Below is a comprehensive and detailed study plan for the SPLK-3002: Splunk IT Service Intelligence (ITSI) Certified Admin Exam, designed using the principles of the Pomodoro Technique (for focused study sessions) and Ebbinghaus’ Forgetting Curve (to improve long-term retention through spaced review).

SPLK-3002 Learning Plan

Total Duration: 4 Weeks (28 Days)

Goal: Fully understand and retain all 16 ITSI knowledge areas and prepare confidently for the exam.

Learning Methods Used:

1. Pomodoro Technique – 25 minutes study + 5-minute break = 1 Pomodoro
   2–4 Pomodoros per day recommended

2. Ebbinghaus Forgetting Curve – Review material after 1 day, 3 days, 7 days, and weekly, Includes review days after each topic block

3. Active Recall & Practice – Through summary, practice questions, and quizzes

4. Note-taking – Keep one centralized ITSI Study Notebook

SPLK-3002 Week 1 Study Plan

Theme: Core Concepts and Visualization Tools
Primary Goal: Develop a strong foundational understanding of ITSI’s architecture and key operational components. Gain hands-on familiarity with service health visualizations and basic event handling.

Day 1 – Topic: Introducing ITSI

Learning Objective: Understand what ITSI is, how it differs from traditional monitoring tools, and identify its major components.

Tasks:

• Read the full technical description of ITSI's core purpose and benefits.

• Create a concept map that includes Services, KPIs, Notable Events, Glass Tables, and Deep Dives, and shows their interactions.

• Write a short essay (approximately 150 words) explaining why ITSI takes a service-centric monitoring approach.

• Create 10 flashcards for key terms including: service, KPI, health score, notable event, and deep dive.

Estimated Study Time: 3 Pomodoro sessions (75 minutes study + 2 short breaks)

Day 2 – Topic: Glass Tables

Learning Objective: Learn to create and customize Glass Tables to visualize KPI and service performance in real time.

Tasks:

• Read and summarize Glass Table features and design recommendations.

• Using the Glass Table editor, build a simple layout with at least three components: text label, service icon, and KPI widget.

• Configure threshold-based color changes for each KPI element (green, yellow, red).

• Add one drilldown interaction that links a KPI to a Deep Dive view or another dashboard.

• Write a checklist of best practices for designing Glass Tables, tailored to different user roles.

Estimated Study Time: 3 Pomodoro sessions

Day 3 – Topic: Managing Notable Events

Learning Objective: Understand the life cycle of Notable Events and practice using Aggregation Policies.

Tasks:

• Study the four-phase lifecycle of a Notable Event: Triggering, Aggregation, Prioritization, and Management.

• Simulate a KPI threshold breach that generates a Notable Event.

• Configure one Aggregation Policy using simple filters (e.g., severity = Critical), grouping by service name, and a time window of 10 minutes.

• Review the Event Management dashboard and note each available action (assign, acknowledge, suppress, escalate).

• Write a summary explaining how Aggregation Policies help reduce alert fatigue.

Estimated Study Time: 3 Pomodoro sessions

Day 4 – Topic: Deep Dives

Learning Objective: Learn how to use Deep Dives to investigate service issues through time-based KPI visualization.

Tasks:

• Build a Deep Dive layout that includes at least three KPIs (for example, CPU usage, latency, and error rate).

• Include an Event Timeline panel and correlate any simulated Notable Events with KPI changes.

• Zoom in on a 15-minute time window during which an anomaly occurred.

• Add drilldowns that let users access raw event data or related dashboards.

• Create a use-case scenario involving a multi-tier application and explain which KPIs would be critical to monitor in a Deep Dive.

Estimated Study Time: 3 Pomodoro sessions

Day 5 – Weekly Review and Recall

Learning Objective: Reinforce understanding of key topics and correct early misconceptions using active recall and self-assessment.

Tasks:

• Review and redraw all previously made diagrams and concept maps.

• Use flashcards to review at least 30 terms and definitions from the first four days.

• Take a self-created quiz containing at least 10 multiple-choice questions covering:

  • ITSI components

  • Glass Table functions

  • Event lifecycle

  • Deep Dive use cases

• Reflect on which topics felt most challenging and flag them for review.

Estimated Study Time: 4 Pomodoro sessions

Day 6 – Topic: Installing and Configuring ITSI

Learning Objective: Understand system requirements and the full setup process for deploying ITSI in a Splunk environment.

Tasks:

• Read through Splunk documentation for ITSI installation.

