SPLK-3002 Investigating Issues with Deep Dives
Investigating Issues with Deep Dives
Detailed list of SPLK-3002 knowledge points
- + Introducing ITSI
- + Glass Tables
- + Managing Notable Events
- + Investigating Issues with Deep Dives
- + Installing and Configuring ITSI
- + Designing Services
- + Data Audit and Base Searches
- + Implementing Services
- + Thresholds and Time Policies
- + Entities and Modules
- + Templates and Dependencies
- + Anomaly Detection
- + Correlation and Multi KPI Searches
- + Aggregation Policies
- + Access Control
- + Troubleshooting ITSI
Investigating Issues with Deep Dives Detailed Explanation
1. What Is a Deep Dive?
Simple Definition
A Deep Dive in ITSI is like a virtual investigation room where you can:
Explore how different KPIs behaved over time
See when issues started
Discover why a service is having problems
It’s a time-based dashboard that shows you trends and relationships between metrics, all in one place.
Think of it like a detective board, where you piece together clues (KPI changes, alerts, logs) to understand the full story behind an incident.
2. Purpose of Deep Dives
Why do we need Deep Dives?
Because problems in IT are often complex:
One service breaks down because another failed.
Performance drops without obvious cause.
Alerts are triggered but the root problem is hidden.
A Deep Dive helps you:
See multiple KPIs together
Match KPI behavior with Notable Events
Understand what happened, when it happened, and why
It’s a powerful tool for solving issues and preventing them from happening again.
3. Key Capabilities of Deep Dives
a. Multi-KPI Time-Series Visualization
You can view several KPIs at once, all displayed as line charts across a common timeline.
For example:
CPU usage
Error rate
Database response time
Web server latency
This lets you compare trends side-by-side and see how one metric may have influenced another.
Beginner Tip:
If two KPIs change at the same time, they might be connected!
b. Event Timeline
This feature shows when Notable Events occurred, directly on the same timeline as the KPIs.
You can clearly see:
Did the event happen before or after the spike?
Was the alert correct or did it miss something?
What other services were affected?
Why it matters:
Events and KPI trends together give a complete picture, not just one side of the story.
c. Interactive Controls
Deep Dives let you:
Zoom in on a short time window (e.g., 5 minutes)
Zoom out to see the bigger picture (e.g., last 6 hours)
Pan across time to track how things evolved
Rearrange KPI panels to group related metrics
This helps you focus only on the important timeframes, especially during or around the incident.
d. Drill-Down Capability
You can click on a KPI line or chart point to:
View the underlying search data
See related logs or raw events
Open a dashboard or Notable Event
This means that Deep Dives are not just for viewing—they’re also for investigating in real depth.
4. Use Cases for Deep Dives
Here are some real-world ways teams use Deep Dives:
Troubleshooting Service Degradation
Example: Your website is suddenly slow.
You open a Deep Dive and compare:
Web server response time
Database load
Error rates
You discover that the database query time started increasing 10 minutes earlier—problem found!
Root Cause Analysis of Outages
After a system goes down, you can:
Look back at all KPIs
See which metric changed first
Understand the chain reaction of failures
This helps prevent the same issue in the future.
Post-Incident Review and Documentation
After fixing an issue, you can use the Deep Dive to:
Show exactly what happened (with graphs)
Present to your team or management
Save the Deep Dive as a report or example for later
Detecting Performance Trends or Regressions
You can use Deep Dives proactively, not just after problems.
For example:
Monitor a new release to see if it causes slowdowns
Check if performance slowly worsens over days or weeks
Spot patterns that manual reviews might miss
Summary: What to Remember About Deep Dives
A Deep Dive is a visual, time-based workspace for analyzing KPI trends and events.
It helps you understand system behavior over time and find the root causes of problems.
You can compare many KPIs, view Notable Events, and zoom in on details.
It’s great for troubleshooting, reviewing, and even preventing incidents.
Investigating Issues with Deep Dives (Additional Content)
1. Deep Dives Can Be Saved as Templates or RCA Artifacts
Why it matters:
Students should understand that Deep Dives are not just real-time investigation tools—they are also valuable for post-incident analysis, reporting, and knowledge sharing.
Suggested Explanation:
Deep Dives in ITSI can be saved and shared in the following ways:
As Deep Dive Templates: reusable layouts with predefined KPI panels and time windows
As Root Cause Analysis (RCA) records: snapshots that preserve the full investigative context of an incident
Example use case:
After resolving a major outage, a team saves the Deep Dive to document how the issue unfolded. This can be used in retrospectives, executive briefings, or as training material for new engineers.
This transforms Deep Dives into not just tools for live analysis, but artifacts of operational learning and accountability.
2. Who Uses Deep Dives (Role-Based Use Cases)
Why it matters:
Understanding which roles use Deep Dives helps students connect the tool to real-world job responsibilities.
