Hi everyone! Here are a few questions from the session, as well as the link to the on-demand recording (get the full Q&A deck and recording in the #office-hours Slack channel as well)  Q1:  a) Can you show us some best in-class examples of executive dashboards made in ITSI?​ ​b) Interested in examples of Executive Dashboards for visualizing/comparing the health of a set of critical services. Answer​ Focus on Executive-Relevant Metrics​ High-level KPIs like service health scores, availability, and business impact indicators.​ Clear & Intuitive Visualizations​ Real-time data, color-coded health status, and clickable drill-downs.​ Show Service Relationships & Dependencies​ Visualize dependencies to understand impact across services.​ Provide Business Context​ Correlate IT health with business outcomes and customer experience.​ Keep Interface Simple & Focused​ Limit KPIs and services shown; use summary views with drill-down options.​ This approach empowers executives with a clear, actionable view of critical service health for informed decision-making and rapid response​. Documentation:​ Splunk Docs: Glass Tables​ The Top 10 Glass Table/Dashboard Design Principles to Boost Your Career and Your Business Q2: Can you give an overview of Event Analytics and demonstrate how Event IQ adds value here? Answer:​ Event Analytics (EA) is an alarm aggregation platform that is a companion tool to Service Analytics but may be used separately as a Monitor of Monitors​ Event analytics accepts alarm conditions ("notable events") from Service Analyzer as well as external (non-ITSI) tools:​ Splunk Alerts​ Splunk O11y Cloud​ Non-Splunk (3rd party) monitoring tools and solutions​ EA performs alarm deduplication and grouping into "episodes" (bundled related alarms) which can trigger any defined external action via an ITSM tool, Splunk alert actions, Splunk On-Call, messaging apps and tools, orchestration software...​ Event IQ is a new ML-powered feature in EA to perform intelligent alarm grouping into episodes with minimal-preconfiguration or understanding of alarm source relationships​ Currently: define key fields and their perceived values to be weighted in alarm grouping decisions​ Coming: full field discovery for grouping/weighting purposes​ Documentation:​ Event Analytics: https://docs.splunk.com/Documentation/ITSI/4.20.1/EA/AboutEA ​ Event IQ: https://help.splunk.com/en/splunk-it-service-intelligence/splunk-it-service-intelligence/detect-and-act-on-notable-events/4.21/event-correlation/automate-event-correlation-with-event-iq-in-itsi ​Q3: How do you create a KPI without using a content pack, such as AppDynamics?​ Answer​ KPI creation and configuration is done via the Service configuration UI as well as the Service Template configuration UI. High level config steps:​ Step​ Task​ Description​ Optional/Required​ 1​ Define a KPI source search​ A search string that you define as the basis for your KPI, using a data model, an ad hoc search, a metrics search, or a base search.​ Required​ 2​ Split and filter by entities​ Break down the KPI to apply the search to multiple entities, enabling comparative analysis of search results on a per-entity basis. Filter entities in or out of the KPI search.​ Optional​ 3​ Configure KPI monitoring calculations​ The recurring KPI search schedule and the statistical operations performed on the search results, including service health score calculations.​ Required​ 4​ Define KPI unit and monitoring lag​ Define the unit of measurement to display for the KPI. Configure the monitoring lag to offset indexing lag.​ Optional​ 5​ Enable backfill​ Fills the summary index with historical raw service health score data.​ Optional​ 6​ Configure KPI thresholds​ Severity-level thresholds that you apply to KPI search results. Thresholds let you monitor KPI status (normal, low, medium, high, and critical) and set trigger conditions for alerts.​ Required​ 7​ Configure KPI thresholds with machine learning in ITSI​ Use machine learning to analyze your KPIs with existing data and generate recommendations for optimal threshold values. Thresholds let you monitor KPI status (normal, low, medium, high, and critical) and set trigger conditions for alerts.​ Optional​ ​ Documentation:​ Splunk Docs: Create KPIs​ Splunk Lantern: Using SRE golden signals for KPIs Question 4: What is “drift detection” and how is that used?​ Answer:​ ​ Drift detection is used to identify changes in KPI behavior that happen over a long period of time not normally captured by Adaptive Thresholding – the "frog in the boiling pot of water" scenario​ Adaptive Thresholds: training max 60 days​ Drift Detection: training min 90 days     Documentation: Splunk Docs: Configure Drift Detection​ Splunk Docs: Migrate Anomaly Detection to Adaptive Thresholding​ Q5: What are best practices to deal with events as fast as they are generated? Answer​ Identify the alert data sources​ If ITSI supports alerts data integration for these sources (i.e., tools), use those ootb onboarding and normalization templates to normalize alerts​ Use lookup-based enrichment policies for enriching alerts from sources such as CMDB​ Use ootb NEAPs provided in Content Pack for monitoring and alerting for aggregating / grouping alerts ​ Be on ITSI 4.21 version to make sure of these latest capabilities incl. New queue-based event pipeline that brings higher scale and reduced latency ​ Documentation:​ https://help.splunk.com/en/splunk-it-service-intelligence/splunk-it-service-intelligence/detect-and-act-on-notable-events/4.21/overview/overview-of-event-analytics-in-itsi ​ Question 6: Can we learn more about ITSI integrations with Teams and Slack?​ ​ Answer​ Splunk ITSI’s Teams and Slack integrations are Splunk-supported & maintained, available on the Splunkbase website.  The integrations (content packs) do way more than help notify teams: ​ They streamline automatic alerting for correlated events and service health notifications They support actions and workflows within Teams and Slack, like posting messages, getting info about users, or even starting a SlackBot and making health checks In Teams, configure potential actions that allow for 3rd-party interactions between Splunk or a 3rd-party app from Teams ​ Documentation:​ Gain quick access w/ the Splunk App for Content Packs ​ Splunkbase apps for Slack, and Teams​ (Check here for troubleshooting Teams)​ ​ ... View more