• Create a checklist including:

  • Splunk version compatibility

  • Required indexes such as itsi_summary and itsi_tracked_alerts

  • Admin privileges and system specs

  • Licensing verification

• Simulate (or describe in detail) the installation process via both UI and CLI.

• Write down post-installation tasks such as verifying data collection, running health checks, and setting up initial users or teams.

Estimated Study Time: 3 Pomodoro sessions

Day 7 – Spaced Review (Retention Enhancement)

Learning Objective: Use spaced repetition to reinforce memory and support long-term retention of Week 1 content.

Tasks:

• Test recall of all key definitions and concepts from Days 1 to 6 without looking at notes.

• Re-draw a simplified ITSI architecture model and explain each component aloud.

• Use flashcards to review terminology and error-prone topics (especially event handling and Deep Dive structure).

• Take a 5-question timed quiz to simulate exam pressure.

• Summarize any unclear areas in a review list for Week 2 follow-up.

Estimated Study Time: 3 Pomodoro sessions

SPLK-3002 Week 2 Study Plan

Theme: Service Modeling and Data Logic
Primary Goal: Build practical skills in service creation, KPI configuration, data audits, and performance logic that underpin ITSI monitoring.

Day 8 – Topic: Designing Services

Learning Objective: Learn how to define, structure, and logically segment services in ITSI.

Tasks:

• Review the purpose of services in ITSI and what they represent (technical and business functions).

• Choose one real-world use case (e.g., online banking or e-commerce platform).

• Break it down into at least three logical services (e.g., Authentication, Payment Gateway, Inventory System).

• Define two meaningful KPIs for each service.

• Create a visual map showing service-to-KPI relationships.

• Write a paragraph summarizing the criteria for designing scalable, meaningful services.

Estimated Study Time: 3 Pomodoro sessions

Day 9 – Topic: Data Audit and Base Searches

Learning Objective: Learn how to build effective base searches and validate KPI data quality.

Tasks:

• Write two base searches using SPL to extract metrics (for example, failed logins or transaction errors).

• Use the ITSI Search Inspector to analyze performance (execution time, skipped buckets).

• Review the itsi_data_integrity dashboard to identify stale or missing KPI data.

• Create a table that compares:

  • Scheduled vs. real-time searches

  • Search filtering methods

  • Common causes of no-result KPIs

• Summarize findings in a one-page troubleshooting checklist.

Estimated Study Time: 3 Pomodoro sessions

Day 10 – Topic: Implementing Services

Learning Objective: Practice the complete service implementation process in ITSI.

Tasks:

• Create a new service using the Service Editor.

• Add at least three KPIs to this service.

• Configure thresholds (choose at least two threshold types).

• Define a parent-child relationship for one of the services.

• Assign the service to a team and configure access control settings.

• Test service behavior and observe health score changes over time.

Estimated Study Time: 4 Pomodoro sessions

Day 11 – Weekly Review and Recall

Learning Objective: Reinforce key concepts and validate service-building competency through hands-on recall.

Tasks:

• Rebuild the service diagram created on Day 8 without referring to notes.

• Recreate one base search and analyze its behavior using the Search Inspector.

• Use flashcards to review terminology related to:

  • Base searches

  • Thresholds

  • Service design

• Take a 10-question quiz focused on services, KPI implementation, and audit tools.

• Reflect on challenges faced in Day 10 implementation and write down improvement ideas.

Estimated Study Time: 3 Pomodoro sessions

Day 12 – Topic: Thresholds and Time Policies

Learning Objective: Understand and apply different types of KPI thresholds and time-based monitoring policies.

Tasks:

• Study and compare four threshold types:

  • Static

  • Percentage-based

  • Trend-based

  • Machine learning/anomaly-based

• Create a test KPI and apply each threshold type.

• Configure a time policy that:

  • Applies stricter thresholds during business hours

  • Loosens thresholds during off-hours

• Write a use case comparing threshold behavior during peak and non-peak times.

Estimated Study Time: 3 Pomodoro sessions

Day 13 – Topic: Entities and Modules

Learning Objective: Understand how to work with entities and use ITSI modules to deploy services quickly.

Tasks:

• Create three custom entities with metadata (e.g., environment, role, region).

• Link one entity to an existing KPI (if environment available).

• Explore the Modules tab and install or simulate a prebuilt module (such as Linux or VMware).

• List the components installed by the module: services, KPIs, Glass Tables, and Deep Dives.

• Summarize how entities improve visibility and per-host analysis.

