For Entity Cohesion anomaly detection in Splunk IT Service Intelligence (ITSI), the minimum number of entities a KPI must be split by is 2. Entity Cohesion detects anomalies by comparing one entity's behaviour with that of the other entities in the same cohort (the set of entities the KPI is split by), on the assumption that entities performing the same function within a service should behave alike; an entity that diverges sharply from its peers is flagged. Two entities is the floor that makes such a comparison possible at all, which lets the feature be used in small environments, but the more entities in the cohort, the more meaningful a single entity's deviation becomes, because with only two there is no way to tell which of the pair is the outlier.
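To make the cohort-comparison idea concrete, here is a small added example (not ITSI's own algorithm, and not code from the page or from Splunk): each entity's latest KPI value is scored against the cohort median in robust z units (absolute deviation divided by 1.4826 x MAD), the split-by cohort is checked against the minimum entity count stated above, and the sample CPU values per web server are constructed for illustration.

```python
"""Illustrative cohort-deviation scoring for a KPI split by entity.

Constructed example; this is NOT ITSI's Entity Cohesion implementation.
Each entity's latest KPI value is compared with the whole cohort using a
robust z-score: |value - cohort median| / (1.4826 * MAD).
"""
from statistics import median
from typing import Dict, List

# Assumed from the text above: the smallest split-by cohort ITSI accepts for
# entity cohesion. Confirm against the docs for your ITSI version.
MIN_ENTITIES = 2

# Constructed sample: latest CPU load percent per web server entity.
SAMPLE_LATEST = {"web01": 42.0, "web02": 45.0, "web03": 40.0, "web04": 95.0}


def cohesion_scores(latest: Dict[str, float],
                    min_entities: int = MIN_ENTITIES) -> Dict[str, float]:
    """Return a robust z-score per entity relative to its cohort.

    Raises ValueError when the KPI is split by fewer entities than the
    cohesion method requires, mirroring the minimum described above.
    """
    if len(latest) < min_entities:
        raise ValueError(
            f"entity cohesion needs at least {min_entities} entities, "
            f"got {len(latest)}"
        )
    values = list(latest.values())
    center = median(values)
    # Median absolute deviation, scaled so it approximates sigma on normal data.
    spread = 1.4826 * median(abs(v - center) for v in values)

    scores: Dict[str, float] = {}
    for entity, value in latest.items():
        deviation = abs(value - center)
        if spread == 0:
            # Cohort is identical: no deviation, or any deviation is extreme.
            scores[entity] = 0.0 if deviation == 0 else float("inf")
        else:
            scores[entity] = deviation / spread
    return scores


def cohesion_anomalies(latest: Dict[str, float], threshold: float = 3.5,
                       min_entities: int = MIN_ENTITIES) -> List[str]:
    """Entities whose robust z-score exceeds the threshold, sorted by name."""
    scores = cohesion_scores(latest, min_entities)
    return sorted(e for e, s in scores.items() if s > threshold)


if __name__ == "__main__":
    for entity, score in cohesion_scores(SAMPLE_LATEST).items():
        print(f"{entity}: {score:.2f}")
    print("anomalous:", cohesion_anomalies(SAMPLE_LATEST))
```

Run it and web04 is the only entity flagged. Try it with exactly two entities: the two scores are always identical, because the median sits halfway between them, so a two-entity cohort can detect that the pair disagree but cannot say which one is wrong. That is why the minimum is a floor, not a recommendation.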
Question 5
Which of the following describes entities? (Choose all that apply.)
Options:
A.
Entities must be IT devices, such as routers and switches, and must be identified by either IP value, host name, or mac address.
B.
An abstract (pseudo/logical) entity can be used to split by for a KPI, although no entity rules or filtering can be used to limit data to a specific service.
C.
Multiple entities can share the same alias value, but must have different role values.
D.
To automatically restrict the KPI to only the entities in a particular service, select “Filter to Entities in Service”.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/KPIfilter
Correct answers: B and D.
Entities are IT components that require management to deliver an IT service. Each entity has attributes and relationships to other IT processes that uniquely identify it, and carries alias fields and informational fields that ITSI matches against indexed events.
B. An abstract (pseudo/logical) entity does not represent a physical host or device but a logical grouping of data sources. For example, you could create one abstract entity per business unit and split a revenue or customer-satisfaction KPI by it. Because abstract entities have no alias fields that match indexed events, entity rules and filtering cannot use them to limit data to a specific service.
D. "Filter to Entities in Service" restricts a KPI's data sources to the entities assigned to the service. If a web-server service has a CPU load percent KPI, selecting this option ensures that only events from that service's web-server entities feed the KPI calculation.
See also: Overview of entity integrations in ITSI; Create KPI base searches in ITSI.
Search results are processed, created, and written to the itsi_summary index via an alert action.
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/BaseSearch
D is correct because KPI search results are stored in the itsi_summary index. This is an events index that holds the results of scheduled KPI searches; summary indexing lets you run fast searches over large data sets by spreading the cost of a computationally expensive search over time.
See also: Overview of ITSI indexes.
Question 7
Which of the following is a valid type of Multi-KPI Alert?
Reference: https://docs.splunk.com/Documentation/ITSI/4.10.2/SI/MKA
B is correct because value over time is a valid type of Multi-KPI Alert in ITSI. A Multi-KPI Alert triggers when multiple KPIs from one or more services meet specified conditions within a given time range. Value over time compares the current value of a KPI with its previous values over that range; for example, a Multi-KPI Alert can trigger when both CPU usage and memory usage of a service exceed their averages over the last 24 hours.
See also: Create Multi-KPI alerts in ITSI; Multi-KPI alert conditions in ITSI.