You can view the On-Demand recording here (pw: FpvBfrn6) and slide deck here, but here is a sampling of questions covered in the event. Q1: Can I get some guidance on Agent installation and configuration? A: For AppDynamics, there are many ways to install and configure an Agent.  Below are the options: Manual configuration and installation Follow the getting started wizard on the Overview page Using automation like ansible or some other orchestration system to deploy applications and inject the agent and configuration If containerized and running in Kubernetes, you could use the auto instrumentation feature of the AppD cluster agent to deploy agents AppDynamics has a feature called SmartAgent that can install, configure and manage agents once smartagent is installed. Documentation: Getting started with application Agents Using Automation to install and manage application Agents Use auto instrumentation for Kubernetes using the AppD Cluster Agent Using SmartAgent to install and manage agents Q2: What is the best way to identify failure/error trends on a periodic basis (ex: after a software release of our internal product)? A:  Define the time frame you want to compare, where one is the older application code, and the second is the new release Create custom Dashboards and Health Rules displaying key error metrics (e.g., Error Rates, Response time, calls per minute) for your product’s  overall application performance, tiers and business transactions. Dash Studio has a built in feature that allows you to timeline comparison using key metrics and business transactions using Widget time ranges Documentation: Dash Studio Widget Time Ranges Q3: What are some best practices for filtering out “white noise”? A: "White noise" in AppDynamics typically refers to excessive alerting especially one that are not actionable. Optimize Error Configuration and Slow Transaction Thresholds  For Health Rules combine multiple conditions to get a clear technical problem definition for each monitor event (e.g., "Error Rate > 5% AND Calls Per Minute > 100")  Fine-Tune Health Rules making sure we set conditions with realistic thresholds and proper baselines  Use the <n> times in a time period to avoid single outliers creating monitor events.   Optimize Business Transaction (BT) Detection and Configuration, exclude irrelevant BTs those that are not critical to your business or application performance, lock down the relevant BT and review on a regular basis.  Don’t overdo it focus on alerts that actionable Take Advantage of Anomaly detection  Documentation: Dynamic Baselines Setup Health Rules Refine Business Transactions Anomaly Detection Q4: Does AppDynamics support OpenTelemetry? A:  Yes, AppDynamics SaaS currently supports OpenTelemetry Traces and Spans AppDynamics On-Premise Virtual Appliance is planned to support OTEL in the near future   AppDynamics also provides its own version of the OTEL collector that can be configured to send data to the controller OpenTelemetry end point In Americas, its supported in Oregon and Sao Paulo Regions In EMEA, its supported in Frankfurt and coming soon to London In APAC, its supported in Mumbai, Singapore and Sydney Documentation: AppDynamics OpenTelemetry Support Supported Regions Q5: Can you share some guidance around JVM Tuning? A: Appdynamics recommends that in resource-intensive environments where Splunk AppDynamics features, such as asynchronous transaction tracking, developer mode that result in a high number of metrics or snapshots reported per minute can affect agent resource consumption. In these cases, its recommended to increase the Heap and PermGen settings for the agent. Maximum heap size (-Xmx): 100 MB in addition to the amount required by the application Maximum PermGen (permanent generation) heap size (-XX:MaxPermSize): 20 MB in addition to the amount required by the application. The setting for MaxPermSize is applicable only for Java 6 or Java 7.  JVM option is no longer relevant in Java 8 and later versions Documentation: Java agent resource overhead Tune Java Agent Performance ... View more

