify a minimum number of events to trigger smart mode and a maximum number of groups to create.
How do you automatically restrict a KPI to only the entities in its service, and generate KPI values for each entity?
A. Select “Yes” for both “Split by Entity” and “Filter to Entities in Service”.
B. Select “No” for “Split by Entity” and “Yes” for “Filter to Entities in Service”.
C. Select “Yes” for “Split by Entity” and “No” for “Filter to Entities in Service”.
D. Select “No” for both “Split by Entity” and “Filter to Entities in Service”.
Explanation:
A is the correct answer because selecting “Yes” for both “Split by Entity” and “Filter to Entities in Service” allows you to automatically restrict a KPI to only the entities in its service and generate KPI values for each entity. Split by Entity splits the KPI search results by entity alias fields and calculates a separate KPI value for each entity. Filter to Entities in Service filters out any entities that are not part of the service from the KPI search results. This way, you can ensure that your KPI reflects only the relevant entities for your service and provides granular information for each entity.
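The four answer choices are the four combinations of two switches, and the cleanest way to see why only A satisfies both halves of the question is to run all four over the same data. The following added example (not ITSI’s generated search) simulates a response-time KPI over constructed events: a `host` alias field, two entities that belong to the service, and one that does not. The event rows, field names and averaging are assumptions for illustration.

```python
"""Simulate the 'Split by Entity' and 'Filter to Entities in Service' toggles
on a KPI. Added example, not ITSI's own search logic.
"""
from collections import defaultdict
from statistics import fmean
from typing import Dict, Iterable, Set

# Constructed KPI search results: one row per event. 'host' is the entity
# alias field the KPI is split on; db01 is NOT an entity of the web service.
EVENTS = [
    {"host": "web01", "response_ms": 120.0},
    {"host": "web01", "response_ms": 180.0},
    {"host": "web02", "response_ms": 90.0},
    {"host": "db01", "response_ms": 400.0},
]
SERVICE_ENTITIES: Set[str] = {"web01", "web02"}

AGGREGATE = "service_aggregate"   # key for the service-level KPI value


def kpi_values(events: Iterable[dict], service_entities: Set[str],
               split_by_entity: bool, filter_to_service: bool,
               alias: str = "host", metric: str = "response_ms") -> Dict[str, float]:
    """Return {AGGREGATE: value, <entity>: value, ...} under the given toggles.

    filter_to_service drops rows whose entity is not in the service before
    anything is calculated; split_by_entity additionally emits one value per
    entity alongside the aggregate. The aggregate is the mean of all rows kept.
    """
    rows = [e for e in events if not filter_to_service or e[alias] in service_entities]
    result: Dict[str, float] = {}
    if rows:
        result[AGGREGATE] = fmean(r[metric] for r in rows)
    if split_by_entity:
        per_entity = defaultdict(list)
        for r in rows:
            per_entity[r[alias]].append(r[metric])
        for entity, vals in per_entity.items():
            result[entity] = fmean(vals)
    return result


OPTIONS = {  # (split_by_entity, filter_to_service) as listed in the question
    "A": (True, True),
    "B": (False, True),
    "C": (True, False),
    "D": (False, False),
}


def option_results() -> Dict[str, Dict[str, float]]:
    """KPI values produced by each answer choice on the constructed events."""
    return {name: kpi_values(EVENTS, SERVICE_ENTITIES, *flags) for name, flags in OPTIONS.items()}


if __name__ == "__main__":
    for name, values in option_results().items():
        print(name, values)
```

Option A is the only result that both excludes db01 (the aggregate is computed from service entities only) and carries a separate value for web01 and web02. B excludes db01 but has no per-entity values; C has per-entity values but db01 leaks into both the list and the aggregate; D does neither.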
Which of the following services often has KPIs but no entities?
A. Security Service.
B. Network Service.
C. Business Service.
D. Technical Service.
Explanation:
In the context of Splunk IT Service Intelligence (ITSI), a Business Service often has Key Performance Indicators (KPIs) but might not have directly associated entities. Business Services represent high-level aggregations of organizational functions or processes and are typically measured by KPIs that reflect the performance of underlying technical services or components rather than direct infrastructure entities. For example, a Business Service might monitor overall transaction completion times or customer satisfaction scores, which are abstracted from the specific technical entities that underlie these metrics. This abstraction allows Business Services to provide a business-centric view of IT health and performance, focusing on outcomes rather than specific technical components.
Which of the following is part of setting up a new aggregation policy?
A. Filtering criteria
B. Policy version
C. Review order
D. Module rules
Explanation: When setting up a new aggregation policy in Splunk IT Service Intelligence (ITSI), one of the crucial components is defining the filtering criteria. This aspect of the aggregation policy determines which events should be included in the aggregation based on specific conditions or attributes. The filtering criteria can be based on various event fields such as severity, source, event type, and other custom fields relevant to the organization's monitoring strategy. By specifying the filtering criteria, ITSI administrators can ensure that the aggregation policy is applied only to the pertinent events, thus facilitating more targeted and effective event management and reducing noise in the operational environment. This helps in organizing and prioritizing events more efficiently, enhancing the overall incident management process within ITSI.