Planning and Execution for Successful Deployments

Copyright © 2013 Splunk Inc.
Pete Sicilia, Client Architect Manager
Chris Olson, Sr. Director, Technical Services
#splunkconf


Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.

©2013 Splunk Inc. All rights reserved.

Planning for a Successful Splunk Deployment

- Introduction
- Architecture – Why Things Matter
- Hardware and Benchmarking (Talking to your Infrastructure)
- Building your Team
- Use Cases and Collecting Requirements
- Service Offerings
- Managing your Project(s)
- Expansion and Beyond

About Us

- Pete Sicilia manages the Client Architect practice at Splunk
  - Client Architects help Splunk's largest customers and make sure their deployments are planned properly and executed smoothly
  - He’s been a Splunker for three years
- Chris Olson leads the Technical Services team for the Americas
  - Oversees all of the Pre-Sales and Professional Services Engineers
  - He’s been at Splunk for over three years

Summary

- This class is to help you plan for a successful Splunk environment with the proper foundation to scale and handle the needs of a diverse enterprise
- We’ll look at architecture considerations, team building, collecting requirements and defining your offerings for your internal customers

Why are We Here?

People, Process, and Technology

Architecture: The Method and The Madness

Architecture is Critical…

…But it’s not everything

Must understand:
- People
- Process
- Policy
- Splunk design constraints

Architecture

- The basics
  - Covered in other sessions/Splunk EDU
- Geos
  - Where are your users?
  - How many?
  - Where is your data?
- Retention and search window
- Security policy
- Resiliency (see Service Offerings)
- User experience/perception is key!

Hardware and Infrastructure Teams

- Physical/VM
  - Know what you’re asking for
  - Physical cores not hyperthreading
  - (cat /proc/cpuinfo is your friend)
  - Dedicated cores vs. contention
  - Would you run your production customer facing DB on that?
- Local disk vs SAN
  - Storage is critical for Splunk
  - Dedicated IOPS not cumulative
  - Run IOZone or Bonnie++
  - Contention again…
  - You know what you’re getting with local disk
  - SSDs? Yes please!
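The physical-versus-hyperthreaded core check from the hardware slide, as an added example that is not part of the original deck: it counts sockets, physical cores and logical CPUs from /proc/cpuinfo-format text. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the deck): tell physical cores from hyperthreads
# using the topology fields in /proc/cpuinfo-format text.

# Constructed sample, not a real host: 1 socket, 2 cores, 2 threads per core.
sample_cpuinfo() {
    for cpu in "0 0" "1 1" "2 0" "3 1"; do
        set -- $cpu    # $1 = logical CPU number, $2 = core id
        printf 'processor\t: %s\nphysical id\t: 0\ncore id\t\t: %s\n\n' "$1" "$2"
    done
}

# count_cores FILE ("-" reads stdin) -> "sockets physical_cores logical_cpus"
count_cores() {
    awk -F: '
        { key = $1; val = $2
          gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val) }
        key == "processor"   { logical++; pid = "" }
        key == "physical id" { pid = val; sockets[pid] = 1 }
        key == "core id"     { cores[pid "/" val] = 1 }
        END {
            ns = 0; for (s in sockets) ns++
            nc = 0; for (c in cores) nc++
            # Some VMs and non-x86 kernels omit the topology fields;
            # 0 then means "unknown", not "no cores".
            print ns, nc, logical + 0
        }' "$1"
}

# smt_report FILE -> one-line summary to hold against the hardware request
smt_report() {
    set -- $(count_cores "$1")
    if [ "$2" -eq 0 ]; then smt=unknown
    elif [ "$3" -gt "$2" ]; then smt=on
    else smt=off
    fi
    echo "sockets=$1 physical_cores=$2 logical_cpus=$3 smt=$smt"
}

# Demo on the constructed sample; on a Linux host run: smt_report /proc/cpuinfo
sample_cpuinfo | smt_report -
```

A logical CPU count higher than the physical core count means the host exposes hyperthreads, so size against the physical_cores figure.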

Building Your Team

The Splunk Core Team Mission Statement

- The overall goal of your Splunk Core Team is to discover and develop new use cases, support the Splunk infrastructure, create original content and onboard and assist the user community
- Within this team there will be multiple roles of differing skill sets, both business and technical
- You might decide that some roles are in the core team and some are farmed out to the business units
- You will find that you will want to tailor your offerings to the business community based on use case and business impact

Creating a Core Splunk Team

The Admins

- Admins are responsible for the Splunk infrastructure
- They manage the Splunk software and administer users
- Customers often split the admin team into initial deployment and ongoing support (Ops)
- Your admins should be the first through Splunk training as they will shadow the Splunk Professional Services team during the initial deployment
- Splunk admins should have a solid background with the selected hardware platform and in Unix or Windows administration and have experience running/managing applications

The Developers

- Developers code new Splunk searches and dashboards
- Developers usually work closely with the Splunk admins
- Devs also should have familiarity with the required data sources both internal and external to Splunk
- Your devs should be the next through Splunk training as they will help onboard data and write searches for the individual use cases
- Splunk devs typically have experience with scripting, HTML, CSS and query languages

The Business Role

- The business role helps define new use cases
- They interview new business units and capture broad use cases and detailed business requirements (see the Deployment Doc)
- The business role works closely with the devs to make sure that project requirements are delivered to scope and with the admin team to make sure SLAs are met
- They also help rank/prioritize new projects based on business impact
- Often, this team designates one or more of its members to take on the role of Project Manager

Splunk Education

- Admins
  - Architecting and deploying
  - Admin
- Developers
  - Advanced search and reporting
  - Developing
- Business roles
  - Advanced search and reporting
  - Project management

Use Cases and Service Offerings

Service Offerings

- The next step is to define your service offering based on the audience and their business impact/criticality
- This will in turn drive your infrastructure decisions including considerations for:
  - Availability/resilience
  - Performance
- Customers often find that they deliver multiple classes of service
- “Units of Splunk”

Class C Offering

- “The Kiddie Pool”
- Shared Splunk infrastructure
- Used to group smaller, simpler use cases into an inexpensive hosting model
- You do have to watch for capacity by use case or department
- Extremely easy for chargebacks
- Basic security
- Lowest SLA
- Use cases that outgrow this model can migrate up to class B

Class B Offering

- Multiple use cases
- Federated, distinct clusters
- Search heads and indexers dedicated to use cases prevents cross use case contention
- Possible cross use case reporting (adds to chargeback considerations)
- Managed centrally
- Standard kit – “Units of Splunk”
- Good security
- Moderate SLA
- Easy to determine capacity and chargebacks

Class A Offering

- Highest value use case(s)
- Fully dedicated to a single use case or business unit
- Fully resilient/HA/DR
- Highest security
- Bespoke hardware/storage options
- High performance
- Long retention
- Specific search requirements
- Tightest SLA

Deeper Considerations for Service Offerings

- Refer to your service definitions and SLAs
  - How much custom development effort?
  - Is infrastructure resilience in play?
- Are you able to determine data volume by use case/business unit?
- Data retention and search window
- Users and roles with privilege
  - Search experts
  - Basic users
  - Email users
- Total search resources used
- Search speed/performance

Of course all of these play into your considerations for chargebacks

Managing Your Project(s)

Plan for Success

- Start off by thinking where this will go when it’s wildly successful
- Go to the well once - with a little extra capacity, you’ll have overhead to work on new use cases without another phase of architecture and procurement
- You’ll also find that multiple groups might want access to the same data and having extra capacity keeps groups from stepping on each other
- Consider adding a Splunk Center of Excellence to introduce new users and use cases to Splunk with minimal effort
- Splunk has Professional Services offerings specifically geared to help with COEs

Expansion

- There are different factors to expansion depending on if you’re adding:
  - New use cases
  - New data sources
  - New users
  - More volume
  - New regions
- If you’re continuing your deployment with “more of the same” you can probably just add Splunk servers to your current cluster
- If your expansion adds a new class of service, or geography you will likely want to add another Splunk environment to handle it
- Splunk has Professional Services offerings to help with expansion and capacity planning
  - We’re here to help!

Key Takeaways

- Don’t forget people and process – critical to success for any Splunk deployment
- Leverage and partner with your internal teams
- Think longer term, plan for change
- Your Splunk team is here to help – account team, PS, education

Next Steps

1. Download the .conf2013 Mobile App. If not iPhone, iPad or Android, use the Web App
2. Take the survey & WIN A PASS FOR .CONF2014… Or one of these bags!
3. View the sessions listed on the next slide. All sessions are available on the Mobile App

Interesting Sessions

- Check those sessions on the Mobile App if you missed them:
  - Best Practices and Lessons Learned from Splunk's Professional Services
  - Best Practices: Deploying Splunk on Physical, Virtual and Cloud Infrastructure
  - Delivering Large Scale Deployments by Thinking Small: A "How-to" by Yahoo!
  - Architecting and Sizing Your Splunk Deployments

Questions?

Thank You

Appendix

Frequent Chargeback Items

Hardware
- Servers
- Storage

Labor
- FTE
- Contractors

Software
- Monitoring
- Backup

Splunk
- License
- PS
- Training