Splunk IT Service Intelligence Certified Admin SPLK-3002 Release Date

Splunk ITSI offers two built‑in anomaly detection algorithms:TrendingandEntity Cohesion. TheTrendingalgorithm works on theaggregate KPI series, comparing recent KPI behavior with its historical pattern to detect unusual trending patterns over time. It doesnotevaluate behavior across separate entities within the KPI split — it simply looks at deviations from historical trends in the combined KPI values. On the other hand, theEntity Cohesionalgorithm is specifically designed to detect when entities that are expected to behave similarly begin to diverge in behavior. When a KPI is split by entity (for example, multiple servers, locations, or service tiers), Entity Cohesion normalizes each entity’s time series and compares them against each other. If one entity’s pattern differs significantly from the group’s patterns, it is flagged as an anomaly. This matches the “paired monitoring requirement” of producing an alert whenone entity in the KPI is not behaving similarly to the other entities. The option describing entity cohesion paired with that requirement reflects the correct use case for this algorithm in ITSI. Neither trending anomaly detection nor entity cohesion anomaly detection is intended to detect multiple KPIs deviating at the service level — such cross‑KPI alerts are handled by other alerting constructs like multi‑KPI alerts or correlation searches, not these specific anomaly algorithms.

In Splunk IT Service Intelligence (ITSI), notable events are created and managed within the context of its Event Analytics framework. These notable events are stored in theitsi_tracked_alertsindex. This index is specifically designed to hold the active notable events that are generated by ITSI's correlation searches, which are based on the conditions defined for various services and their KPIs. Notable events are essentially alerts or issues that need to be investigated and resolved. Theitsi_tracked_alertsindex enables efficient storage, querying, and management of these events, facilitating the ITSI's event management and review process. The other options, such asitsi_notable_archiveanditsi_notable_audit, serve different purposes, such as archiving resolved notable events and auditing changes to notable event configurations, respectively. Therefore, the correct answer for where active notable events are stored is theitsi_tracked_alertsindex.