Estimated Study Time: 3 Pomodoro sessions

Day 14 – Spaced Review (Days 8–13)

Learning Objective: Reinforce retention of core Week 2 topics using active recall and scenario practice.

Tasks:

• Rebuild a service from scratch based on what was learned in Days 8–10.

• Practice writing two base searches and identifying their search schedule, split-by field, and output.

• Use a flashcard deck with at least 25 cards covering:

  • Service design

  • KPI health scoring

  • Threshold tuning

  • Time policy scheduling

• Complete a 15-question quiz that mixes definitions, configuration logic, and case-based reasoning.

Estimated Study Time: 3 Pomodoro sessions

SPLK-3002 Week 3 Study Plan

Theme: Advanced Architecture and Alert Intelligence
Primary Goal: Understand and apply complex ITSI components such as templates, dependencies, anomaly detection, multi-KPI correlation, aggregation policies, and access control.

Day 15 – Topic: Templates and Dependencies

Learning Objective: Learn how to use templates for scalable service creation and model dependencies between services.

Tasks:

• Create a service template with at least three KPIs, each with thresholds and time policies.

• Apply the template to two different services and verify that changes are inherited correctly.

• Draw a service dependency map with at least one parent and two child services.

• Configure health score weighting to simulate how a child service affects the parent.

• Write a comparison between template-based service creation and manual service setup.

Estimated Study Time: 3 Pomodoro sessions

Day 16 – Topic: Anomaly Detection

Learning Objective: Understand how ITSI uses machine learning to detect abnormal KPI behavior and how to configure it effectively.

Tasks:

• Enable anomaly detection on a KPI and observe the learning period.

• Set a learning window (e.g., 14 days) and adjust sensitivity from medium to high.

• Compare anomaly detection output against static threshold alerts for the same KPI.

• Create a chart or table that outlines advantages and limitations of machine-learning thresholds.

• Document how anomaly detection supports dynamic or unpredictable environments.

Estimated Study Time: 3 Pomodoro sessions

Day 17 – Topic: Correlation and Multi-KPI Searches

Learning Objective: Learn how to use correlation searches to link multiple KPIs and detect complex incidents.

Tasks:

• Write a correlation search using SPL that combines two conditions, such as:
  CPU > 90 AND Memory > 85

• Schedule the correlation search and configure it to trigger a Notable Event.

• Assign a severity level based on combined metric behavior.

• Test the search against historical data or a sample log dataset.

• Write a reflection on when to use correlation logic versus traditional threshold alerting.

Estimated Study Time: 3 Pomodoro sessions

Day 18 – Review Day (Days 15–17)

Learning Objective: Reinforce comprehension and identify weak areas in advanced ITSI configuration.

Tasks:

• Redraw a full service architecture that includes:

  • Template-based services

  • Anomaly detection flags

  • Correlation search output

• Use flashcards to review at least 20 concepts from Days 15–17.

• Rebuild a correlation search without using previous notes.

• Take a 10-question scenario-based quiz focused on event logic and automation.

Estimated Study Time: 3 Pomodoro sessions

Day 19 – Topic: Aggregation Policies

Learning Objective: Learn how to group and prioritize Notable Events using Aggregation Policies.

Tasks:

• Configure an Aggregation Policy to group events from a specific service within a 15-minute window.

• Use filters to include only High and Critical severity events.

• Enable auto-close behavior after 30 minutes of no new matching events.

• Test the grouping behavior with simulated or historical KPI events.

• Create a guide comparing single-event handling versus aggregation-based alerting.

Estimated Study Time: 3 Pomodoro sessions

Day 20 – Topic: Access Control

Learning Objective: Understand how to implement role-based access to ITSI components.

Tasks:

• Create three custom roles: ITSI Admin, Service Owner, Viewer.

• Assign each role appropriate capabilities (e.g., create services, edit dashboards, read-only access).

• Map roles to specific ITSI teams (e.g., Web Ops, DB Admins).

• Restrict access to a specific service using team ownership and role-based filters.

• Write a one-page summary describing how access control supports operational clarity and security.

Estimated Study Time: 3 Pomodoro sessions

Day 21 – Spaced Review (Days 15–20)

Learning Objective: Strengthen understanding of advanced ITSI components using active recall and practical application.

Tasks:

• Rebuild an Aggregation Policy configuration without referencing notes.

• Practice reconfiguring a template and applying it to a new service.

• Flashcard review of all key concepts from Days 15–20, especially anomaly detection, correlation, and access control.

