Empower IT Operations with Splunk MLTK for Automated Insights

Automated pattern discovery against large data sets is now commonly called AIOPS. Read on as we explore the ways AIOPS can be facilitated by Splunk to uncover meaningful insights for Operations.

IT Operations History

IT Operations has traditionally been the domain of silo tools that specialize in one area of operations and are lacking or non-existent in others. Operations personnel then had to open each of these tools and understand the data contained within. IT Operations was time consuming and often had to rely on instinct and gut-feelings instead of being based on evidence.

With the rise of big data, we saw platforms like Hadoop and tools like Splunk come along and help greatly with reducing the need for separate silos. With making data available to operations as a whole, each member was empowered to gain insights faster. Operations personnel codify their expertise and create alerts and searches, which then share that experience with others in their organization.

The next progression is to step into machine learning. That is, initial algorithms are set, and then the programs running the algorithms use actual data to gain increased understanding of the data. In short, the machine learns how best to understand the data, and it then uses that data to make actionable insights. This last part sounds like something available to us only in the distant future, but it is actually available today within Splunk using the Machine Learning Toolkit (MLTK). Using the Splunk MLTK, operations personnel are able to reap the rewards that come from AIOPS.

AIOPS

There are multiple ways to define what AIOPS is. The original acronym would define AIOPS as Artificial Intelligence Operations, but the term has deviated enough in industry that we’re going to back off the artificial intelligence side and focus on the machine learning side. After all, we’re less hunting for Sarah Connor, and more wanting to know when our hardware is going to crash. And since we are focusing on Splunk, we can look at the MLTK.

Machine Learning & Data Science

The gist of machine learning is to provide systems with the ability to learn. That is, we give the systems algorithms to start with, and they can adapt based upon data, make classifications, and make decisions with little to no human intervention.

The Splunk Machine Learning Toolkit

The MLTK is a Splunk app, which is free by the way, that helps to create, validate, manage, and most importantly, operationalize, machine learning models. The MLTK includes a variety of algorithms including several hundred from the Python for Scientific Computing Library, that give the power to try different algorithms to find the right insights for your data.

Two Example Scenarios
  • Resource Management — when we’ll need more capacity
  • Systems breaking — identify the items that are indicative of forthcoming system failures


Looking Forward with Splunk MLTK

We are in a new day and age of IT Operations, where many manual processes can start to be automated with the help of these tools. Putting the power of Splunk’s MLTK into the hands of your IT Operations personnel can empower them to begin a transition to a more automated approach to their everyday work, such as being able to investigate and troubleshoot a problem before you even see the effects of what may be going on. This approach is not mainstream—and may be daunting to some—but now is the time to get a grasp on the next generation of IT Operations.

Want to know what Splunk MLTK can do for you and your organization? You can actually get access to Kinney Group’s deep bench of Splunk experts, on demand. Check out our Expertise on Demand for Splunk service offering for more information on our various packages and let us know how we can help unleash the power of Splunk.

About Kinney Group’s Splunk Practice:

The Kinney Group team has the deepest bench of Splunk expertise in North America. Our team provides a comprehensive Splunk customer experience across multiple disciplines including Splunk Enterprise, Splunk Enterprise Security (ES), IT Services Intelligence (ITSI), and custom use cases in the areas of compliance, IoT, and machine learning. Kinney Group highlights include:

  • A Top Global Splunk Professional Services Practice
  • Splunk Elite Partner
  • Splunk Public Sector Services Partner of the Year
  • Experience with 300+ projects delivered nationwide and overseas
  • Application development expertise for the Splunk platform

Visit www.kinneygroup.com/contact-us or call us at (317) 721-0500.

4 Splunk Stream Tricks of the Trade

Splunk Stream

Splunk Stream is a purpose-built wire data collection and analytics solution from Splunk. Splunk Stream can be one of the most robust products Splunk offers as a free addition to your Splunk Enterprise environment.

However, some of us know that Splunk Stream can be daunting to setup and utilize to its full potential. With that in mind, let’s jump into some tips and tricks of the trade for working with the Splunk Stream.

1. One Simple REST Call

  • The Stream REST API is a powerful function, and one simple REST command can help you power through configuring Stream Forwarders. One of the most common errors seen when deploying a Stream Forwarder is “Unable to ping server.” At times it can be difficult to determine whether this issue lies within your Stream configuration or your network configuration.
    • Utilizing the following curl command helps determine whether you have the correct App location: curl http://<stream_app_server>:8000/en-US/custom/splunk_app_stream/ping
  • Using this command before deploying the Stream Add-on, or Independent Stream Forwarder, can help determine if the Stream Forwarder can access the Stream App within your deployment.

2. Independent Stream Forwarder or Stream Add-on?

  • Planning a new deployment, or the addition of a forwarder, can raise the above question: should I install an ISF or the Stream TA on a Universal Forwarder? The answer to this can vary by environment and collection method. But as with any Splunker, I love my data!
  • From the above charts you can start to compare the performance benefits of the ISF. Although your environment may never reach the ingestion rate at which you start to see dropped events from the Universal Forwarder, it is peace of mind knowing that your forwarder can handle considerable amounts of data.

3. Hunting Down Suspicious Subdomains using URL Toolbox

  • You can perform some simple Stream hunting just utilizing DNS data. With DNS data from Stream you can start to investigate suspicious DNS queries and subdomains from within your environment. You can empower your investigations by utilizing this URL Toolbox link.
  • For example, if you perform a Splunk search for your stream:dns data, then after populating the query value you can pass the queries to the URL Toolbox. This allows you to filter out URLs that you know are not suspicious and ones that don’t have a Top Level Domain. You can take this a step further by utilizing the URL Toolbox to calculate entropy values of the subdomains, and sort to see the highest scores (the higher the score, the more randomized the subdomain is). Taking these scores into account, you can start digging into specific IP investigation.
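The hunting logic described above, written out as an added Python example rather than the Splunk search or URL Toolbox macros the post refers to: drop names without a TLD, drop domains on an allow-list, score each remaining subdomain by Shannon entropy, and rank by score with the querying IP attached. The stream:dns records and the allow-list are constructed for the example, and the TLD/domain split is a simplified last-two-labels rule rather than the public suffix list the URL Toolbox uses.

```python
import math
from collections import Counter

# Constructed sample stream:dns events (not real captured data):
# "query" is the name the client asked for, "src_ip" is the client.
SAMPLE_DNS_EVENTS = [
    {"src_ip": "10.0.0.5",  "query": "www.example.com"},
    {"src_ip": "10.0.0.5",  "query": "mail.example.com"},
    {"src_ip": "10.0.0.9",  "query": "x7q2k9v4p1z8w3m6.example.net"},
    {"src_ip": "10.0.0.9",  "query": "a1b2c3d4e5f6g7h8i9j0.example.net"},
    {"src_ip": "10.0.0.12", "query": "printer"},          # no TLD: local name
    {"src_ip": "10.0.0.12", "query": "www.example.net"},
]

# Domains already known to be benign (the "not suspicious" filter); constructed.
KNOWN_GOOD_DOMAINS = {"example.com"}


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; higher means more random-looking."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name: str):
    """Split a DNS name into (subdomain, registered_domain, tld).
    Simplified rule: last label is the TLD, last two labels are the domain."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", name, ""           # single label: no TLD at all
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def rank_suspicious_subdomains(events, known_good=KNOWN_GOOD_DOMAINS):
    """Return (entropy, subdomain, domain, src_ip) rows, highest entropy first,
    after dropping names without a TLD, allow-listed domains and bare domains."""
    rows = []
    for ev in events:
        sub, dom, tld = split_query(ev["query"])
        if not tld or dom in known_good or not sub:
            continue
        rows.append((round(shannon_entropy(sub), 3), sub, dom, ev["src_ip"]))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for row in rank_suspicious_subdomains(SAMPLE_DNS_EVENTS):
        print(row)
```

The two long random-looking labels score about 4.3 and 4.0 bits per character and rise to the top, while `www` scores 0; the threshold at which a score is worth an IP investigation is something to tune against your own baseline.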

4. Splunk Stream on a Raspberry Pi

  • Of course it can work! One Splunk engineer put the Independent Stream Forwarder to the test to see how light-weight it really is. The Raspberry Pi is a cheap and easy way to play around with the possibilities of Splunk Stream. You could even implement this in a home environment to add even more capabilities to your own lab. In fact, here is a link to the Splunk forwarder for Linux ARM download, which is installed on the Raspberry Pi for Splunk forwarder capabilities.
  • This is a great example of the power of a Stream Independent Forwarder. The Raspberry Pi in my home environment is currently running as a Pi Hole, but I am going to implement the Streamfwd to run some searches and create dashboards of the queries and how the Pi Hole handles them.


Need help with Splunk Stream? You can actually get access to Kinney Group’s deep bench of Splunk experts, on demand. Check out our Expertise on Demand for Splunk service offering for more information on our various packages and let us know how we can help unleash the power of Splunk.
