Are you considering Splunk’s cloud-based software-as-a-service (SaaS) solution?
If so, you’re in good company. Splunk Cloud is an increasingly popular alternative to deploying Splunk on-premises, or in your own cloud environment. This is because Splunk Cloud:
- Removes the necessity of buying and managing the Splunk infrastructure.
- Eliminates a significant portion of the administrative overhead tied to Splunk software.
- Makes it unnecessary to hire a full-time Splunk administrator, or allows existing staff to spend less time on platform administration.
You might be thinking that adopting Splunk Cloud will free your organization of any Splunk Cloud responsibilities. However, that isn’t the case.
In order to clear up any confusion, we’ve created a downloadable guide to the Splunk Cloud migration process. It explains what Splunk Cloud will take off your plate – and what it won’t. Once you understand who is responsible for what, you’ll be able to maximize the benefits of Splunk.
There are three broad activities taking place within Splunk:
- Data collection.
- Back-end Splunk administration (platform administration, i.e., engineering).
- Front-end Splunk administration (sometimes referred to as “Splunk development” or “content development”).
Splunk starts by pulling in data from a wide variety of sources. This is engineering-based work. Data collection is accomplished in different ways, which we’ll explain later.
Back-end administration includes the deployment and maintenance of the various Splunk instances or components. This is also engineering-focused work. Splunk software has many components, but the two key elements are:
- Indexers, which store the data.
- Search heads, which process queries, searches and alerts.
Front-end Splunk analytics development
This includes building reports, dashboards, queries and alerts within Splunk. It’s also referred to as content creation.
In some organizations, end-users carry out front-end Splunk duties: for example, security analysts, systems administrators, developers, business analysts and others who use Splunk daily. In this scenario, Splunk (the vendor) does not manage these duties.
Meanwhile, in other businesses, end-users open tickets with requests for reports, queries and alerts. Handling these is the responsibility of the organization's Splunk administrator, who has the Splunk expertise the end-users rely upon.
What does Splunk Cloud alleviate?
Splunk’s SaaS model shifts the administrative burden of managing search heads and indexers to Splunk’s own cloud environment. This, in turn, alleviates the following:
- Cost and overhead tied to administering and procuring technology infrastructure Splunk sits on. This includes servers, software, storage and security.
- Tool and platform administration: you no longer perform Splunk or OS upgrades, or firewall changes, for anything related to a Splunk search head or indexer.
In addition, Splunk Cloud minimizes organizational risk, because you’ll no longer have to face:
- Putting Splunk administration (search head/indexer) responsibility in the hands of one or two individuals, whose departure could create significant issues, and
- Splunk being administered by someone without subject matter expertise.
An improper Splunk configuration could create difficulty with scalability, as new users or components are added to the stack over time. It could also lead to poor system performance in the form of slow queries and missing log data, among other things.
What does Splunk Cloud NOT alleviate?
When you migrate to Splunk Cloud, you don’t eliminate data collection, analytics development, or domain advisement/maturity roadmaps. These Splunk Cloud responsibilities remain with you.
Once the migration to Splunk Cloud is complete, you will still continue to manage your data collection infrastructure. This includes the data collection portion of the Splunk stack:
- Splunk Universal Forwarders on client endpoints (normally Linux and Windows servers).
- Splunk’s Deployment Server, to manage UF instances.
- Syslog servers collecting data from infrastructure systems (firewalls, IDS, UPS, etc.).
- Heavy Forwarders, which collect/parse information from databases or third-party systems.
- Splunk Stream, which captures wire data and outputs raw or statistical info about the data.
We call these the data collection and parsing components. Why can’t the Splunk Cloud operations team manage them? Because they sit in your environment, where the log data Splunk ingests originates.
Our experience has shown the typical Splunk user is under-trained and lacking in software skills. (More on that in a minute.) This is important to point out for a few reasons.
First, Splunk Cloud operations don’t perform content creation.
Also, your organization will need to develop the ability to build queries in Splunk to create reports, dashboards and alerts. And you’ll have to manage query tuning, which reduces false-positive alerts and the time spent responding to them.
How does SP6 know users lack knowledge? We surveyed Professional Services (PS) Splunk SMEs who collectively have delivered over 500 PS projects. We asked them to rate, on a scale of 1 to 10, the overall Splunk capabilities of the typical Splunk user at client companies. The average was 3.25.
There is a hump users must surmount regarding Splunk’s query language. For the first-time user, even simple commands can prove daunting. Therefore, improving user proficiency is a must. Users can accomplish this with help from others (e.g., a Power User or a services partner), time with the product, and a commitment by the organization and the users to gain formal knowledge of the product.
Were you aware your organization could realize up to a 90% reduction in incident investigation or troubleshooting time with Splunk?
That value doesn’t come from the setup and maintenance of Splunk. It comes from front-end content creation: alerts, reports, dashboards and queries.
Domain advisement and maturity roadmaps
Here’s another aspect of Splunk that Splunk Cloud doesn’t address. It’s the maturation of security detection, enterprise monitoring, or other analytics within your organization.
You’ll see improvement accelerate in those areas when your organization engages a team of domain experts who understand what you want to achieve. They’ll be able to show you how to reach those goals faster and better with Splunk.
By understanding business drivers, you’ll be able to quickly develop new ways to search for data, visualize it and enrich it. You’ll also be able to create new ways to select and assist with onboarding key data sources, alert on and troubleshoot missing log sources, and interactively train users.
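Because the forwarders, syslog servers and other collection components stay in your environment after a migration, detecting a log source that has gone quiet also stays with you, and it is a piece of front-end content you will have to build and tune yourself. The search below is an added example written for this article, not a query shipped by Splunk or SP6; it reports every host/index/sourcetype combination that was seen in the last seven days but has stopped sending data for longer than a per-sourcetype threshold. The sourcetype names (`syslog`, `WinEventLog:Security`) and the thresholds in the `case()` are assumptions chosen for illustration; replace them with the sourcetypes and expected intervals in your own environment.

```spl
| tstats latest(_time) AS last_seen, count AS events
    WHERE index=* earliest=-7d
    BY host, index, sourcetype
| eval max_silent_secs = case(
        sourcetype=="syslog", 900,
        sourcetype=="WinEventLog:Security", 1800,
        true(), 3600)
| eval silent_secs = now() - last_seen
| where silent_secs > max_silent_secs
| eval silent_for = tostring(silent_secs, "duration"),
       last_seen  = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - silent_secs
| table host, index, sourcetype, events, last_seen, silent_for
```

Save this as a scheduled alert (for example, every 15 minutes, triggering when the result count is greater than zero). The per-sourcetype threshold is where the tuning happens: a firewall that logs continuously can be flagged after 15 minutes of silence, whereas a UPS that reports hourly would generate false positives at that setting. Two caveats: `tstats` only sees data that was actually indexed, so a source that has never reported, or that stopped more than seven days ago, will not appear at all; for full coverage, compare the results against an asset or expected-sources lookup. And `index=*` excludes Splunk’s internal indexes, which is usually what you want here.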
Splunk Cloud responsibilities: in summary
Now, you have a better sense of who manages which Splunk Cloud responsibilities.
When you transition from on-prem to Splunk Cloud, you lift the burden of managing several components of the Splunk stack – search head/indexer/Add-Ons. But the organization will continue to carry some Splunk Cloud duties.
To get the maximum value out of this powerful tool, we strongly recommend you partner with Splunk SMEs who can:
- Manage, scale and troubleshoot log collection (forwarder) infrastructure.
- Assist with the creation of key queries, reports, dashboards, and alerts.
- Optimize queries to reduce false-positive alerts.
- Provide domain expertise tied to use-case recommendations and prioritization.
SP6 can help
Does your organization lack Splunk-certified team members? Or could you benefit from additional Splunk expertise? If so, our cybersecurity and information technology observability specialists can work with you to ensure your systems are protected and highly performant.