You can view the On-Demand recording at the link above and slide deck here, but here is a sampling of questions covered in the event. Q1: Can you help me understand the two different types of anomaly detection in ITSI?  A: Anomaly Detection within Splunk ITSI uses machine learning to detect trend & event level anomalies, and alert teams. ITSI analyzes when data deviates from expected patterns, thresholds, and historical behavior to provide insights into detected patterns & uncover new patterns across multiple events that could indicate a potential issue. Entity cohesion anomaly detection analyzes asset data in a peer group, and identifies when some deviate from their common behavior Trending anomaly detection analyzes patterns in events for both sudden changes, and long-trending historical anomalies Documentation:  Understanding anomaly detection in ITSI Apply anomaly detection to a KPI in ITSI Anomaly detection algorithms Q2: What is adaptive thresholding and why is it important? A: In Splunk ITSI, adaptive thresholding is a feature that uses machine learning to dynamically adjust alert thresholds based on historical data patterns, rather than relying on static, unchanging values. This allows for more accurate anomaly detection in environments where data behavior fluctuates over time. By analyzing trends and normal variations, adaptive thresholds reduce false positives and missed alerts, ensuring that operational teams are notified of genuine issues even as the baseline behavior changes. Reduced false positives Improved anomaly detection  More accurate alerting Time-saving Documentation:  Create Adaptive Thresholds in ITSI Knowing proper adaptive threshold configurations Maintaining adaptive thresholds Q3: How do I configure and enable the Notable Event Aggregation Policy? (NEAP) A: What is a NEAP?  Notable event aggregation policy is the fundamental unit of event grouping in ITSI. NEAPs are the data structure the Rules Engine uses to group notable events into deduplicated episodes and organize them in Episode Review.  These episodes have their own title, description, severity, status, and assignee that are separate from the individual notable events within the episode. Aggregation policies are also the container for action rules that automate episode actions, such as sending an email or pinging a host. How to configure & enable NEAPs? Configuration > Event Management > Notable Event Aggregation Policies > Create NEAP Ships with default NEAP -> default policy only receives notable events matching no other aggregation policy's filtering criteria Content Pack for Monitoring & Alerting  Documentation:  Aggregation policies in the Content Pack for ITSI Monitoring and Alerting Best practices for implementing Event Analytics in ITSI Q4: What are some tips to reduce alert noise? A:  Optimize alert grouping with Event Aggregation Improve Alert Hygiene (get your thresholds right) Enrich Entity metadata Ensure your KPIs are relevant and meaningful Leverage the Content Pack for Monitoring and Alerting contains tools to analyze your episodes and alerts Documentation: https://www.splunk.com/en_us/solutions/alert-noise-reduction.html https://lantern.splunk.com/Observability/UCE/Guided_Insights/Reduce_Noise https://docs.splunk.com/Documentation/CPITSIMonitorAlert/2.3.0/CP/About Q5: Can we learn more about ITSI integrations with Teams and Slack? A: Splunk ITSI’s Teams and Slack integrations are Splunk-supported & maintained, available on the Splunkbase website. The integrations (content packs) do way more than help notify teams:  They streamline automatic alerting for correlated events and service health notifications They support actions and workflows within Teams and Slack, like posting messages, getting info about users, or even starting a SlackBot and making health checks In Teams, configure potential actions that allow for 3rd-party interactions between Splunk or a 3rd-party app from Teams Documentation: Gain quick access w/ the Splunk App for Content Packs  Splunkbase apps for Slack, and Teams (Check here for troubleshooting Teams) ... View more

