Here are a few more resources you might find helpful:   Voice of the Customer: Observability for AI    Documentation: Introduction to Splunk Observability for AI    On - Demand Webinar: Agentic, AI-powered Observability: Simplifying Operations & Faster Resolution    Blogs:   A Recap of .conf25 Splunk Observability Announcements  Monitor the Health, Performance, and Security of Your AI Application Stack with AI Agent and AI Infrastructure Monitoring    Talk to us if you have any questions: Talk to an expert ... View more

Here are a few more resources you might find helpful: Splunk Docs Admin Guide Install Guide User Guide Troubleshooting Guide Guided Lantern : Installing and Upgrading to Splunk Enterprise 8x YouTube: Splunk Enterprise Security 8.0 Workflows Guided Tour: Splunk Enterprise Security Self-paced e-Learning ES 8 Updates for the Splunk SOC SOC Essentials: Introduction to Threat Hunting PDF Presentation: Splunk Enterprise Security 8.x Presentation Talk to us if you have any questions: Talk to an expert ... View more

What's next? Watch the Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot faster, and More Tech Talks How to try Secure Application: AppDynamics: Talk to your Splunk account team to Start a free trial​​ Observability Cloud: Sign-up for the preview here   ... View more

Here are a few top of mind questions from the live Tech Talk   Q. If I have ES and SOAR, what version of ES and SOAR do I need to take advantage of the unified TDIR workflows across the two products? A.  ES 8.x SOAR 6.3 and above Q. Can you clarify, if I have ES and SOAR, do I need the ES Premier license for unified TDIR workflows? A. No, but you will need to pair ES and SOAR and you can do that only for the combinations below: ES Cloud & SOAR Cloud ES CMP & SOAR CMP Standalone ES Cloud & SOAR CMP Standalone (hybrid) Those unified workflows however would not have things like Asset Risk Scoring or UEBA. Q. What additional value would I actually get with ES Premier if I already have ES and SOAR today? A. ES Premier product is Splunk’s most powerful and and seamless AI-powered SecOps platform. By bringing together the next-generation of our SIEM, SOAR, and UEBA together in one seamless experience…we arm every analyst with full visibility, industry-leading tooling, and built-in automation for everyone in the SOC…to quickly identify and stop evolving threats. ... View more

Here are a few top of mind questions from the live Tech Talk   Q. Can the Splunk OpenTelemetry collector run without any initContainter (like rhel/ubi image) to patch the application log directories/files (for the file permissions) without a root privilege? A. Yes, the Splunk OpenTelemetry Collector can run without an initContainer and without root privileges to handle log file permissions. This is achieved by configuring Kubernetes security Context (e.g., fsGroup) for shared volumes or by ensuring the application writes logs with appropriate permissions that allow the non-root collect or user to read them. The Collector is designed to run as a non-root user for most use cases. Q. What is Agentic AI Use cases can be achieved by O11y Cloud and What are agentic AI capabilities are present in O11y Cloud? A. Splunk and Cisco are seeing the need for the observability world evolve to not just observability but agentic observability...and when we think about agentic observability, there are 3 components:  Using AI to work smarter and faster  ITSI EventIQ (correlate alerts with AI to cut noise) is GA now  at .conf we also announced more agentic features that will be Alpha by end of the year: (AI Troubleshooting in O11y Cloud and AppDynamics and ITSI AI-directed episode summarization which is alpha today)  Observe AI agents and infrastructure  AI Agent monitoring in observability cloud  AI Infrastructure monitoring (GA)  AI Agent monitoring with AppDynamics (GA)  Unify observability and show business impact  Digital Experience Analytics in Observability cloud to gain visibility into user behavior and usage  APM Support for hybrid apps and business transactions- to monitor business transactions with precision  Database monitoring- to accelerate query troubleshooting with deep insights  All these are scratching the surface of what our teams are doing to meet the agentic moment.  Q. What's the key difference between 'Splunk observability cloud" vs " Splunk AppDynamics"? A. Splunk Observability Cloud is designed for modern, cloud-native, and microservices environments, offering a unified platform for metrics, traces, and logs with real-time, OpenTelemetry-native data. Splunk AppDynamics excels in deep Application Performance Monitoring (APM) for traditional, monolithic, and hybrid enterprise applications, providing extensive code-level and business transaction visibility.  