Splunk Enterprise Security

How can I monitor VMware Horizon View with Splunk?

canalesjac
Path Finder

I’m running VMware Horizon View 7 in my organization. Now with COVID-19 shelter in place we all need to WFH. How do I monitor user activity and know what the user experience is when connecting to VDI? I know VMware Horizon View has vRealize Operations Manager for View but it’s limited.


canalesjac
Path Finder

I found the answer to my question. VMware Horizon can send data to Splunk as a Syslog target. You can have your connection servers configured to send logs to Splunk. You can configure a Syslog input and create a VMware index on port 514. You can then create custom dashboards. I recommend using a Splunk universal forwarder dedicated to your Syslog input. You can find more information and an example dashboard in this post. Just create two new dashboards and import the attached XML dashboards.

Horizon View Login Dashboard

Horizon View Login Details Dashboard

<form theme="dark">
  <label>CONTOSO Horizon View Login Diagnostics</label>
  <description>User statistics for your Horizon View farm</description>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" searchWhenChanged="true" token="tok.time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok.pool">
      <label>Pool</label>
      <choice value="*">All</choice>
      <choice value="*Windows 7">Windows 7</choice>
      <choice value="*Windows 10">Windows 10</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>DesktopDisplayName</fieldForLabel>
      <fieldForValue>DesktopDisplayName</fieldForValue>
      <search>
        <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Desktop Event Types Over Time</title>
      <chart>
        <search>
          <query>index=vmware EventType!=Null | timechart count by EventType</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType!=Null | stats count by EventType</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Desktop Logins Over Time</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Desktop Shutdown Over Time</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

<form theme="dark">
  <label>CONTOSO Horizon View Login Activity</label>
  <description>User statistics for your Horizon View farm</description>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" searchWhenChanged="false" token="tok.time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok.pool">
      <label>Pool</label>
      <choice value="*">All</choice>
      <choice value="*Windows 7">Windows 7</choice>
      <choice value="*Windows 10">Windows 10</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>DesktopDisplayName</fieldForLabel>
      <fieldForValue>DesktopDisplayName</fieldForValue>
      <search>
        <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$| stats count(_raw) as "Total Connections"</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendInterval">-24h</option>
        <option name="underLabel">Total Logins</option>
      </single>
      <single>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$  | stats dc(UserDisplayName) as "Total Users"</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-24h</option>
        <option name="underLabel">Total Users</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Frequent User Logins</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) by UserDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) as Logins by UserDisplayName | eventstats sum(Logins) as Total | eval Percent=round(100*Logins/Total, 1) | fields - Total</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">12</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Frequent Pool Logins</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) as Logins by DesktopDisplayName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">12</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Frequent Machine Logins</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) by MachineName</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) as Machines by MachineName | eventstats sum(Machines) as Total | eval Percent=round(100*Machines/Total, 1) | fields - Total</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">12</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Frequent Connection Managers</title>
      <chart>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) by host</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <table>
        <search>
          <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) as Logins by host</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="count">12</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>


jqhe
Engager

Nice work!
Do you have TA or field extractions that you can share?

0 Karma

canalesjac
Path Finder

@jqhe I do not have a TA, sorry.

0 Karma

aftasuncion
Engager

Hello, thanks for this. I have one question though: do the syslogs from Horizon WS come with the DesktopDisplayName and MachineName fields? We have a dedicated Splunk HF for syslog and currently we are receiving the Horizon WS logs from there, and I don't see any desktop display name and machine name fields in the syslog.

canalesjac
Path Finder

@aftasuncion make sure that you have the syslog configuration set on each Horizon View Connection Server in the Admin Console. Some people confuse this config with the ESXi Syslog, which is a different log. The fields are all from the default HV syslog and there are no custom extractions. You may need to look at the raw data first to see if you are receiving the correct logs.

dbaccus_splunk
Splunk Employee

@canalesjac were you able to use the default syslog sourcetype to parse through the logs & pull out these fields?

0 Karma

canalesjac
Path Finder

Yes, all default.

0 Karma

abhisom
New Member

This is very nice. Quick question though...

How did you create the EventType values? Were they created as CustomFields? Or did you use a TA? Can you share the details on that please?

0 Karma

abhisom
New Member

Additionally, any pointers on how I can show number of users connected to VDI as a time series graph?

0 Karma

canalesjac
Path Finder

@abhisom all the graphs are based on default fields from the syslog. I did not have to create any custom extractions. You can create a time series graph for users connected by copying one of the panels and adding a timechart order by user name. 

0 Karma
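
The two replies above (check the raw data for the expected fields; copy a panel and switch it to a timechart) can be expressed as one extra dashboard row. This is an added example, not part of the original posts: it assumes the `vmware` index, the `tok.pool` and `tok.time` form tokens and the field names used in the dashboards above, and is meant to be pasted before the closing `</form>` of the Login Activity dashboard.

```xml
<!-- Added example row: field coverage check plus connected users over time. -->
<!-- Assumes index=vmware and the tok.pool / tok.time inputs defined in the form's fieldset. -->
<row>
  <panel>
    <title>Horizon Field Coverage</title>
    <!-- If a field is missing from this table, the connection servers are not
         sending Horizon View events (for example, ESXi syslog is arriving instead). -->
    <table>
      <search>
        <query>index=vmware | fieldsummary | search field IN (EventType, UserDisplayName, DesktopDisplayName, MachineName) | fields field count distinct_count</query>
        <earliest>$tok.time.earliest$</earliest>
        <latest>$tok.time.latest$</latest>
      </search>
      <option name="count">10</option>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
  <panel>
    <title>Connected Users Over Time</title>
    <!-- Same base search as the login panels, bucketed per hour:
         distinct users and total logins for the selected pool. -->
    <chart>
      <search>
        <query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | timechart span=1h dc(UserDisplayName) as "Distinct Users", count as "Logins"</query>
        <earliest>$tok.time.earliest$</earliest>
        <latest>$tok.time.latest$</latest>
      </search>
      <option name="charting.chart">line</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.legend.placement">bottom</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
```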

damo66a
Explorer

This is awesome. Thanks for spending the time.

Quick question from me... do you have a rough idea of the amount of data this is sending to Splunk? Looking to do something similar to this and don't want to blow our license for Splunk Cloud.

Cheers

0 Karma