Hello! Here are the recap materials from the session: On-Demand recording Slide Deck Here are the questions that we received in the session (more detailed solutions and info can be found in the slide deck) Q1: What is the best strategy to reduce ingestion costs? is there a way to show how much is being reduced?  A:  Archive all Unused Metrics Figure out lowly used metrics Sign up for Automated Archiving to Automate Documentation: Pipeline Management  Usage Analytics Data Management More Usage Story(Blog) Archived Metrics(Blog) Logs Metricization  The New Rules of Data Management (E-Book) Building a self service observability practice (Tech Talk) Q2: What are the best recommendations relating to data retention in Splunk, or even cold restore? A:  Metrics 1 Second Resolution: 3 Months 10 Seconds or more: 13 Months APM Raw Traces: 8 Days Traces of interest viewed in the Splunk APM user interface: up to 13 Months Profiling Data: 8 Days RUM Spans: 8 Days Session Replay: 8 Days Synthetics Run Results: 8 Days Metric Data: 13 Months Logs Varies by industry, regulations, source, and organization policies. See the Splunk Lantern article for more details and recommendations. Other Troubleshooting MetricSets: 8 days Monitoring MetricSets: 13 Months Documentation: Data Retention in Splunk Observability Cloud Configure Extended Trace Retention Setting data retention rules in Splunk Cloud Platform Learn about MetricSets in APM Q3: How would I manage log ingestion made by fluent like we do with Splunk Universal Forwarder and props? A: The Fluent Forward receiver allows the Splunk Distribution of the OpenTelemetry Collector to collect events using the bundled Fluentd application. The receiver accepts data formatted as Fluent Forward events through a TCP connection. All three Fluent event types, message, forward, and packed forward, are supported, including compressed packed forward.  However, this integration will be deprecated in October of 2025 as we have shifted to native OpenTelemetry log collection. Our best practice recommendation is as follows: Kubernetes: OpenTelemetry native log collection Stand-alone Linux/Windows hosts: Universal Forwarder log collection When used with Splunk Log Observer Connect, you can take advantage of effectively all Splunk Observability Cloud logging functionality, including Related Content. Documentation: Fluent Forward Receiver Splunk Distribution of the OpenTelemetry Collector Log Observer Connect Related Content ... View more

Hello! Here are the recap materials from the session: - On-Demand Recording - Slide Deck And here are the questions we received (there are supplemental slides for each of these solutions in the deck) Q1: What are some unique advantages of Splunk IM? Real time, OTel Native, AI-Assisted, End-to-End Correlation, all at Enterprise Scale (see additional slides in deck) Documentation: https://www.splunk.com/en_us/products/infrastructure-monitoring-features.html Q2: What is related content? A: The Related Content panel in Splunk Observability Cloud automatically correlates and presents data between different views within Splunk Observability Cloud (see add'l slides in deck) Documentation: https://help.splunk.com/en/splunk-observability-cloud/data-tools/related-content Q3: How can I send metrics to Splunk IM? A: With OpenTelemetry Collector, Cloud APIs, REST APIs (see add'l slides in deck) Documentation: https://help.splunk.com/en/splunk-observability-cloud/monitor-infrastructure/set-up-infrastructure-monitoring Q4: How to manage log ingestion made by fluent, like we do with Splunk universal forwarder and props?  A: You can deploy an Otel Collector with a fluentforward receiver and export to Splunk HEC endpoint Documentation: https://github.com/signalfx/splunk-otel-collector/blob/main/cmd/otelcol/config/collector/agent_config.yaml https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/fluentforwardreceiver https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/splunkhecexporter Q5: Is IM only for Kubernetes? What if I want to monitor servers and apps hosted in AWS via IM? A: With Splunk IM you can get metrics from hosts and containers on-prem or in the cloud (AWS, Azure, GCP) and services running on them like K8s, message brokers, web servers, DBs etc You can send infrastructure metrics to Splunk IM:  With OpenTelemetry Collector (deployed in EC2 instances) By calling Cloud APIs to get metrics from AWS (CloudWatch metrics) By using REST API calls to send custom metrics Documentation https://help.splunk.com/en/splunk-observability-cloud/manage-data/available-data-sources/supported-integrations-in-splunk-observability-cloud#nav-Supported-integrations ... View more

Thank you to all who attended this event! For those who weren't able to attend, here are the recap materials: - Q&A Slide Deck - Live Recording Please reply here if you have any questions! ... View more