Let's quickly go over our Observability Portfolio and how it all comes together:  The foundation of this portfolio is the Splunk Platform, which includes Splunk Enterprise and Splunk Cloud and provides an underlying layer for logs analytics, data management, and identity.   At the application, infrastructure, and user experience layer, we have AppDynamics, which is optimized for 3 tier and n-tier applications and self-managed environments. Observability Cloud on the other hand is optimized for cloud native environments and caters to customers that have a strict requirement for OpenTelemetry.   ITSI ties these components together with an overall intelligence layer targeted at IT Ops teams. It brings business service monitoring and event analytics, coupled with powerful AI/ML capabilities.  Q. Is it mandatory to send metrics and traces collected by OpenTelemetry collector to Splunk Observability Cloud while logs go to Splunk Cloud? Is there flexibility in routing all telemetry types to a single destination? Are there any technical limitations and how can Log Observer be utilized for troubleshooting? A. No, the OpenTelemetry Collector offers flexible routing; you can send all telemetry (metrics, traces, logs) to a single destination like Splunk Observability Cloud. If logs go to Splunk Cloud, Log Observer Connect unifies them in Observability Cloud. Log Observer aids troubleshooting by providing contextual log analysis integrated with metrics and traces. Q. For an organization just starting their journey with Kubernetes monitoring, what would be the absolute first practical step you recommend they take, and how quickly can they expect to see value from implementing a solution like Splunk IM? A. The first step we recommend organizations take is to choose relevant metrics. Not all data is equally useful. Focus specifically on system and application metrics because they directly impact your system's health and performance. System metrics like CPU and memory utilization, disk I/O, and network traffic provide a baseline view of cluster health. Application-specific metrics, such as node, pod, container availability, and resource usage, provide insights into performance. So, align these metrics with your business objectives and define collection rates and retention periods for efficient data management. Have all the necessary Splunk products and capabilities in place like Splunk cloud and log observer connect is important as well. These dependencies allow you to bring K8s events and logs right into K8s navigators. That way, once you install the Collector for Kubernetes, you can begin to monitor Kubernetes using navigators. You can find a list of best practices in this blog and instructions on how to install the collector for Kubernetes in our documentation. Q. Beyond the technical capabilities, what's one piece of advice you'd give to teams looking to foster a more 'observability-driven' culture within their organization when dealing with Kubernetes and cloud infrastructure? A. Start by making observability a shared responsibility — not just a toolset owned by one team. The biggest pitfall I see is partial buy-in: when even one team isn’t contributing to telemetry, you create data blind spots that break the full picture. The best organizations treat data as a shared language that connects Dev, Sec, and Ops around a common view of service health and customer experience. Encourage teams to collaborate early, automate wherever possible, and treat every incident or deployment as a learning opportunity. That’s when observability shifts from something you monitor to something you practice. Q. You highlighted the importance of 'Observability Unlocked.' Could you elaborate on one common misconception organization that have about observability in a Kubernetes and cloud environment, and how Splunk IM specifically helps to correct that? A. One common misconception organizations have about observability in Kubernetes and cloud environments is that simply collecting large volumes of metrics, logs, and traces independently is sufficient to understand and resolve issues. Many believe that more data alone guarantees better visibility and faster problem resolution. However, a singular strategy of more data to gain better visibility can result in redundant or irrelevant data and can still lead to fragmented visibility. You need a data management strategy that collects the most useful data across all your different tech stacks, teams, and services. Splunk IM provides unified visibility across any environment and stack, combining key metrics, logs, and traces into a single, correlated observability experience. You