
Architecting Splunk Primer


Written by: Kinney Group | Last Updated: April 19, 2024

Originally Published: June 13, 2022

If you’re just starting out with Splunk, you most likely won’t be expected to architect or implement your Splunk environment from scratch. (That type of project is usually — and highly recommended to be — led by or assisted by Splunk-certified professionals.) That said, maybe you’re trying to spin up a Splunk sandbox, joining an existing team and needing to come up the curve, or looking to improve your existing architecture. This article covers Splunk environment architecture on-prem vs. Splunk Cloud.

Regardless of your situation, there are a few considerations when taking a look at your Splunk environment’s architecture:

Splunk On-prem vs. Splunk Cloud

Splunk environment architecture on-prem vs. Splunk Cloud is one of your first decisions. While on-prem deployments of Splunk have a variety of infrastructure considerations, Splunk Cloud presents some compelling benefits — simply forward your data to Splunk Cloud, and it will “automagically” make sure you have the resources you need to handle the data. Data is also managed securely and efficiently.

Splunk Cloud also introduced Workload Pricing rather than ingest-based pricing. This allows you to ingest all the data you want, and only pay for what you actively use (workload).

[Figure: Splunk workload pricing quadrant]
What’s the best choice for you?

Do you prefer to have Splunk running locally and have control over your hardware and infrastructure components? Or do you prefer to let a third-party manage the infrastructure and only concern yourself with the results you’re getting from the data? (That’s not a trick question, by the way — there are pros and cons with each approach that are entirely dependent on your organization’s unique needs and requirements.)

Splunk Validated Architectures

If you choose an on-prem approach for your Splunk deployment, there are a variety of solutions that can help you get started. One such solution is leaning on Splunk’s catalog of Splunk Validated Architectures (SVAs).

Splunk’s product documentation is excellent, but there are gaps relative to architecture, best-practices, and — frankly — what works. And it makes sense. Everyone has different needs, so documentation couldn’t realistically cover every possible scenario. SVAs provide standardized “blueprints” for deployment you can leverage that Splunk has vetted.

Check out the “Splunk Validated Architecture” white paper from Splunk for more information.

Of course, SVAs are just a starting point. Kinney Group’s team of Splunk-certified experts would love to help you figure out what would work best for your specific needs.

Use Cases

Determining your approach to architecture has a lot to do with the data you need to bring in. If you find yourself stuck on architecture design, it may be helpful to start with your use case and work out from there.

If your primary use case is compliance, for example, you’ll need an architecture and environment that allows you to keep data ingested for a period of time, makes it accessible for another period of time, makes audits easy and as pain-free as possible, etc. If you’re a system administrator, you’d be bringing in different data sets and have different expectations of how to work with that data. Security your main focus? Insider threats? Application Management? You’d have an entirely different set of expectations and needs.
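To make the compliance requirement above concrete, here is an added example of what the retention side of it looks like in an on-prem deployment: an indexes.conf stanza on an indexer for a hypothetical compliance index. This is illustration added to this article, not Kinney Group's or Splunk's recommended configuration; the index name, filesystem paths, retention period and size cap are all assumptions you would replace with your own requirements. The setting names themselves are standard indexes.conf settings.

```ini
# Added example (not from the original post): indexes.conf stanza for a
# hypothetical compliance index. Name, paths and periods are assumptions.
[compliance_audit]
homePath   = $SPLUNK_DB/compliance_audit/db
coldPath   = $SPLUNK_DB/compliance_audit/colddb
thawedPath = $SPLUNK_DB/compliance_audit/thaweddb

# "Keep data ingested for a period of time": events stay searchable in the
# hot/warm/cold tiers for 1 year (365 * 86400 seconds) before a bucket is
# rolled to frozen.
frozenTimePeriodInSecs = 31536000

# Size cap for the searchable tiers. Whichever limit is reached first, age
# or size, rolls the oldest bucket to frozen, so size this for expected
# daily volume times the retention period or the age setting is never the
# one that applies.
maxTotalDataSizeMB = 500000

# "Makes it accessible for another period of time": frozen buckets are
# deleted by default. Archiving them to a directory instead keeps them
# recoverable; an archived bucket can later be copied into thawedPath and
# searched again for an audit. The directory must exist and be writable
# by the Splunk user.
coldToFrozenDir = /archive/splunk/compliance_audit
```

Two things this stanza does not do for you: the archive directory is only as durable as the storage behind it, so the "second period" of accessibility still depends on backing that path up off-box, and the retention period you pick should come from the regulation or policy you are subject to, not from the default. To check what is actually on disk, the dbinspect search command reports each bucket's state and time span (for example `| dbinspect index=compliance_audit`), which is a quick way to confirm that buckets are ageing out on the schedule you intended.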

We recommend taking a look at Splunk’s Use Case Definitions and Use Case video library for more details (particularly helpful for beginner and intermediate Splunk users).

DIY vs Professional Services vs MSP…

While it’s possible to architect a ground-up solution yourself (if you have the right team in place), you may be better served to engage with Splunk architecture experts that know the right questions to ask, the best way to meet your unique needs, and have the expertise to mitigate risk and create opportunities for success with the platform.

One word of caution, however — traditional professional service providers tend to “blow in and blow out.” They may answer the mail for the immediate need, but often leave the internal team without the tools and knowledge they need to be successful and enjoy continued success.

With nearly 700 Splunk engagements under our belt, we’ve learned a lot about providing incredible solutions that are sustainable. Our approach is to empower the Splunk Creators who will be tasked with making the environment produce results by bringing them alongside each step of the journey, providing knowledge transfer throughout the process, and leaving them with what they’ll need to be successful long after our engagement has ended.

We’d love the opportunity to talk to you about your Splunk environment and architecture needs. Click here to schedule a quick meeting with a member of our team.