Here are some of the questions covered in the session: Q1: How do you get logs from a Kubernetes Cluster? Solution:  Set Log Collection in the wizard:     See documentation - covers cases like host logs, multi-line logs, using pod annotations, sending events, etc. There are also many more tips about this topic from slides 8-14 in this deck Documentation: https://docs.splunk.com/observability/en/gdi/opentelemetry/collector-kubernetes/kubernetes-config-logs.html Q2: How can I optimize troubleshooting for K8s alerts? Solution:  Utilize the Navigator links embedded in alerts  Autodetector alerts Utilize built-in metrics and dashboards Identify problematic nodes, pods, and containers using the hierarchy map in the Kubernetes Navigator Deploy the Splunk Distribution of the Otel Collector to your cluster for correlation of metrics, traces and logs (related content) Enrich telemetry data with custom metrics or adding relevant metadata to enhance troubleshooting  Documentation: https://docs.splunk.com/observability/en/infrastructure/monitor/k8s-nav.html https://docs.splunk.com/observability/en/gdi/get-data-in/compute/k8s.html#get-started-k8s https://docs.splunk.com/observability/en/gdi/opentelemetry/collector-how-to.html#collector-how-to  https://docs.splunk.com/observability/en/metrics-and-metadata/relatedcontent.html Q3: One of my containers produces events as json. Any pointers on how to teach the OTel Collector to read it in as json, I am getting multiple events strung together as one. Ideally is this something that I can achieve in the Splunk Otel helm chart? Solution:  See details below on processing multi-line logs; this is likely why you are getting a multi-line json showing up as individual log lines Documentation: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/advanced-configuration.md#processing-multi-line-logs  Installing with YAML manifests ... View more

Here were some questions from the session: Q1: Can you share some best practices for Synthetic Testing for app performance? Solution Simplify as much as possible, and validate as you go Use global variables to scale and protect sensitive information Organize your tests with naming conventions and tags Understand your baseline, then alert on KPIs View results in context with the rest of your application health Documentation: https://docs.splunk.com/observability/en/synthetics/test-config/rum-synth.html  https://docs.splunk.com/observability/en/synthetics/browser-test/browser-test-metrics.html#performance-timings  Blog: https://community.splunk.com/t5/Community-Blog/Mastering-Synthetic-Browser-Testing-Pro-Tips-to-Keep-Your-Web/ba-p/698356   Q2: What metrics do synthetic tests generate? I'd like to create a custom dashboard based off synthetics. Solution:  Solution Different metrics are generated for Browser, Uptime, and API tests. Transactions within Browser tests also generate a few metrics, so you can monitor and alert on unexpected changes across multiple steps or pages within a test. Documentation: Browser test metrics Uptime test metrics API test metrics Q3: What capabilities in O11y Cloud help me understand the actual experience of the users of my website? Solution Real User Monitoring (RUM) focuses on how your end users experience your web or mobile application RUM provides visibility into errors and performance, and ties them to backend traces Support for browser and native Android & iOS apps Flexible instrumentation built on open source/open standards Documentation: Intro to RUM RUM scenario library *You can find the slide deck with all of the Q&A and the session recording on our #office-hours user Slack Channel. ... View more

Hello, Apologies for this and thanks so much for bringing it to our attention! We recently migrated these to different webpages, hence the broken links. I have provided the updated resources below. Let me know if you need anything else! Security Onboarding Toolkit Security Learning Tracks Observability Onboarding Toolkit Observability Learning Tracks Platform Onboarding Toolkit Platform Learning Tracks ... View more

Here are a few questions from the session, each of which had a live solution (get the full Q&A deck and live recording in the #office-hours Slack channel) 1) Can you cover log filtering details before logs ingested to Splunk as part of optimizing cost? There are multiple approaches to filter logs which can be chosen based on the preferred granularity: Using pod or namespace annotations Include/exclude logs using resource attributes or OTTL conditions with filter processor Documentation: Filter logs using pod or namespace annotations OpenTelemetry Transformation Language (OTTL) Example using Filter processor 2) Please tell me how to collect metric indicators of Docker containers after installing them as daemon sets in an ECS-EC2 environment using Splunk Otel. Deploy the Splunk distribution of the OpenTelemetry Collector as a Daemon set Current support for querying ecs task and metadata endpoints Moving soon to native OTel implementation with ECS receiver Follow guided steps with UI wizard and get value with OOTB content Documentation: Deployment steps ECS container metrics receiver 3) How can I customize Kubernetes navigators and/or dashboards? Dashboards: Built-in dashboard content is read-only. You must “⋯”(meatball menu icon) -> “Save as…” (after that it is drag/drop/edit like any custom dashboard) Navigators: Create a copy of the dashboard (“Save as…” either from Navigator View or Dashboard) Modify the copy as you wish Can add or replace in Navigator dashboard tabs with “⁝”(kebab menu icon) -> “Manage navigator dashboards”) Add your custom dashboard, drag to reorder (optional) Hide the built-in dashboard Documentation: https://docs.splunk.com/observability/en/infrastructure/manage-navigator-dashbds.html  ... View more