can learn more about challenges, best practices, and key metrics and tools in this blog. Q. Can you share a specific, perhaps challenging, use case where Splunk IM's capabilities significantly reduced MTTR (Mean Time To Resolution) or helped a team correlate their SLOs to business impact? A. Here are 2 specific IM customer stories on the website about Bosch Rexroth and a healthcare software company. Bosch Rexroth was able to tackle lever pricing and having infrastructure monitoring across both IT and OT environments. This means the factory could avoid surcharges for exceeding peak energy consumption levels. With Splunk, the team at Bosch Rexroth AG set up an alert — based on an AI/ML energy consumption forecasting model — to warn operators when the factory reaches the 90% mark for energy consumption. This prevents the factory from exceeding the maximum and paying energy price surcharges. Yes, there have been multiple incidents, but if I had to pick one, it would be during .conf25. Our application was stable, and we anticipated a modest 20% increase in traffic. However, the actual surge was a staggering 100%, overwhelming our infrastructure. This unexpected spike led to significant CPU and memory utilization, threatening our service-level objectives (SLOs). Fortunately, our Splunk Infrastructure Monitoring (IM) detector promptly alerted us to the anomaly. This early warning enabled us to swiftly add more nodes to the cluster, restoring balance. By leveraging Splunk IM's real-time alerts, we maintained our SLOs and ensured uninterrupted service during the critical event.   ... View more

What's next? Watch the Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud, and More Tech Talks Here are a few more resources you might find helpful: Free Trial: Splunk observability Guided Tour: Splunk Infrastructure Monitoring Guided Product Tour Documentation: Introduction to Splunk Infrastructure Monitoring Splunk Observability Cloud free trial and guided onboarding Splunk Distribution of the OpenTelemetry Collector Splunk Infrastructure Monitoring Guided Product Tour Supported integrations in Splunk Observability Cloud Certification: Splunk Observability Cloud Certified Metrics User Blogs: Kubernetes Monitoring: The Ultimate Guide How To Monitor Kubernetes with Splunk Infrastructure Monitoring Inside Kubernetes: A Practical Guide to K8s Architecture and Operational Challenges Kubernetes Metrics for Troubleshooting: The Practitioner’s Guide To Diagnosing & Resolving K8s Issues Training Courses: Introduction to Splunk Observability Cloud Introduction to Splunk Infrastructure Monitoring Fundamentals of Metrics Monitoring in Splunk Observability Cloud K8s Monitoring with Splunk Observability Cloud Getting K8s Data into Splunk Observability Cloud Talk to us if you have any questions: Talk to an expert ... View more

What's next? Watch the Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot faster, and More Tech Talks Here are a few more resources you might find helpful: Documentation:  ThousandEyes integration with Splunk APM ThousandEyes integration with Splunk RUM Splunk Observability Cloud:  Splunk Application Performance Monitoring (APM) - Learn More Splunk Real User Monitoring (RUM) - Learn More How to get started:    ... View more

Here are a few top of mind questions from the live Tech Talk   Q. What is required to participate in the preview for Observability Cloud? A.  You must have Splunk Observability Cloud deployed in their environment Running a Java-based application The customer must be US-based and running the application on AWS (us0 or US1 realms) Q. How is Secure Application different from Splunk Enterprise Security? A. Splunk Enterprise Security is a broad SIEM platform focused on enterprise-wide security and detections. Secure Application is specifically designed for application-level, runtime security and is not part of Splunk Enterprise Security. It complements the Splunk security portfolio by focusing on the needs of application teams, especially those responsible for application development and operations. Q. Is Secure Application included free? A. No, Secure Application is an add-on capability for both AppDynamics and Observability Cloud offered as a paid add-on for Splunk Observability Cloud APM (both standard and enterprise editions). Pricing will be competitive and value-based, using a per-host metric aligned with existing observability products. Available for both SaaS and on-prem environments, matching current AppDynamics secure app licensing models. Q. Is  it part of Splunk Base? A. No, Secure Application is not included at this time, but may be added in the future. Q. Will Secure Application alerts be mapped to the Splunk Common Information Model (CIM)? A. Yes, mapping to CIM is planned as part of the roadmap to support deeper integration with Splunk Enterprise Security at GA.   ... View more