Suggested Explanation:
Deep Dives are leveraged by various roles within an organization, including:
SREs (Site Reliability Engineers) – for analyzing service degradation and pinpointing anomalies during incidents.
NOC (Network Operations Center) Analysts – for correlating real-time events across infrastructure layers.
Application Owners or DevOps Engineers – to track how app-layer metrics (like error rates or latency) relate to infrastructure KPIs.
By tailoring views to specific KPIs, each role can focus on what matters most to their operational responsibility.
3. Deep Dive vs. Episode Review – Key Differences
Why it matters:
Students often confuse Deep Dives and Episode Review. Clearly outlining their purpose and scope builds conceptual clarity and avoids misuse.
Suggested Explanation:
| Feature | Deep Dive | Episode Review |
|---|---|---|
| Primary Function | KPI trend analysis over time | Notable Event triage and incident response |
| Data Source | Time-series KPI panels | Grouped Notable Events |
| Use Case | Investigating how and why things went wrong | Managing who and what needs to respond |
| Audience | Engineers, Analysts (deep technical dive) | Incident Managers, On-call Leads |
You can think of it this way:
Episode Review helps you triage the issue
Deep Dive helps you understand and solve the issue
Summary
Adding these dimensions helps students:
See how Deep Dives support incident workflows before, during, and after outages
Connect the tool to specific job roles and responsibilities
Understand the boundary and synergy between Episode Review (event-based view) and Deep Dives (metric-based view)
Frequently Asked Questions
What component in ITSI Deep Dive visualizes a KPI as a time-series lane used for troubleshooting service performance?
A swim lane.
Deep Dive dashboards use swim lanes to represent KPIs visually across time. Each swim lane corresponds to a specific KPI and displays color-coded severity states derived from KPI threshold evaluation. When KPI values cross warning or critical thresholds, the swim lane reflects the severity through color changes. This layout allows operators to compare multiple KPIs simultaneously and detect correlations between service metrics. For example, CPU utilization, memory usage, and transaction latency can appear as parallel swim lanes, helping administrators quickly identify patterns that lead to service degradation. Swim lanes therefore serve as the primary visualization mechanism within Deep Dive dashboards for analyzing KPI behavior during incidents.
Demand Score: 70
Exam Relevance Score: 86
A Deep Dive swim lane appears empty even though the associated KPI search returns data. What is the most common configuration issue?
The KPI is not properly associated with the service selected in the Deep Dive.
Deep Dive dashboards only display KPIs that belong to the selected service context. If a KPI search returns data but the KPI is not linked to the service being analyzed, the swim lane may appear empty. This occurs when the KPI is configured under a different service or not included in the service’s KPI list. Administrators should confirm that the KPI is associated with the correct service and that its search executes successfully. Additionally, ensuring the time range matches the KPI data window is important. Service-KPI relationships determine which metrics appear in Deep Dive visualizations, so misconfigured associations often cause missing swim lane data.
Demand Score: 88
Exam Relevance Score: 89
What is the primary purpose of Deep Dive dashboards in ITSI?
To investigate service health by correlating multiple KPIs over time.
Deep Dive dashboards provide a timeline-based view of multiple KPIs associated with a service. By displaying KPI behavior simultaneously, administrators can correlate metric anomalies and identify root causes of incidents. For example, if application response time increases while database latency and CPU usage spike at the same time, Deep Dive allows operators to visually correlate those metrics within the same time window. This capability enables faster troubleshooting compared with reviewing each KPI independently. Deep Dive dashboards are therefore designed for operational analysis rather than high-level monitoring, making them particularly useful during incident investigation workflows.
Demand Score: 76
Exam Relevance Score: 84
Which Deep Dive configuration option allows administrators to organize KPIs into logical groups for easier troubleshooting?
Swim lane groups.
Swim lane groups allow administrators to organize multiple KPIs into categorized sections within a Deep Dive dashboard. Instead of displaying all KPIs in a single long list, grouping enables related metrics to be visually clustered together. For example, infrastructure KPIs such as CPU, memory, and disk usage can be grouped separately from application metrics such as request latency and error rates. This organization improves readability and helps operators focus on specific components of a service architecture. Grouping swim lanes also simplifies troubleshooting because related performance indicators appear together, making it easier to detect patterns and identify root causes during incident analysis.
Demand Score: 72
Exam Relevance Score: 82
When creating a custom Deep Dive, what must be selected to determine which KPIs are available for swim lanes?
The service associated with the Deep Dive.
Deep Dive dashboards operate within the context of a specific service. When creating or editing a custom Deep Dive, administrators must select the service that defines the KPI scope. Only KPIs associated with that service become available for swim lane selection. This design ensures that troubleshooting views focus on metrics relevant to the service architecture rather than unrelated data. Selecting the correct service is therefore essential when building Deep Dive dashboards, because it determines which KPIs can be visualized and analyzed within the investigation workflow.
Demand Score: 78
Exam Relevance Score: 87
