Editor’s Note: Jim Barge is a co-founder of SP6.
When you make a big investment in a solution for your company, you want it to deliver results. But when it comes to Splunk, some organizations fail to use this powerful software, including its data analytics, to its full potential. I’ve seen it with our own clients.
There are a number of ways to get more value from Splunk, and this is one of them:
Develop Analytic Wins
Some organizations spend way too much time upfront loading data into Splunk. I know it’s an important step. After all, you can’t generate analytics on non-existent data.
However, I don’t always see the same effort put into front-end Splunk tools, such as reporting, alerting, and dashboarding.
You didn’t buy Splunk to serve as a log repository. You bought Splunk for its analytic capabilities. From my experience, the best way to develop analytic wins is one use case at a time.
Here’s an example. An organization I worked with used Splunk strictly for security. They had over a dozen data sources being ingested into Splunk, yet they didn’t enable a single security alert. Why? Because they didn’t want to be overwhelmed with alerts.
We advised the client to begin with four security alerts. After those ran for a week or so, we applied extensive tuning to the queries to reduce false positives. (At this point, the CISO told us he didn’t want us to bombard their team with alerts.)
Once certain queries were enabled and tuned appropriately, we moved on to another set.
Here’s my point. You need to:
- Get out of the batter’s box.
- Identify a small number of use cases and get them working* in Splunk.
- Roadmap additional use cases.
- Act upon these use cases.
- Set weekly or monthly targets tied to their enablement, configuration, and tuning.
- Focus on getting wins as measured by alerts concentrating on particular use cases.
*By working, I mean tuned to reduce false positives. A monitoring tool shouldn’t work as a giant alert generator. The alerts must be meaningful.
In Closing
I hope this tip will help you get more value from Splunk. It’s a product with tremendous analytic capabilities. If you use Splunk to its fullest extent, you can drive your organization to new levels of success. If you have questions or need additional assistance, contact us.
