100+ Free Splunk ITSI Certified Admin (SPLK-3002) Practice Questions

Pass your Splunk IT Service Intelligence Certified Admin (SPLK-3002) exam on the first try — instant access, no signup required.


Key Facts: Splunk ITSI Certified Admin (SPLK-3002) Exam

  • Official Questions: 53 (Splunk SPLK-3002 page)
  • Exam Window: 60 min (Pearson VUE)
  • Exam Fee: $130 (Splunk / Pearson VUE)
  • Result Reporting: Pass/Fail (Splunk)
  • Track: ITSI Admin (Splunk certification track)
  • Policy Update: 2026-03-01 (Splunk certification changes)

The Splunk IT Service Intelligence Certified Admin (SPLK-3002) exam is a 53-question, 60-minute Pearson VUE exam. Splunk reports the result as pass or fail and does not publicly publish the exact cut score. The blueprint covers ITSI architecture, services and entities, KPIs and thresholds, glass tables and deep dives, notable event aggregation policies and episodes, predictive analytics, anomaly detection, and ITSI modules. Splunk also published program-wide certification policy changes effective March 1, 2026, so verify current recertification rules before scheduling.

Sample Splunk ITSI Certified Admin (SPLK-3002) Practice Questions

Try these sample questions to test your Splunk ITSI Certified Admin (SPLK-3002) exam readiness. Each question includes a detailed explanation.

1. Which Splunk component runs the IT Service Intelligence (ITSI) app and serves the Service Analyzer, Glass Tables, and Deep Dives interface to users?
A. Indexer
B. Search head
C. Universal forwarder
D. License manager
Explanation: ITSI is installed on a search head (or search head cluster). The search head runs the ITSI app, hosts Service Analyzer, Glass Tables, Deep Dives, and the Notable Events Review, and dispatches saved searches to the indexer tier. Indexers store raw events and bucket data. Universal forwarders only collect and forward data and cannot run the ITSI app. The license manager tracks license usage and is unrelated to the ITSI UI.

2. What is the recommended way to bring data into a Splunk indexer cluster that ITSI searches against?
A. Install ITSI on every universal forwarder
B. Use universal or heavy forwarders to send data to indexers
C. Have ITSI write directly to the file system on each indexer
D. Use the Service Analyzer to ingest data
Explanation: ITSI does not change Splunk's standard data ingestion pattern. Universal forwarders (or heavy forwarders when parsing is needed) collect data from sources and send it to indexers, where ITSI saved searches and KPI base searches run. ITSI is not installed on forwarders. Service Analyzer is a UI, not an ingestion path. Direct file-system writes bypass parsing and indexing.

3. Which Splunk-supplied package extends ITSI with technology-specific KPIs, entity definitions, saved searches, and dashboards for products such as Linux, VMware, or AWS?
A. ITSI Module (content pack)
B. Universal forwarder add-on
C. Splunk Enterprise Security correlation app
D. Splunk Stream
Explanation: ITSI Modules (also called content packs) extend ITSI with prebuilt service templates, KPI base searches, entity discovery searches, and dashboards focused on a specific technology or use case. Universal forwarders only ship data. Enterprise Security is a separate Splunk premium app. Splunk Stream captures wire data and is independent of ITSI module content.

4. Which ITSI object represents a logical thing being monitored (such as a host, application, or business workflow) and aggregates KPIs into a single health score?
A. Glass Table
B. Service
C. Deep Dive
D. Notable Event
Explanation: A Service is the central ITSI object. It groups KPIs that measure the health of a logical thing — a server, application, or business process — and rolls them into the service health score. Glass Tables are visual dashboards over services. Deep Dives are interactive timelines for investigation. Notable Events are episodes generated from KPI threshold breaches or correlation searches.

5. An ITSI entity represents what?
A. A user role with capabilities to manage ITSI
B. A discrete thing being monitored, such as a host or device, with identifying alias and informational fields
C. A saved search that produces a KPI
D. An aggregation policy applied to notable events
Explanation: An entity is a discrete monitored thing — a server, container, network device, application instance — with alias fields used to match incoming data and informational fields used for filtering. Roles and capabilities are part of Splunk security, not ITSI entities. Saved searches that produce KPI values are KPI base searches. Aggregation policies group notable events into episodes.

6. Which two methods does ITSI provide for adding entities into the system?
A. Auto-discovery search and CSV/manual import
B. Glass Table import and Deep Dive export
C. Service Template push and KPI rebuild
D. Episode replay and ServiceNow sync
Explanation: ITSI supports adding entities through entity discovery saved searches that read indexed data, and through CSV file or manual UI import. Glass Tables are visualizations, Deep Dives are investigative timelines, service templates and KPI rebuilds operate on services and KPIs, and the ServiceNow integration applies to notable events and episodes — none of those create entities directly.

7. Which ITSI object aggregates one or more saved searches into KPI values that score the health of a service?
A. Notable event
B. KPI
C. Glass Table
D. Deep Dive lane
Explanation: A KPI (Key Performance Indicator) is a measurement defined either by an ad hoc search or a KPI base search. KPIs produce numeric values that are scored against thresholds and contribute to the service health score. Notable events are episodes, Glass Tables are visualizations, and Deep Dive lanes display KPIs but do not define them.