• Take a 15-question comprehensive quiz on:

  • Dependencies

  • Alert aggregation

  • Access configuration

• Note down any remaining weak areas to revisit before the final week.

Estimated Study Time: 3 Pomodoro sessions

SPLK-3002 Week 4 Study Plan

Theme: Troubleshooting, Integration, and Final Preparation
Primary Goal: Consolidate all knowledge, master diagnostics, and build confidence through mock exams and scenario-based recall.

Day 22 – Topic: Troubleshooting ITSI

Learning Objective: Learn how to diagnose and resolve common ITSI issues including data gaps, failed searches, and configuration errors.

Tasks:

• Review the five major troubleshooting areas:

  1. Search performance

  2. Missing data

  3. Threshold misconfigurations

  4. Notable Event failures

  5. Dashboard/KPI link errors

• Use Search Inspector to analyze a KPI with slow performance.

• Access _internal logs to identify a failed or skipped search.

• Review itsi_data_integrity dashboard to verify missing results.

• Create a troubleshooting checklist that covers tools, steps, and indicators for each type of issue.

Estimated Study Time: 3 Pomodoro sessions

Day 23 – Spaced Review (Comprehensive Recall)

Learning Objective: Use spaced repetition to reinforce learning across all major topic areas with a focus on weak points.

Tasks:

• Perform rapid recall drills: For each of the 16 knowledge areas, write down three key facts or configuration steps from memory.

• Use flashcards (minimum 40) covering terminology, thresholds, dependencies, modules, and event handling.

• Practice verbal recall: explain service-to-event flow to yourself or a peer without notes.

• Mark any topics where you hesitate or feel unsure and flag them for deeper review on Day 25.

Estimated Study Time: 3 Pomodoro sessions

Day 24 – Mock Exam 1

Learning Objective: Simulate full test conditions and assess readiness through a comprehensive exam.

Tasks:

• Take a complete practice exam (30–40 questions) covering all SPLK-3002 topics.

• Strictly time yourself (recommended: 60–75 minutes).

• After completion, categorize each incorrect or uncertain answer by topic area (e.g., thresholds, correlation, access control).

• Record all errors in a “Mistake Tracker” document for targeted follow-up.

Estimated Study Time: 4 Pomodoro sessions

Day 25 – Error Correction and Targeted Review

Learning Objective: Reinforce weak areas identified from Mock Exam 1 and practice deeper reasoning on complex topics.

Tasks:

• Review every missed question from Day 24. Write down:

  • The correct answer

  • Why the original answer was wrong

  • A fixed rule or summary to prevent the same mistake

• Revisit 2–3 knowledge areas with the most missed answers (e.g., time policies, search configuration).

• Create or revise mini-guides or visual maps for those topics.

• Practice writing 5 new multiple-choice questions yourself on the weakest topic.

Estimated Study Time: 3 Pomodoro sessions

Day 26 – Mock Exam 2

Learning Objective: Confirm exam readiness through a second full simulation and reinforce testing stamina.

Tasks:

• Take a different full-length practice exam (with new or reshuffled questions).

• Simulate exam conditions: quiet space, no internet access or notes, timed.

• Analyze performance and compare scores against Day 24.

• Note if the same errors appear or new gaps arise.

Estimated Study Time: 4 Pomodoro sessions

Day 27 – Visual Summary and Final Recall

Learning Objective: Consolidate all knowledge into visual formats and activate long-term memory pathways.

Tasks:

• Create a single-page summary sheet or mind map of the entire ITSI architecture including:

  • Services, KPIs, Thresholds, Events, Templates, Aggregation

• Rebuild two sample scenarios (e.g., a correlation search and a service with dependencies) from scratch without notes.

• Use a blank paper to list as many configuration fields and setting options as you can remember.

• Recite aloud the lifecycle of a Notable Event and how health scores are calculated.

Estimated Study Time: 4 Pomodoro sessions

Day 28 – Final Light Review and Confidence Boost

Learning Objective: Enter the exam with confidence, mental clarity, and refreshed memory.

Tasks:

• Do a light flashcard review focusing on any terms or questions that caused hesitation.

• Take a short (5–10 question) quiz to warm up.

• Practice positive visualization: imagine navigating the test calmly and successfully.

• Avoid any heavy studying. Focus instead on summarizing what you’ve achieved.

• Ensure your test environment is ready and that you’ve reviewed exam logistics.

Estimated Study Time: 2 Pomodoro sessions