Solved: Re: Can we analyze diag file with S.o.S by ourselv...

sunrise · ‎03-28-2014

We can set S.o.S on our UAT environment, but cannot set on production environment.
We want to analyze diag file getting from production environment to use S.o.S in UAT.
Can I do that ?
Can S.o.S allow us to analyze other environment diag file ?

hexx · ‎03-28-2014

The S.o.S app is not built to analyze data contained in diags, its searches are specifically targeted at live data in the Splunk internal indexes (_internal, _audit) and in its own index (sos).

View solution in original post

hexx · ‎04-01-2014

If you have attended a partner shadowing program with Splunk Support, you can reach out to the Support engineers that you worked with and request a copy of the UnDiag app, which does precisely what you want.

sunrise · ‎03-30-2014

Actually, I'm working for the business partner of Splunk. I got the diag file from the end user to troubleshoot the issue. So I hope S.o.S enable to analyze at non-live data. .

hexx · ‎03-28-2014

Out of curiosity, what is the specific reason that prevents you from using the S.o.S app in your production environment?

hexx · ‎03-28-2014

The S.o.S app is not built to analyze data contained in diags, its searches are specifically targeted at live data in the Splunk internal indexes (_internal, _audit) and in its own index (sos).

Can we analyze diag file with S.o.S by ourselves ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases