Frequently Asked Questions

What is >rapid response for splunk®?

>rapid response is a splunk plug-in app that allows users to easily compose powerful custom alert actions in minutes – without scripting or coding. It seamlessly extends splunk’s native alert mechanism, allowing you to orchestrate system-wide real-time response strategies for your operations.

>rapid response turns Operational Intelligence into Real-Time Action

What will >rapid response do for me?

Splunk gives security, IT operations and application delivery teams powerful insights and valuable operational intelligence across your entire organization. Its powerful search, visualization and alerting capabilities enable them to understand current operations more effectively than ever before, and configure simple alert actions to respond to certain issues automatically.

But when difficult operations issues arise, splunk’s simple script and web-hook alert actions may not be enough.  And waiting for human-scale response times to incipient cyber activity or complex IT system failures means greater impact to operations.

With >rapid response, your operations teams can easily capture their deep expertise into powerful custom alert actions that execute within milliseconds.  >rapid response alert actions enable your operations teams to systematically orchestrate and track response actions at all layers of the stack across the entire enterprise in real-time, all the while maintaining secure positive control over all automated actions.

But where >rapid response really shines is in its ability to automate sophisticated dynamic response strategies – strategies that dynamically interact with splunk’s powerful search and analysis capabilities to drill down on an issue, determine root cause, and orchestrate the most effective response actions for the situation.

>rapid response closes the loop around your operations

What can I do with >rapid response?

>rapid response for splunk® allows you to easily compose sophisticated real-time system-wide response applications and run them automatically whenever splunk alerts occur. You compose a response app by ‘drawing’ its workflow using AppSymphony Web, and then assign that app to run as a splunk alert action.

What is AppSymphony Web?


AppSymphony Web is our rapid app composition platform that lets users ‘draw’ powerful information apps and run them in the cloud in minutes. AppSymphony provides the following core capabilities:

  • Pure browser-based drag-drop-connect UI to compose apps – no coding
  • Reusable apps saved/shared in repository
  • Orchestrate / choreograph diverse information resources at all layers of the stack

Click here for the AppSymphony Web FAQ

How does >rapid response work with splunk?

AppSymphony Web and splunk work together through the >rapid response plugin application.
The >rapid response app appears in the splunk app launcher panel, and >rapid response alert actions are available for selection in the alert editor.

How do I use >rapid response?

You compose response applications using AppSymphony’s intuitive graphical workflow tool, and then use the >rapid response splunk plug-in to seamlessly configure an alert action to launch that response app. When the app runs, it reports its activities back to Splunk so you can monitor response progress using >rapid response's tracking dashboards.

The following playlist of short videos shows how it all works.

What's in a >rapid response alert action app?

>rapid response apps conduct all response activities within the context of unique recovery cases so that you can track and control all response operations right from within splunk itself. As a result, app workflows all follow the same pattern:

  1. open a unique response case
  2. report the results of each response action
  3. close the case when it's done

We have captured this pattern in a template app (shown below) for you to reuse as often as you’d like. All you need to do is drag/drop the response action components you need to get the job done, connect them into the template, and you’re ready to go.

Here is an example of a completed simple alert action workflow with the response actions filled in. This app stops and restarts an AppSymphony Web instance. AppSymphony is a web app hosted in an Apache Tomcat container, so this app simply stops and starts Tomcat.

This video shows how quickly and easily you can compose this simple response workflow.

What kinds of response actions are available?

Response actions are provided through AppSymphony Web components, which you compose into response apps by drawing workflows.  The power of >rapid response lies in the availability of components to take response actions at all layers of the information system stack.  Initial components focus on the IT Operations solution area.  The following table lists the major >rapid response component groups organized by splunk IT Service Intelligence Modules.

Subsequent >rapid response releases will include components for other solution areas such as application delivery, security and compliance, business analytics and internet-of-things.

Check out the >rapid response component gallery

AppSymphony also provides a wide range of lower-level general purpose information processing components that can be used to compose new response action components and apps.

Check out the AppSymphony component gallery

How does >rapid response handle security?

Many of the >rapid response components require specific privileges to perform their response actions. Security (identity, authority) is enforced on each component action depending on how the objective resource is implemented and the layer(s) of the stack through which the actions are performed. The following table summarizes this.

How do I get >rapid response?

>rapid response consists of two parts:

  • >rapid response app  – installs on the Splunk server
  • >rapid response service (AppSymphony) – installs on its own host

You can download the >rapid response app from Splunkbase.

>rapid response server is available through Carahsoft at  You can contact a >rapid response specialist directly at 1-(844)-37RAPID.

Installation instructions

Can I add >rapid response to my existing splunk installation?


How can I try >rapid response?

Contact Carahsoft at to request a try-before-buy trial. You can contact a >rapid response specialist directly at 1-(844)-37RAPID. You must have a licensed Splunk Enterprise installation with connectivity to the Internet for the trial to work.

Can I get help planning and implementing >rapid response?

Yes, consulting services are available to do both.

Is >rapid response training available?

Yes, training is available as part of the >rapid response jump start package available through Carahsoft.

Where can I run >rapid response?

You can use >rapid response anywhere you use splunk now: on premises, on Amazon AWS, and in the C2S cloud. Other cloud environments are available on request.