8. What is a KPI base search in ITSI?
A. A saved search that produces metrics for multiple KPIs and shares one search run
B. A search that scrubs all entity data daily
C. A built-in search that creates Glass Tables automatically
D. A scheduled report that exports to CSV
Explanation: A KPI base search is a single shared saved search that produces multiple metric columns. Multiple KPIs can reuse it, which reduces search load by reusing one search run for several KPIs. It does not scrub entities, generate Glass Tables, or export reports.

9. Which threshold type uses a fixed numeric value that does not change with time of day?
A. Static threshold
B. Time variate threshold
C. Adaptive threshold
D. Anomaly threshold
Explanation: A static threshold uses one set of fixed cut points (for example, critical above 90, warning above 70). Time variate thresholds change cut points by time policy. Adaptive thresholds recalculate cut points using historical data based on standard deviation, quantile, or range. Anomaly detection is a separate feature that flags unusual values.

10. What does the ITSI service health score represent?
A. The CPU utilization of the search head
B. An aggregate score from 0 to 100 based on KPI severities and weights
C. The license consumption for ITSI indexes
D. The number of entities mapped to the service
Explanation: The service health score is a 0 to 100 number derived from the severity scores of KPIs that are configured to contribute to it, weighted by importance. It is the headline indicator on the Service Analyzer. CPU on the search head, license consumption, and entity counts are unrelated metrics.

About the Splunk ITSI Certified Admin (SPLK-3002) Exam

The Splunk IT Service Intelligence (ITSI) Certified Admin exam (SPLK-3002) validates hands-on administration of ITSI: services, entities, KPIs and base searches, static, time variate, and adaptive thresholds, glass tables, deep dives, notable event aggregation policies, episode lifecycle, predictive analytics, and ITSI module content. It is the certification for engineers who deploy and run ITSI on a Splunk search head or search head cluster.

  • Assessment: 53 multiple-choice questions
  • Time Limit: 60 minutes total
  • Passing Score: Pass/Fail (exact cut score not published by Splunk)
  • Exam Fee: $130 USD (Splunk / Pearson VUE)

Splunk ITSI Certified Admin (SPLK-3002) Exam Content Outline

  • 15%: ITSI Architecture and Deployment. ITSI components, search head and indexer roles, KV Store, ITSI modules, technology add-ons, and deployment topology.
  • 20%: Services, Entities, and the Service Tree. Define services, model service dependencies, manage entities and entity discovery, alias and informational fields, service templates.
  • 20%: KPIs, Base Searches, and Thresholds. KPI definitions, KPI base searches, static / time variate / adaptive thresholds, severity and importance, service health score.
  • 15%: Glass Tables, Deep Dives, and Service Analyzer. Build glass tables, run deep dives, configure service drilldowns, and use the service analyzer for triage.
  • 20%: Notable Events, Aggregation Policies, and Episodes. Multi-KPI alerts, correlation searches, aggregation policy filter / split-by / break-by / smart grouping, episode lifecycle, owners, and actions.
  • 10%: Predictive Analytics, Anomaly Detection, and ITSI Modules. Predicted service health score, entity-level anomaly detection, ITSI module content packs, and integrations like ServiceNow.

How to Pass the Splunk ITSI Certified Admin (SPLK-3002) Exam

What You Need to Know

  • Passing score: Pass/Fail (exact cut score not published by Splunk)
  • Assessment: 53 multiple-choice questions
  • Time limit: 60 minutes total
  • Exam fee: $130 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Splunk ITSI Certified Admin (SPLK-3002) Study Tips from Top Performers

1. Memorize the three KPI threshold types: static, time variate (time policy), and adaptive (standard deviation, quantile, range).
2. Build a small ITSI lab with a service template, KPI base search, and entity discovery search so the model is operational, not theoretical.
3. Practice the aggregation policy mental model: filter, split-by, break-by, smart grouping, time window, and action stages.
4. Walk the episode lifecycle (Unassigned, Acknowledged, In Progress, Closed/Resolved) and know when each ITSI action fires.
5. Know the difference between adaptive thresholds and anomaly detection — both use history but produce different outputs.
6. Practice troubleshooting entity alias mismatches, because they are the most common cause of KPI values not appearing on a service.

Frequently Asked Questions

How many questions are on the Splunk ITSI Certified Admin (SPLK-3002) exam?

Splunk's official exam page lists 53 questions for SPLK-3002. The exam window is 60 minutes total and is delivered through Pearson VUE.

What is the passing score for the SPLK-3002 exam?

Splunk reports the result as pass or fail and does not publicly publish the exact cut score. Plan for consistent mastery across the blueprint instead of targeting an undisclosed numeric threshold.

What does the SPLK-3002 exam cover?

SPLK-3002 covers ITSI architecture, services and entities, KPIs and KPI base searches, static / time variate / adaptive thresholds, glass tables and deep dives, notable events and aggregation policies, episode lifecycle, predictive analytics, anomaly detection, and ITSI module content.

Is there a prerequisite for the Splunk ITSI Certified Admin exam?

Splunk recommends Splunk Enterprise Certified Admin and the official ITSI administration coursework as prerequisites. Hands-on ITSI administration experience is strongly recommended even when not strictly required.

How long should I study for SPLK-3002?

Most candidates need 30 to 50 hours of focused review after they already work with ITSI day to day. The exam is heavy on services, KPI threshold types, aggregation policies, and episode lifecycle, so build a lab and practice those areas hands-on.

What changed in Splunk certification policy in 2026?

Splunk published program-wide certification changes that took effect on March 1, 2026. The update changed recertification handling and removed coursework-based recertification options, so candidates should review the latest Splunk certification policy before planning renewals.