Hi, we are working on developing a second version of the app. Our use case is: when the app is upgraded we need to clear the existing KV store contents programmatically. Note that we need to clear this KV store only at the beginning of the app upgrade. It would be great if you could share some guidelines on achieving this.
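One way to make the purge fire exactly once per upgrade, as an added example that is not part of the original post or of any Splunk app: keep a marker document recording the app version that last initialised the collection, and on every start compare it with the version from app.conf. The marker collection name, the version-comparison rule and the store client interface are assumptions; an in-memory stand-in is used so the example runs offline, and the real code would wrap the KV Store REST endpoints or the Python SDK's collection client with the same three operations.

```python
"""Clear a KV Store collection once, on the first start after an app upgrade.

Added example, not code from the original post or from Splunk. Assumptions:
the app keeps the version that last initialised its data in a small marker
collection (name assumed), the current version string comes from app.conf,
and the store client exposes query/delete_all/replace (in-memory stand-in
here so the example runs offline)."""
import re

MARKER_COLLECTION = "app_version_marker"   # assumed collection name


def parse_version(text):
    """'2.1.0' or '2.1.0-beta' -> (2, 1, 0). Numeric compare avoids the string
    pitfall where '2.10' sorts before '2.9'; missing parts are zero-padded."""
    nums = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def needs_purge(marker_version, current_version):
    """Purge when no marker exists (a v1 install that never wrote one) or when
    the installed version is newer than the marker. Never on a downgrade or an
    unchanged version, so the check is safe to run on every start."""
    if marker_version is None:
        return True
    return parse_version(current_version) > parse_version(marker_version)


class InMemoryKVStore:
    """Offline stand-in for the KV Store client (assumption)."""

    def __init__(self, collections=None):
        self.collections = {k: list(v) for k, v in (collections or {}).items()}

    def query(self, name):
        return list(self.collections.get(name, []))

    def delete_all(self, name):
        self.collections[name] = []

    def replace(self, name, docs):
        self.collections[name] = list(docs)


def purge_on_upgrade(store, data_collection, current_version):
    """Return (purged, previous_version). Idempotent: a second call with the
    same version is a no-op, which matters if the startup hook fires twice."""
    marker = store.query(MARKER_COLLECTION)
    previous = marker[0]["version"] if marker else None
    purged = False
    if needs_purge(previous, current_version):
        store.delete_all(data_collection)
        purged = True
    if previous != current_version:
        store.replace(MARKER_COLLECTION, [{"_key": "version", "version": current_version}])
    return purged, previous


if __name__ == "__main__":
    # Constructed fixture: a v1 install with data but no marker yet.
    kv = InMemoryKVStore({"inventory": [{"_key": "a", "host": "h1"}]})
    print(purge_on_upgrade(kv, "inventory", "2.0.0"), kv.query("inventory"))
```

The usual hook for this is a scripted or modular input in the app that runs once at startup; because the function is idempotent it does no harm if it also runs on a plain restart. The marker is written on a downgrade too, so a later re-upgrade purges again.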
1 search in a dashboard ends with "waiting for data" for 3 of about 300 organisations. The organisation name is part of the URL. The search ends correctly for most of the organisations. After refreshing the search (in the dashboard) or clicking on the magnifying glass the result of the search is shown. Job inspection gives no error. Any idea what the reason could be that the result is not shown in the dashboard directly?
Hello Splunkers! I am collecting logs from multiple devices, a couple of them have different timezones, so I followed the instructions listed in the following link: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Applytimezoneoffsetstotimestamps#:~:text=To%20determine%20the%20time%20zone,TZ%20attribute%20set%20in%20props.

What I did was:

[source::cisco]
TZ = US/Eastern

The timestamp after this change is like this: instead of becoming 10:00 AM it did 7:00 AM +3:00. How can this be changed?
How can I extract all the data listed inside a dashboard using python SDK?
Hi, I have created a table with host and grouped IP addresses; a host can have public and private IP addresses, so my table looks like this:

Host    | IP        | id
Host A  | 10.1.1.1  | 21
        | 172.1.1.1 |

I have an IP range to identify the public IP. I need to create another field: if the range matches, the result will be Yes, if not, No. I have used this query for the field:

| eval "internet facing"=case(cidrmatch("172.1.1.0/24", IP), "Yes", 1=1, "No")

but this eval only works on a field which has 1 IP. On my grouped IP field it's not working. Please assist with this. Thank you
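The logic the row needs is "does any value of the multivalue field fall inside the range", which in SPL is a per-value filter such as `mvfilter(cidrmatch("172.1.1.0/24", IP))` tested for a non-null result. The following added example (not from the original post) shows the same check over a multivalue field in Python with the standard `ipaddress` module, generalised to a list of ranges and to values that are not valid addresses; the rows, range list and field names are constructed to match the table above.

```python
"""Label a row whose IP field is multivalued as internet facing when any of
its addresses falls inside one of the given CIDR ranges.

Added example, not from the original post. Rows and ranges are constructed."""
import ipaddress


def internet_facing(ips, ranges):
    """'Yes' if any value of the multivalue IP field is inside any range, else
    'No'. Unparseable values are skipped rather than failing the whole row."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue
        if any(addr in net for net in nets):
            return "Yes"
    return "No"


def label_rows(rows, ranges):
    """Add the 'internet facing' column to every row, leaving the rest intact."""
    out = []
    for row in rows:
        labelled = dict(row)
        labelled["internet facing"] = internet_facing(row.get("IP", []), ranges)
        out.append(labelled)
    return out


# Constructed sample rows; IP is a list, as a multivalue field is.
SAMPLE_ROWS = [
    {"Host": "Host A", "IP": ["10.1.1.1", "172.1.1.1"], "id": "21"},
    {"Host": "Host B", "IP": ["10.2.2.2"], "id": "22"},
    {"Host": "Host C", "IP": ["not an ip", "172.1.1.200"], "id": "23"},
]

if __name__ == "__main__":
    for r in label_rows(SAMPLE_ROWS, ["172.1.1.0/24"]):
        print(r["Host"], r["internet facing"])
```

Note that the range list is the caller's definition of "public": the example does not decide which networks are routable, it only reports membership.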
How do I change the colors of the destination nodes in the network diagram viz app especially if they are not present in the source column? For example, if I try | eval color=case(ip_dst="some_ip", "blue").....nothing happens.
Hi Splunk Experts, I'm trying to list all the events on the same timestamp and capture only the required lines. But I'm not getting the expected results; it seems like there is no "\n" in the aggregated event even though it breaks into new lines. Kindly shed some light. Thanks in advance!!

I've events something like below, after aggregating them by _time:

Line1 blablabla
Line2 blablabla
<Interested line1>
<Interested line2>
<Interested line3>
<Ends Here>
Unwanted Line blablabla

Query using:

index=xxx | reverse | stats list(_raw) as raw by _time | rex field=raw "(?<Events>(\<Interested.*)((\n.*)?)+\<Ends Here\>)"

Result for the above query:

<Interested line1>
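The pattern in the query has two problems a regex engine cares about: `.` does not cross a line break unless the single-line flag is on, and `((\n.*)?)+` is a nested quantifier that backtracks badly. In PCRE (what rex uses) the block can be matched with `(?s)<Interested.*?<Ends Here>`, i.e. `rex field=raw max_match=0 "(?s)(?<Events><Interested.*?<Ends Here>)"`. The added example below (not from the original post; events are constructed) shows the same regex in Python, including the case where `list(_raw)` has produced several values.

```python
"""Extract the '<Interested ...> ... <Ends Here>' block from multi-line events,
including the multivalue case produced by stats list(_raw).

Added example, not from the original post. Sample events are constructed."""
import re

# DOTALL lets '.' cross line breaks; the lazy '.*?' stops at the first
# '<Ends Here>' instead of swallowing everything up to the last one.
BLOCK_RE = re.compile(r"<Interested.*?<Ends Here>", re.DOTALL)


def extract_blocks(text):
    """All non-overlapping blocks in one event, in order of appearance."""
    return BLOCK_RE.findall(text)


def extract_from_multivalue(values):
    """list(_raw) gives one value per event: extract from each and flatten,
    which is what rex with max_match=0 returns for a multivalue field."""
    found = []
    for value in values:
        found.extend(extract_blocks(value))
    return found


EVENT_A = (
    "Line1 blablabla\nLine2 blablabla\n"
    "<Interested line1>\n<Interested line2>\n<Interested line3>\n<Ends Here>\n"
    "Unwanted Line blablabla"
)
EVENT_B = "Noise\n<Interested other>\n<Ends Here>\nTrailer"   # constructed
EVENT_C = "Nothing of interest here"                          # constructed

if __name__ == "__main__":
    for block in extract_from_multivalue([EVENT_A, EVENT_B, EVENT_C]):
        print(block)
        print("---")
```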
Hi all, I created a lookup 6 months ago and now I have hundreds of lookups and I forgot what its name was. I am looking for an IP address and which lookup it is in, but I couldn't find a way to do this. I want to find out which lookup an IP address is in. Any help would be appreciated!
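From the search head, `| rest /services/data/lookup-table-files` lists the CSV lookups and `| inputlookup <name> | search ip=...` checks one at a time. When there are hundreds, scanning the files on disk is quicker. The added example below (not from the original post) walks every `lookups` directory under a root such as `$SPLUNK_HOME/etc` (both `apps/*/lookups` and `users/*/*/lookups` use that layout), reports the file, line and column of every cell equal to the address, and also reports cells holding a CIDR that contains it. `demo()` builds a constructed fixture tree in a temporary directory so the example runs offline. KV Store-backed lookups are not files and are not covered.

```python
"""Find which lookup CSV under a Splunk install contains a given IP, either as
an exact cell value or inside a CIDR range stored in a cell.

Added example, not from the original post. demo() uses constructed files."""
import csv
import ipaddress
import os
import tempfile


def _cidr_contains(cell, target):
    if "/" not in cell:
        return False
    try:
        return target in ipaddress.ip_network(cell, strict=False)
    except ValueError:
        return False


def find_in_lookups(root, needle):
    """Return (relative path, line number, column name) for every matching cell."""
    try:
        target = ipaddress.ip_address(needle)
    except ValueError:
        target = None          # not an IP: fall back to exact string match only
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "lookups":
            continue
        for name in sorted(files):
            if not name.lower().endswith(".csv"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, newline="", encoding="utf-8", errors="replace") as fh:
                reader = csv.reader(fh)
                header = next(reader, None) or []
                for lineno, row in enumerate(reader, start=2):   # line 1 is the header
                    for col, cell in enumerate(row):
                        cell = cell.strip()
                        if cell == needle or (target is not None and _cidr_contains(cell, target)):
                            colname = header[col] if col < len(header) else "col%d" % col
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, lineno, colname))
    return hits


def demo(needle="10.20.30.40"):
    """Constructed fixture: three app lookups and one user lookup; one hit via CIDR."""
    files = {
        "apps/search/lookups/assets.csv": "ip,owner\n10.20.30.40,alice\n192.0.2.1,bob\n",
        "apps/ta_net/lookups/ranges.csv": "cidr,zone\n10.20.0.0/16,dmz\n198.51.100.0/24,lab\n",
        "apps/other/lookups/hosts.csv": "host,ip\nweb1,192.0.2.5\n",
        "users/bob/search/lookups/mine.csv": "ip\n10.20.30.40\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", newline="", encoding="utf-8") as fh:
                fh.write(body)
        return find_in_lookups(root, needle)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```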
Hello, I'm trying to figure out how I can use a kind of if...else condition in my Splunk query. I've set up two metrics, which are sending data to Splunk. Each metric has a different index value. For example: for Metric A the index is "index=aData" and for Metric B the index is "index=bData". Currently in Splunk I'm seeing duplicate data because both metrics are sending the same value. So what I'm trying to achieve is:
1. First look for data coming from "index=aData"
2. If able to see data from index "aData", show me the results
3. Else check the data from "bData" (not looking for an "OR" condition)
Results should show the data from only 1 index to avoid duplicates.
Splunk dashboard: We have a dropdown with 2 possible values, option1 and option2. Based on what the user selects, either option1: ("A" OR "B") gets added to both the base query and the query, or option2: ("X" OR "Y") gets added to both the base query and the query.

1. If the user selects "option1", the query is:

<search id="base_query">
<query>index=logs sourcetype=ci "Shipping Finished" ("A" OR "B") ...</query>
<search base="base_query">
<query> | join some_field [ search index=logs sourcetype=ci | search ("A" OR "B") AND "Received complete status"

2. If the user selects "option2", the query is:

<search id="base_query">
<query>index=logs sourcetype=ci "Shipping Finished" ("X" OR "Y") ... </query>
<search base="base_query">
<query> | join some_field [ search index=logs sourcetype=ci | search ("X" OR "Y") AND "Received complete status"
Hello, I am attempting to install Splunk Stream but am running into issues after installing the necessary packages. I am installing the Stream App on a standalone Splunk instance on a VM and have tried on Ubuntu 22.04, Windows 10, Windows 2019 Server, both on-premise and in AWS/Azure, and am running into the exact same issue. After installing the Splunk App for Stream, Wire Data add-on, and Stream Forwarder add-on as instructed in the link below, when I check 'Collect data from this machine using Wire Data input (Splunk_TA_stream)', I get the following error: Failed to detect Splunk_TA_stream status.

https://docs.splunk.com/Documentation/StreamApp/7.4.0/DeployStreamApp/InstallSplunkAppforStreaminasingleinstance#:~:text=of%20Splunk%20Enterprise.-,Set%20up%20data%20collection%20on%20the%20local%20machine,-Select%20the%20Collect

Pressing 'Redetect' does not help and running the permissions.sh script does not change anything. The Splunk instance itself is a fresh install (no additional configurations) and no other apps besides Stream and its required add-ons have been installed. Can someone please help provide an explanation of this error I am getting and why it happens, regardless of which OS I am using? Are there additional steps I must complete? Any guidance is appreciated. The workflow I have done is as follows:
1. Deploy VM (on-prem or cloud; I have used both Ubuntu 22.07 and Windows)
2. Install Splunk Enterprise on the new VM
3. Install Splunk App for Stream, Wire Data add-on, and Stream Forwarder
4. Restart the Splunk instance
August 2023

Public Sector Adoption Boards
Splunk is constantly looking for ways to better support you on your journey to building better digital resilience. We recently launched three new microsites (aka adoption boards), highlighting the latest content, how-to’s, and use cases for Federal Civilian, Department of Defense, and SLED organizations to use on your Splunk journey.
Federal Civilian Agencies
Department of Defense
SLED Organizations
Remember to bookmark these pages for future reference and look out for more content updates in the coming months! If you have any feedback or recommendations for this board, please be sure to give us your thoughts here.

See You in September
Splunk Public Sector continues to support customers and partners at industry events and with education and training. Please stop by and see Splunk at any one of these Civilian, DoD, or State/Local and Educational events in September.

Date     Event                                Location
9/5-8    Billington Cybersecurity Summit      Washington, DC
9/7      CT Digital Government Summit         Hartford, CT
9/13     COVITS                               Richmond, VA
9/14     ME Digital Government Summit         Augusta, ME
9/18-21  TribalNet                            San Diego, CA
9/20-21  National Cyber Summit                Huntsville, AL
9/21     Potomac Officers Club Intel Summit   Washington, DC
9/24-27  MISAC                                Rancho Mirage, CA

Zero Trust - More Important than Ever
Splunk is teaming with several industry partners on Zero Trust solutions for Public Sector. Look for more information on this collaboration soon and be sure to check out Splunk’s latest Zero Trust information in the eBook Essential Guide to Zero Trust and the just-released Brief on How Splunk Supports the DoD Strategy.

September Virtual Workshops
Did you know that over 2500 individuals participated in Splunk’s Virtual Public Sector Workshops in the past 6 months? Be sure to check out September's classes, which include Splunk 4 Rookies (Sept 7), IT Foundations (Sept 14), and RBA (Sept 28). These ~3-hour workshops are led by Splunk SEs and are free to attend.

Splunk AI: Catalyzing Digital Resilience in Cybersecurity and Observability
Artificial Intelligence (AI) has the potential to transform our industry. At Splunk, we see it as a catalyst for driving digital resilience, a way to accelerate human decision making in service of incident detection, investigation and response. Read this blog to learn more about Splunk’s AI strategy, vision, and newest capabilities.

An Introductory Use Case Guide: Splunk Artificial Intelligence for Observability
Read “An Introductory Use Case Guide: Splunk Artificial Intelligence for Observability” to learn how organizations use anomaly detection, predictive analytics and clustering in Splunk to decrease downtime and foster innovation. This includes an introduction to AI and ML in observability, an overview of the Splunk AI/ML portfolio, and how to start your AI/ML project.

Tech Talks, Office Hours and Lantern

Tech Talks
New Enhancements with Splunk Enterprise 9.1: Our latest product innovations support integrated workflows and improved user experiences. This makes it easier for you to detect and predict issues, find root cause, assess risk and impact radius, and remediate quickly, accurately, at scale.
Top 5 Summer Playlist! Immerse yourself in our top 5 technical deep dives and discover a world of knowledge this summer. Whether you’re a seasoned practitioner or an enthusiastic newcomer there’s plenty to choose from. Play Now

Admin Office Hours
Office Hours - Getting Data In: Interested in getting live help from technical Splunk experts? Join our upcoming Community Office Hour session for Getting Data In (GDI), where you can ask questions and get guidance on how to onboard your data sources, forwarder setup and troubleshooting, ingest actions, Edge Processor, and more! Limited Spots Available - Register Now!
Getting Data In: Forwarders & Edge Processor - Wed, Aug 23 at 1pm PT/4pm ET
Getting Data In: Platform (EMEA) - Wed, Sep 9 at 8am ET / 4pm UK time

Splunk Lantern - Read our latest blog update!
This month we’re sharing all the new articles we’ve published over the past month, with lots of interesting new use cases, product tips, and data articles. We’re also asking for your vote in our Customer Choice Content Competition! Over the quarter we’ve been developing articles that meet direct asks from you, our customers, and now we want to hear which one is your favorite. Read on to find out more!

Education Corner

Hot Cybersecurity Courses Added to the Splunk Free Training Catalog
It’s summertime in the Northern Hemisphere, which means it’s pretty hot everywhere. And the Splunk Education course curriculum is no exception! If you’re an aspiring Blue Team Academy defender, we’ve recently added two more free courses to our growing curriculum of over 40 free self-paced learning courses. Check out “The Cybersecurity Landscape” and “Security Operations and the Defense Analyst” courses, now available and accessible anywhere, anytime.

Validate Your Splunk Certified Developer Skills Before It’s Too Late
The Splunk Certified Developer Certification is being taken out of the rotation on September 30, 2023. So, if you want to become a Splunk Certified Developer and build some killer apps with the Splunk web framework, the clock is ticking. Get your training on by following the Developer Track and reviewing the exam study guide. If you currently hold the certification/badge, it will remain valid until its current expiration date, but you may want to consider recertifying before it’s gone to extend the validity of your certification for another three years.

Get a New Certification to Validate Your Cybersecurity Expertise
Showcased at .conf23, the Splunk Certified Cybersecurity Defense Analyst (CDA) certification exam is now open to the public in beta, for FREE. So, look over the study materials, take the exam, and show the world you're a Splunk Certified Cybersecurity Defense Analyst. We’ll give you a badge to prove it too!

Earn Summer-themed Splunk Swag with the Splunk Learning Rewards Program
Are you making the most of your company's Splunk Education training units? If not, we've got an exciting program to incentivize you! Introducing the Splunk Learning Rewards Program. Earn points for each completed course, redeemable for awesome Splunk swag. Check out our limited-time Summer-themed rewards on the Learning Rewards site. Register and complete courses before your training units expire! Find out more here.

Meet Us in the Community | The Place to Learn and Share
We love our Splunk Community members and we’re always looking for ways to make their experience even more fulfilling. This is why we recently expanded our online presence with the new Splunk Training and Certification Community Site! Here, you can connect with other like-minded curious members looking to share their knowledge and learn something new. It’s also a place where you can bring your passion and your point of view. Find out what’s new with Splunk Education, and all things Training and Certification.

Talk with us about Splunk!
The Splunk product design team wants to learn about how you use our products. If you’re interested in contributing, please fill out this quick questionnaire so we can reach out to you. This may take such forms as a survey, receiving an email to schedule an interview session, or some other type of research invitation. We look forward to hearing from you!

Until next month, Happy Splunking
Please indicate an application available in the Splunk store (Find more Apps), preferably free. What possibility is there to establish authentication to an API of bearer type? I installed the "REST API Modular Input" app, but the activation key needs to be purchased.
Is it possible to create notable events in Splunk Cloud or is it only native to Enterprise Security? The detection rule below is creating actions=risk, notable and assigning some parameters in the notable event. Is it possible to implement this rule as it is, with notable event actions, in Splunk Cloud, or is it only possible in Enterprise Security? I know the alert can be created in Splunk Cloud with its alerting feature, but I am wondering if we need to modify the actions part of the detection rule if notable events do not exist in Splunk Cloud. Thank you.

[Possible Remote Administration Tools Detected (via office365)]
alert.severity = 3
description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = index=* ((Operation="FileUploaded" OR Operation="FileAccessed" OR Operation="FileDownloaded")
alert.suppress = 0
alert.track = 1
actions = risk,notable
action.risk = 1
action.risk.param._risk_object_type = user
action.risk.param._risk_score = 75
action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.notable.param.rule_title = Possible Remote Administration Tools Detected (via office365)
action.notable.param.rule_description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.
action.correlationsearch.label = Possible Remote Administration Tools Detected (via office365)
action.correlationsearch.annotations = {"mitre_attack": ["T1204"]}
Is there an SBOM released for Splunk and, ideally, for all the apps and add-ons on Splunkbase? We are looking to create an SBOM where Splunk is part of our solution and as a result need an SBOM for Splunk itself. Any pointers are appreciated.
https://www.splunk.com/en_us/blog/learn/sbom-software-bill-of-materials.html
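Whatever the vendor provides for the platform itself, the app and add-on layer of an instance can be inventoried locally, because every app declares its version in `app.conf` (`[launch]` and/or `[id]`, with `local/` overriding `default/`). The added example below (not from the original post, and not a Splunk-issued SBOM) reads that file for every directory under `$SPLUNK_HOME/etc/apps` and emits a minimal CycloneDX JSON document. It covers only the installed apps, not the libraries bundled inside Splunk Enterprise or inside each app, so it is one input to the solution SBOM, not a replacement for the vendor's. `demo()` builds a constructed apps tree in a temporary directory so the example runs offline.

```python
"""Build a minimal CycloneDX component list for the apps and add-ons installed
on a Splunk instance, from each app's app.conf.

Added example, not from the original post and not a Splunk-provided SBOM:
it inventories the app layer only. demo() uses a constructed apps tree."""
import configparser
import json
import os
import tempfile


def app_version(app_dir):
    """Version from app.conf; local/ wins over default/, [launch] over [id]."""
    version = None
    for layer in ("default", "local"):
        conf = os.path.join(app_dir, layer, "app.conf")
        if not os.path.isfile(conf):
            continue
        # interpolation=None: '%' in values is literal; strict=False tolerates
        # duplicate sections/keys that hand-edited conf files sometimes carry.
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(conf, encoding="utf-8")
        for section in ("id", "launch"):
            if cp.has_option(section, "version"):
                version = cp.get(section, "version").strip()
    return version


def inventory_apps(apps_dir):
    """One component per app directory, in a stable (sorted) order."""
    comps = []
    for name in sorted(os.listdir(apps_dir)):
        app_dir = os.path.join(apps_dir, name)
        if os.path.isdir(app_dir):
            comps.append({"type": "application", "name": name,
                          "version": app_version(app_dir) or "unknown"})
    return comps


def to_cyclonedx(components, platform_version):
    """Minimal CycloneDX 1.5 JSON: the platform as the root component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": "splunk-enterprise",
                                   "version": platform_version}},
        "components": components,
    }


def demo():
    """Constructed fixture: three apps, one with a local override, one unversioned."""
    fixture = {
        "search/default/app.conf": "[launch]\nversion = 9.0.5\n[ui]\nis_visible = 1\n",
        "Splunk_TA_aws/default/app.conf": "[launch]\nversion = 7.0.0\n[id]\nname = Splunk_TA_aws\nversion = 7.0.0\n",
        "Splunk_TA_aws/local/app.conf": "[launch]\nversion = 7.1.0\n",
        "custom_app/default/app.conf": "[ui]\nlabel = Custom\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in fixture.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return to_cyclonedx(inventory_apps(root), "9.0.5")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real instance, call `to_cyclonedx(inventory_apps("/opt/splunk/etc/apps"), "<splunkd version>")`; the platform version string is whatever `splunk version` reports and is passed in rather than guessed.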
Just installed Splunk App for Lookup File Editing 4.0.1 in Splunk Enterprise 9.0.5. The app loads after restart. But it gives “The lookup could not be loaded from the server” when I try to open an existing lookup; it gives the same error after I click “Save” when I create a new lookup. The file is created, but a corresponding lookup definition is not. How do I make the app work?

Following a suggestion in https://community.splunk.com/t5/All-Apps-and-Add-ons/Upgraded-Lookup-Editor-3-0-5-Errors-String-value-too-long-and/m-p/445645#M68591, I performed a search

index=_internal (sourcetype="lookup_editor_controller" OR sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler) testedit

The only error entry reads

ERROR force lookup replication failed: user=admin, namespace=search, lookup_file=testedit, details=a bytes-like object is required, not 'str'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 419, in update
    self.force_lookup_replication(namespace, lookup_file, session_key)
  File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 295, in force_lookup_replication
    if 'No local ConfRepo registered' in content:
TypeError: a bytes-like object is required, not 'str'

Before this error, there were two DEBUG entries and one INFO. In chronological order:

DEBUG destination_lookup_full_path=/opt/splunk/etc/apps/search/lookups/testedit
DEBUG Creating a new lookup file, user=nobody, namespace=search, lookup_file=testedit, path="/opt/splunk/var/run/splunk/lookup_tmp/lookup_gen_20230818_181212_7r7p4o8s.txt"
INFO Lookup created successfully, user=admin, namespace=search, lookup_file=testedit, path="/opt/splunk/etc/apps/search/lookups/testedit"

After I manually define a lookup with this file, I am able to use it. But the editor still cannot open it.
I have an indexer RHEL7 server that is DEAD. I have no way of getting into it to run any commands. I was able to remove it from the Index Cluster using:

splunk remove cluster-peers -peers <guid>

However, it is still in the Monitoring Console as an unreachable instance. How can I fully remove it?
August 2023

Introducing Splunk Attack Analyzer
Splunk is excited to introduce a new addition to the Splunk unified security operations experience: Splunk Attack Analyzer (formerly Twinwave), which automates threat analysis of suspected malware and credential phishing threats by identifying and extracting associated forensics to provide accurate and timely detections.

The Latest from SURGe
The SURGe security research team recently launched The Security Detail, a podcast that examines cyber threats across different industries. View episode information on this blog or listen on Apple Podcasts, Spotify or Podbean.
Bluenomicon: The Network Defender’s Compendium, a book of essays curated by the SURGe team, is now available digitally. Download your copy today.
Recordings of SURGe RSAC 2023 speaking sessions are now available:
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
Rethinking Recruiting: Effective Hiring Practices to Close the Skills Gap
Threat Informed Planning with Macro-level ATT&CK Trending

Splunk SOAR Playbook of the Month: Threat Hunting and Investigations
For the latest series entries, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Threat Hunting to learn how playbooks can help you automatically hunt for indicators of compromise, identify those threats in your environment, learn the details of the affected machine, and better explore the affected file system. Then read this month’s blog on Investigations to see how you can perform investigations at machine speed using Splunk SOAR and one of our investigation playbooks, Internal Host WinRM Investigate.

Big News from OCSF
The Open Cybersecurity Schema Framework (OCSF) is an open-source project established by Splunk, AWS and 16 other security and technology companies to remove security data silos and standardize data formats across security tools to help defenders rapidly detect and neutralize cyber threats. Learn more in this blog.
Splunk Enterprise and Splunk Cloud customers can readily ingest and analyze OCSF-formatted data from sources such as Amazon Security Lake or AWS AppFabric using the Splunk Add-On for AWS. Splunk Enterprise Security customers will also need the OCSF-CIM Add-On. Both add-ons are available on Splunkbase at no extra charge.

Splunk AI: Catalyzing Digital Resilience in Cybersecurity and Observability
Artificial Intelligence (AI) has the potential to transform our industry. At Splunk, we see it as a catalyst for driving digital resilience, a way to accelerate human decision making in service of incident detection, investigation and response. Read this blog to learn more about Splunk’s AI strategy, vision, and newest capabilities.

The SANS 2023 SOC Survey
Learn about the latest capabilities, architecture and technology of the modern security operations center (SOC) in the 2023 SANS SOC Survey report.

New blogs to help you make the most of Splunk Security
New PEAK Threat Hunting Framework blogs for turning hunts into detections and measuring hunting success
Identifying BOD 23-02 Network Management Interfaces with Splunk
UK TSA Regulations: SOC Teams, Get Ready!
DevSecOps is Here! Developers and SREs, Meet the SOC Team

Security Content from the Splunk Threat Research Team
The Splunk Threat Research Team has had two releases of security content in the last month, which provide 8 new detections, 16 updated detections and 7 new analytic stories. Read the Product News & Announcements post to learn more and check out these blogs to help you stay ahead of threats:
Amadey Threat Analysis and Detections
I am the Snake Now: Analysis of Snake Malware
Machine Learning in Security: Detect DNS Data Exfiltration Using Deep Learning

Join The Great Resilience Quest!
The quest for digital resilience has officially kicked off at .conf23! 400+ participants loved seeing the new path to greater resilience come to life at the Success Zone and played the virtual quest. Missed .conf? Worry not, as you too can join the virtual "The Great Resilience Quest" to explore new use cases and put your Splunk know-how to the test. This quest is welcoming adventurers throughout the year! Embark on this quest to learn how to implement Security + Observability use cases and get the right support from Splunk experts that make you ‘ready for anything’. It’s never too late to join this adventure. Join the challenge, expand your horizons and win prizes! Play now!

Tech Talks, Office Hours and Lantern

Tech Talks
OCSF, Amazon Security Lake and Splunk - Tuesday, August 29, 2023 | 10AM PT / 1PM ET - Register to Attend. A technical overview of the Open Cybersecurity Schema Framework (OCSF), Amazon Security Lake, how they integrate with Splunk today and where things are heading.
Top 5 Summer Playlist! Immerse yourself in our top 5 technical deep dives and discover a world of knowledge this summer. Whether you’re a seasoned practitioner or an enthusiastic newcomer there’s plenty to choose from. Play Now

Admin Office Hours
Office Hours - Getting Data In: Interested in getting live help from technical Splunk experts? Join our upcoming Community Office Hour session for Getting Data In (GDI), where you can ask questions and get guidance on how to onboard your data sources, forwarder setup and troubleshooting, ingest actions, Edge Processor, and more! Limited Spots Available - Register Now!
Getting Data In: Forwarders & Edge Processor - Wed, Aug 23 at 1pm PT/4pm ET
Getting Data In: Platform (EMEA) - Wed, Sep 9 at 8am ET / 4pm UK time

Splunk Lantern - Read our latest blog update!
This month we’re sharing all the new articles we’ve published over the past month, with lots of interesting new use cases, product tips, and data articles. We’re also asking for your vote in our Customer Choice Content Competition! Over the quarter we’ve been developing articles that meet direct asks from you, our customers, and now we want to hear which one is your favorite. Read on to find out more!

Education Corner

Hot Cybersecurity Courses Added to the Splunk Free Training Catalog
It’s summertime in the Northern Hemisphere, which means it’s pretty hot everywhere. And the Splunk Education course curriculum is no exception! If you’re an aspiring Blue Team Academy defender, we’ve recently added two more free courses to our growing curriculum of over 40 free self-paced learning courses. Check out “The Cybersecurity Landscape” and “Security Operations and the Defense Analyst” courses, now available and accessible anywhere, anytime.

Get a New Certification to Validate Your Cybersecurity Expertise
Showcased at .conf23, the Splunk Certified Cybersecurity Defense Analyst (CDA) certification exam is now open to the public in beta, for FREE. So, look over the study materials, take the exam, and show the world you're a Splunk Certified Cybersecurity Defense Analyst. We’ll give you a badge to prove it too!

Until next month, Happy Splunking
I have a Splunk container for development (Dev). I want to import a slice of data from one index of my production Splunk (Prod) to this container so I can write searches against that data exactly as it appears in Prod. Using Export on Prod and Import on Dev is not producing my desired outcome. Doing this as a single file with a single indexing is creating logs that index the container hostname as the host, not the host of the data itself. The data in the Prod index is of varying sourcetypes, so the import is also only creating the sourcetype of the import file, not the sourcetype from the data itself. I'm looking at possibly using the EventGen app but not sure if this will do what I'm trying to do. Is what I'm doing possible? I do not want the entire prod index. I do not want to rsync or otherwise go to the backend to move data.

EDIT: I modified the title; it seems I want the raw data and metadata to all come over in one package?
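Importing a file through the UI gives every event the importing instance's host and one sourcetype because a file upload is a single monitor input. The HTTP Event Collector does not have that limitation: each JSON event it accepts carries its own `time`, `host`, `source`, `sourcetype` and `index`, so the metadata survives if the export includes it. The added example below (not from the original post) assumes the Prod export was run as `... | eval epoch=_time | table epoch host source sourcetype _raw` and saved as CSV, and that the Dev container has an HEC token allowed to write to the target index and has the same sourcetypes defined. The sample CSV is constructed.

```python
"""Turn a Prod search export into HEC event JSON that carries each event's own
host, source, sourcetype and timestamp, so the Dev instance indexes it with
the original metadata instead of the importing container's.

Added example, not from the original post. Assumes the export columns
epoch, host, source, sourcetype, _raw; the CSV here is constructed."""
import csv
import io
import json

REQUIRED = ("epoch", "host", "source", "sourcetype", "_raw")


def missing_columns(csv_text):
    """Columns the export lacks, so a wrong `table` clause fails loudly."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted(set(REQUIRED) - set(reader.fieldnames or []))


def export_to_hec_events(csv_text, target_index):
    """One dict per exported event in HEC /services/collector/event form.
    _raw is passed verbatim so Dev applies the sourcetype's own line breaking
    and field extraction; the timestamp is the original epoch, not 'now'."""
    missing = missing_columns(csv_text)
    if missing:
        raise ValueError("export is missing columns: %s" % missing)
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "time": float(row["epoch"]),
            "host": row["host"],
            "source": row["source"],
            "sourcetype": row["sourcetype"],
            "index": target_index,
            "event": row["_raw"],
        })
    return events


def export_to_hec_lines(csv_text, target_index):
    """Newline-delimited JSON objects, the batch body HEC accepts in one POST."""
    return [json.dumps(e, separators=(",", ":")) for e in export_to_hec_events(csv_text, target_index)]


# Constructed two-event export; csv doubles the inner quotes in _raw.
SAMPLE_EXPORT = (
    'epoch,host,source,sourcetype,_raw\n'
    '1692382332.000,web01,/var/log/nginx/access.log,nginx:access,'
    '"10.0.0.5 - - [18/Aug/2023:18:12:12 +0000] ""GET /login HTTP/1.1"" 200 512"\n'
    '1692382340.123,fw01,udp:514,cisco:asa,'
    '"%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443"\n'
)

if __name__ == "__main__":
    # Post the output with, for example:
    # curl -k https://dev:8088/services/collector/event \
    #   -H "Authorization: Splunk <token>" --data-binary @events.json
    print("\n".join(export_to_hec_lines(SAMPLE_EXPORT, "prod_slice")))
```

Two things to check on the Dev side before sending: the HEC token's allowed indexes must include the target index, and a sourcetype that does not exist on Dev is still accepted but will get default line breaking and no extractions, which defeats the purpose of the copy.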
August 2023

New in Splunk Observability Cloud: Enhancements to the Kubernetes Navigator
Splunk delivers greater visibility, more intuitive exploration, and seamless troubleshooting for your Kubernetes components and containerized services with the recent updates to the Kubernetes navigator within Splunk Infrastructure Monitoring (IM). While you already had access to this Kubernetes monitoring solution out-of-the-box, the latest enhancements feature more intuitive navigation, deeper visibility of your complete Kubernetes environment, and assisted troubleshooting. Learn more

Experience Unified Identity between Observability Cloud and Splunk Platform
You can now seamlessly access Splunk Cloud and Splunk Observability data with one and the same user identity! As you’re investigating an issue in Splunk Cloud Platform, you can maintain context and effortlessly navigate into Splunk Observability Cloud with our new single sign-on feature. We’re also making it easy for Splunk admins to manage user data access by extending Splunk Cloud’s role-based access control into Splunk Observability Cloud, so that meeting internal compliance requirements is no longer a headache. For more info, take a look at our technical documentation here.

Splunk RUM Now Available in Australia
Splunk Real User Monitoring (RUM) officially expands regional availability to Australia. Splunk RUM is one of Splunk’s Digital Experience Monitoring (DEM) solutions that helps engineering teams proactively identify problems before customers notice and improve uptime and performance to deliver enhanced experiences that win customers.

ICYMI: Splunk Observability Cloud Named a Leader in the 2023 Gartner Magic Quadrant
Splunk was named a Leader in the Gartner Magic Quadrant for Application Performance Monitoring and Observability this year. Download your complimentary copy of the report here to learn about key trends in APM and observability, and more!

Splunk AI: Catalyzing Digital Resilience in Cybersecurity and Observability
Artificial Intelligence (AI) has the potential to transform our industry. At Splunk, we see it as a catalyst for driving digital resilience, a way to accelerate human decision making in service of incident detection, investigation and response. Read this blog to learn more about Splunk’s AI strategy, vision, and newest capabilities.

Federated Search for Amazon S3 webinar
View our on-demand webinar, “Federated Search: How to Seamlessly Search Your Data With Splunk & AWS", to learn more about this latest generally available feature that will open up new possibilities for searching your data. In partnership with the AWS team, we discuss common use cases for log analytics on Amazon S3 using Splunk and AWS Glue.

An Introductory Use Case Guide: Splunk Artificial Intelligence for Observability
Read “An Introductory Use Case Guide: Splunk Artificial Intelligence for Observability” to learn how organizations use anomaly detection, predictive analytics and clustering in Splunk to decrease downtime and foster innovation. This includes an introduction to AI and ML in observability, an overview of the Splunk AI/ML portfolio, and how to start your AI/ML project.

Join The Great Resilience Quest!
The quest for digital resilience has officially kicked off at .conf23! 400+ participants loved seeing the new path to greater resilience come to life at the Success Zone and played the virtual quest. Missed .conf? Worry not, as you too can join the virtual "The Great Resilience Quest" to explore new use cases and put your Splunk know-how to the test. This quest is welcoming adventurers throughout the year! Embark on this quest to learn how to implement Security + Observability use cases and get the right support from Splunk experts that make you ‘ready for anything’. It’s never too late to join this adventure. Join the challenge, expand your horizons and win prizes! Play now!

Tech Talks, Office Hours and Lantern

Tech Talks
From Insights to Action: Modern Performance Metrics That Drive Exceptional User Experiences - Tuesday, August 29, 2023 | 11AM PT / 2 PM ET - Register to Attend. Learn how to gain end-to-end visibility into your end users’ experiences, and optimize performance and uptime for your business-critical applications. This session explores the key elements of Splunk’s Digital Experience Monitoring (DEM), including Real User Monitoring, Synthetic Monitoring, and Web Optimization.
New Enhancements with Splunk Enterprise 9.1: Our latest product innovations support integrated workflows and improved user experiences. This makes it easier for you to detect and predict issues, find root cause, assess risk and impact radius, and remediate quickly, accurately, at scale.
Top 5 Summer Playlist! Immerse yourself in our top 5 technical deep dives and discover a world of knowledge this summer. Whether you’re a seasoned practitioner or an enthusiastic newcomer there’s plenty to choose from. Play Now

Admin Office Hours
Office Hours - Getting Data In: Interested in getting live help from technical Splunk experts? Join our upcoming Community Office Hour session for Getting Data In (GDI), where you can ask questions and get guidance on how to onboard your data sources, forwarder setup and troubleshooting, ingest actions, Edge Processor, and more! Limited Spots Available - Register Now!
Getting Data In: Forwarders & Edge Processor - Wed, Aug 23 at 1pm PT/4pm ET
Getting Data In: Platform (EMEA) - Wed, Sep 9 at 8am ET / 4pm UK time

Splunk Lantern - Read our latest blog update!
This month we’re sharing all the new articles we’ve published over the past month, with lots of interesting new use cases, product tips, and data articles. We’re also asking for your vote in our Customer Choice Content Competition! Over the quarter we’ve been developing articles that meet direct asks from you, our customers, and now we want to hear which one is your favorite.
Read on to find out more!       Education Corner Validate Your Splunk Certified Developer Skills Before It’s Too Late The Splunk Certified Developer Certification is being taken out of the rotation on September 30, 2023. So, if you want to become a Splunk Certified Developer and build some killer apps with the Splunk web framework, the clock is ticking. Get your training on by following the Developer Track and reviewing the exam study guide. If you currently hold the certification/badge, it will remain valid until its current expiration date – but you may want to consider recertifying before it’s gone to extend the validity of your certification for another three years.    Earn Summer-themed Splunk Swag with the Splunk Learning Rewards Program Are you making the most of your company's Splunk Education training units? If not, we've got an exciting program to incentivize you! Introducing the Splunk Learning Rewards Program.Earn points for each completed course, redeemable for awesome Splunk swag. Check out our limited-time Summer-themed rewards on the Learning Rewards site. Register and complete courses before your training units expire! Find out more here.    Meet Us in the Community| The Place to Learn and Share We love our Splunk Community members and we’re always looking for ways to make their experience even more fulfilling. This is why we recently expanded our online presence with the new Splunk Training and Certification Community Site! Here, you can connect with other like-minded curious members looking to share their knowledge and learn something new. It’s also a place where you can bring your passion and your point of view. Find out what’s new with Splunk Education – and all-things Training and Certification.      Talk with us about Splunk! The Splunk product design team wants to learn about how you use our products. If you’re interested in contributing, please fill out this quick questionnaire so we can reach out to you. 
This may take such forms as a survey, receiving an email to schedule an interview session, or some other type of research invitation. We look forward to hearing from you!       Until next month, Happy Splunking