Exam 6: Splunk IT Service Intelligence Certified Admin


A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. All of the applications are mission-critical. The customer wants to carefully control cost, but wants good ES performance. What is the best practice for installing ES?

(Multiple Choice)

Which of the following threat intelligence types can ES download? (Choose all that apply.)

(Multiple Choice)

The Remote Access panel within the User Activity dashboard is not populating with the most recent hour of data. What data model should be checked for potential errors such as skipped searches?

(Multiple Choice)

Which of the following is a recommended pre-installation step?

(Multiple Choice)

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

(Multiple Choice)

Who can delete an investigation?

(Multiple Choice)

Which component normalizes events?

(Multiple Choice)

What is the first step when preparing to install ES?

(Multiple Choice)

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

(Multiple Choice)

How is it possible to navigate to the list of currently-enabled ES correlation searches?

(Multiple Choice)

An administrator is asked to configure an "Nslookup" adaptive response action, so that it appears as a selectable option in the notable event's action menu when an analyst is working in the Incident Review dashboard. What steps would the administrator take to configure this option?

(Multiple Choice)

Where is the Add-On Builder available from?

(Multiple Choice)
Showing 61 - 72 of 72