Here are a few top of mind questions from the live Tech Talk   Q. Do I need to own other Splunk products in order to use Splunk Attack Analyzer? A. No, Splunk Attack Analyzer can be used on its own; you do not need to own any other Splunk products in order to use it. Q. How can I get a demo of Splunk Attack Analyzer? A. You can reach out to your account rep to set up a demo, or if you’re attending .conf25 in September, we’ll also have folks doing product demos in the Pavillion. Q. Do you have any case studies about how customers use Splunk Attack Analyzer alongside other Splunk products? A. Yes! One example is a case study featuring Johnson Matthey, which describes their use of Splunk Attack Analyzer alongside Splunk Enterprise Security and Splunk SOAR: https://www.splunk.com/en_us/customers/success-stories/johnson-matthey.html   ... View more

Here are a few top of mind questions from the live Tech Talk   Q. What approach would you take to entice a client who is still resistant to switching to a risk framework? A. The approach would highlight how risk-based alerting saves analysts' time by grouping different basic alerts into risk-based findings, allowing them to focus on critical alerts and deep-dive into more important investigations instead of reviewing hundreds of basic alerts daily. Q. Can the AI assistant be leveraged to lower false positives, and if so, how? A. Yes, the AI assistant can help identify different types of false positives by analyzing trends within alerts generated by detections, with the right prompts. Q. For intelligence, does Splunk use Cisco Talos? A. Yes, whenever a client gets a Splunk Enterprise Security license, they receive Cisco Talos integration for free, allowing them to use enrichment information from Cisco within Splunk Enterprise Security. Q. Can Splunk use most threat intelligence feeds? A. Yes, even though Cisco Talos integration is included for free, Splunk can integrate with many other threat intelligence feeds, such as Virus-Total and IBM X-Force Exchange. Q. Is Cisco Talos the only intelligence platform they use or are there others too, like Crowd-strike intelligence? A. No, while Cisco Talos integration is included out-of-the-box and for free with a Splunk Enterprise Security license, Splunk can integrate with many other security intelligence feeds. Examples include Virus-Total and IBM X-Force Intel. Q. What are some of the primary connectors in SOAR that are most impressive for a SOC to use? A. The most impressive connectors in SOAR depend on the specific use case and organizational needs. However, key examples highlighted include the Cisco Talos connector for automatic enrichment of investigations and findings, Virus-Total for threat intelligence, and connectors for ticketing systems like ServiceNow or Jira, which can automate tasks such as opening new tickets for investigations. Q. Does EDR (Endpoint Detection and Response) telemetry ingestion in Splunk provide benefits, considering it can consume a lot of ingestion volume? A. Yes, EDR telemetry is highly beneficial for creating meaningful detections. While it can consume a significant amount of ingestion, data models can help manage this volume. Q. Is the AI assistant a free add on? A. Yes, the AI assistant is a free add-on. Q. How does Splunk handle Protected Health Information (PHI) when using the AI assistant? A. Any data within the Splunk environment, including PHI, stays within Splunk, and interactions with the AI assistant are private to the user. Q. Is it possible to pull KPI metrics on the Splunk platform? A. Yes, Splunk comes with over 100 dashboards out-of-the-box that can be used or customized to track KPIs. These dashboards provide views on security posture, findings over time, urgency, and executive summaries, including metrics like mean time to triage and mean time to resolution. Q. Does this prioritize the response list based on the type of incident, to help guide the analyst towards what response is most appropriate? A. Yes, Splunk uses "response plans" which are designed to guide analysts on what to do for specific alerts coming from particular detections. This means that analysts will not treat every detection or alert the same way, as the response plans help tailor the actions to the incident type. Q. Here you have some of the links shared on the presentation: A. The SecOps Handbook to TDIR Automate complete TDIR life cycle Innovations in Splunk Security Expands Unified TDIR Experience to On-Premises and FedRamp Moderate Environments The TDIR Lifecycle: Threat Detection, Investigation, Response ... View more

Here are a few top of mind questions from the live Tech Talk   Q. Is Ingest Monitoring only for Cloud at this time? A. Yes, Splunk expands Data Management capabilities to include ingest monitoring: enabling native visibility across all data sources in Splunk Cloud Platform: Splunk Expands Data Management Capabilities To Include Ingest Monitoring. Q. Python 3.9 is EOL in October of this year. How fast will the move to newer versions be coming? A. Newer versions of Python are planned to release in the upcoming version of Splunk. Splunk has procured 3rd party support for Python 3.9 as the Platform, Apps, and TAs migrate to newer, mainstream supported versions. Q. The Dashboard was mentioned but not delved into, where can we find these new features? A. Here you can find the futures: Dashboard Studio: What's new in Splunk Enterprise 10.0 and 9.4 Dashboard Studio: Spec-TAB-ular updates Q. Is Splunk Health Assistant Add-on (SHAA) necessary for Cloud environments? Should we request that to be installed? A. The Splunk Health Assistant Add-on (SHAA) is for On-Prem only. This add-on allows for On-Prem users to update the latest Monitoring Console health checks out-of-band from a Splunk release. Cloud Customers automatically get the latest health checks with updates to the Cloud Monitoring Console. Q. Can you share the Splunk 10.0 documents? A. Here are the release notes: Splunk Enterprise Splunk Cloud Platform Q. What is the upgrade path if we are using Splunk Cloud and ES? A. ES will require upgrades to versions that are compatible with Splunk 10. Splunk will initiate those changes. The upgrade path will be dependent on the existing ES version. Q. When we install Splunk 10.0 is FIPS enabled by default? A. This will depend on the environment. For Fed ramp Cloud, FIPS 140-2 will be enabled by default. For commercial cloud and CMP FIPS will not be enabled by default. FIPS mode must be configured if required for your organization's compliance needs, as per it's not enable by default. Q. Does Agent Management includes upgrading UFs remotely on both Windows and Linux? A. Yes, Agent Management in Splunk 10 enables you to manage and upgrade Universal Forwarders remotely on both Windows and Linux platforms. We did launch initially with support only for Linux, but remote upgrade for Windows is now available with Splunk 10. Splunk remote upgrader  Q. Is there a minimum version required to upgrade to Splunk 10.0? A. Yes, you must be on a supported recent version (likely Splunk 9.x, such as 9.0, 9.3, or 9.4) to upgrade directly to Splunk 10.0. If you are on an older version, you should plan to upgrade in stages according to Splunk’s official upgrade path and documentation. Here is the documentation where you can find the minimum versions to upgrade to Splunk 10, which can be found here: Upgrade information for version 10.0. Q. Does Edge processor need separate license or extra cost and is there any limit how much data is passed thru edge? A. Edge Processor comes with no additional cost to Splunk Enterprise 10.0, there is no license needed, as well, there is no limit on processed data for Edge Processor for Splunk Enterprise or Splunk Cloud. Q. Will Splunk Cloud customers get a chance to defer the 10.x upgrade in case this breaks any apps they're using? A. Splunk will work with customers on App compatibility prior to upgrading the stack to Splunk 10, the customers will receive advance notice (14 days) before their platform is upgraded to 10.0. Customers are encouraged to work closely with Splunk support and their app vendors to ensure readiness before the upgrade date. Q. Are these O11y integration views sourcing all their data from Observability cloud, even when adding those new panel types to dashboard studio for things like service map? A. Observability integration views in Splunk 10 can source data from Splunk Observability Cloud—especially for metrics and service maps—but are not strictly limited to that source. Dashboard Studio panels may visualize both O11y Cloud data and native Splunk metrics, depending on configuration and integration. Splunk expands Data Management capabilities to include ingest monitoring: enabling native visibility across all data sources in Splunk Cloud Platform: Splunk Expands Data Management Capabilities To Include Ingest Monitoring. Q. Do we have a document that explains what makes an app Splunk 10 compatible? A. Here is the dependency changes in Splunk 10 can be found here: Preparing to upgrade from 9.x to Splunk Enterprise and Cloud Platform 10.0. Q. Can you share what 3rd party apps you are communicating with major vendors like Akamai, security apps? A. Splunk Our developer relations team is engaged with pursuing compatibility for all 3rd party Apps / TA's. Though, we don't have specific details on which developers are being communicated with. Splunk 10 App compatibility can be checked at any time through Splunk base for specifics check:  Preparing to upgrade from 9.x to Splunk Enterprise and Cloud Platform 10.0. Q. For On Prem versions, what is available for health check? A. For on-premises Splunk versions, the Splunk Health Assistant Add-on (SHA) is available for health checks, especially for upgrade readiness to Splunk 10. It runs within the Monitoring Console, provides detailed, actionable checks, and is regularly updated to cover new requirements. Q. Any public plans to move to TLS 1.3? Or is the TLS 1.2 only setting the minimum, while actively allowing TLS 1.3? A. TLS 1.3 support is in the product roadmap. Q. Is Simple XML for dashboarding going away soon? A. There are no plans to deprecate this feature. Q. Does Splunk 10 support TLS 1.3? A. Splunk 10.0 does not support TLS 1.3 at this time. Q. With the breaking changes potential, is there a reversion opportunity in the cloud? A. As of today, rollbacks are not possible in the cloud. ... View more

Here are a few top of mind questions from the live Tech Talk   Q. There are several integrations with Cisco products, can you please let us know if the same value would be given from topology metrics and events from other vendors like SolarWinds, OpenText Dynatrace, etc...? A. Yes, Splunk ITSI is designed as a cross-domain visibility tool and supports integration with a wide range of third-party vendors and tools, not just Cisco products. The platform can ingest, correlate, and analyze topology, metrics, and event data from other major vendors such as SolarWinds, OpenText, Dynatrace, BMC, and more. Q. How does observability licensing work? A. The Splunk Observability platform is licensed based on host, ingestion, and/or workload - and each observability capability has licensing specifics to each product: https://www.splunk.com/en_us/products/pricing/observability.html  FAQ: https://www.splunk.com/en_us/products/pricing/faqs/observability.html  Q. How does this relate to your OLI Cloud Solution? A. ITSI is related to our Observability Cloud Solution in that ITSI is a premium application that sits on top of Splunk Observability Cloud or Splunk Enterprise. Q. Can ITSI pull in data from other vendor products e.g. Aruba? A. Yes, Splunk ITSI can ingest and correlate data from a wide variety of third-party vendor products, including Aruba and many others. As long as the data (such as logs, metrics, events, or flow data) can be sent to or collected by Splunk, ITSI can use it for analytics, alerting, and service correlation. Q. Is there a way to see flow data for individual devices in ITSI? A. Yes, Splunk ITSI can display flow data and other metrics for individual devices, provided that the necessary data is ingested into Splunk from your network tools. Through integrations and technical add-ons with products like Cisco ThousandEyes, Catalyst Center, and Meraki, as well as third-party solutions, you can bring in device-level flow data (such as NetFlow, sFlow, or similar telemetry). Q. Here is a quick guided tour showcasing glass tables and service monitoring: A. Splunk IT Service Intelligence Guided Product Tour. Q. How does ITSI sit on top of the Splunk Observability Cloud, I thought it sat on top of the Splunk Core? A. ITSI sits on top of the Splunk Core product, there are integrations available between Splunk Observability Cloud and ITSI. The two can complement each other in a hybrid environment, but they are architecturally distinct. Q. Would this be a layer on top or integrated with AWS or Azure services? A. Splunk ITSI and the observability solutions can be deployed either on-premises or in the cloud, including on AWS or Azure. They act as both a layer on top of your cloud services and can be directly integrated with AWS, Azure, and other cloud platforms. Q. Will AI/ML capabilities be expanded to automate correlation and anomaly detection in ITSI? A. There are capabilities to help with correlation powered by AI/ML namely Event IQ. ITSI leverages anomaly detection to model KPI behavior and generates alerts when these KPI's deviate from an expected pattern. Cisco and Splunk Strengthen Enterprise Digital Resilience in the AI Era   Q. If there is a network service and service tree/dependency with location in ServiceNow, is it possible to import the topology to ITSI and keep it updated from there, or is there a smarter way? A. Yes, it is possible to import service topologies (including dependencies and locations) from ServiceNow into Splunk ITSI. Splunk provides a ServiceNow technical add-on that supports this integration. This add-on can pull in data such as service trees, dependencies, and location details from ServiceNow’s CMDB or ITOM modules and bring them into ITSI for use in service monitoring and correlation. Additionally, ITSI supports ongoing synchronization, so updates made to service topologies in ServiceNow can be reflected in ITSI, keeping your monitoring environment up to date. The process is designed to reduce manual configuration and streamline service modeling within ITSI. Q. Does service topology need to be created manually or dynamically? A. Service topology in Splunk ITSI can be created both manually and dynamically, but the platform is designed to make dynamic (automated) creation as easy as possible. Q. Can you share a Demo and POC for customers who are interested in Splunk? A. Here is the link to request a demo Splunk IT Service Intelligence (ITSI)  Q. Is Catalyst Center the same as Cisco DNAC? A. Yes, Cisco Catalyst Center is the new name for what was previously known as Cisco DNA Center (DNAC). Cisco rebranded DNA Center to Catalyst Center, but it is essentially the same platform for network management, automation, and analytics. Q. Does this also track alerts in ThousandEyes, and sync respectively? A. Yes, Splunk ITSI can track alerts from ThousandEyes. The integration pulls in alerts, metrics, and test results from ThousandEyes into ITSI, allowing those alerts to be correlated with other events and displayed in dashboards and incident views within ITSI. ... View more

Here are a few top of mind questions from the live Tech Talk   Q. Is this only available for Splunk Cloud, or is it available for a Splunk Enterprise deployment, and if so, is there a minimum version level , for example: 9.4.x ? A. As long as you are on a version in which you can install a Splunk base application, it will work. Q. Is the AI assistant available for Splunk On Prem as well? A. Yes, with the v1.3.0 release Splunk Enterprise customers can use AI Assistant. Q. How to navigate to NLP section Splunk SaaS? A. The question how to access the AI Assistant in Splunk Cloud, you can install the AI Assistant for SPL application on your deployment and access it through the application. At .conf the assistant will be available inside the Search & Reporting app for even easier access. Q. A security concern would be that other's are know the naming convention of my environment and that information is protected because essentially that is enumeration. How is that protected and how is that specifically unavailable to others? A. All the personalization metadata (including the naming convention of the environment) is only used for inferencing. In other words, the only place where this data is used to improve the response quality for users of your deployment. None of this data is fed back into the model in any way. Q. These AI assistant capabilities be available through APIs? A. Yes,  not only as APIs, but they will also be available in the MCP server, very shortly. So yeah, stay tuned for that update. Q. Can MCP be used for the on Prem installation?  A. It is available for Splunk Cloud customers today, support for Enterprise customers is coming very shortly. Q. Are the user prompts available in the internal logs? A. If you are talking about the chat history in the AI Assistant, they are currently not present in internal logs but I expect it to be there in the next release. Q. What safeguards are in place to prevent exposing our proprietary data? A. Splunk's AI Assistant for SPL employs several safeguards to protect proprietary data: it processes all inferences within Splunk Cloud services, meaning your actual data never leaves Splunk's "four walls" or goes to third-party AI providers. For personalization, it only collects metadata (like index names, field names, and search queries) about the shape of your data, not the sensitive content itself, and this metadata sharing is an opt-in feature with configurable controls. Additionally, the system honors existing Role-Based Access Control (RBAC) and includes guardrail checks to prevent prompt injection and ensure secure interactions. Q. Here is a good lantern article for the use-cases for AI Assistant for SPL: A. Implementing key use cases for the Splunk AI Assistant for SPL. Q. Are there currently no plans to charge for MCP like SAIA? A. No plans to charge at the moment or in the near future. Q. Do the Splunk Admins, have the ability to add to the prompt engineering rules? A. Not at the moment but there are a couple approaches to it, those examples are in the recording. Q. Is it available for Splunk Cloud on GCP? A. Not at the moment, it is coming to Azure regions around conf timeframe and GCP will be next. ... View more