Trying to find the proverbial “needle in a haystack” can be overwhelming when it comes to getting data into Splunk. Customers are often in such a hurry to provide value from their new Splunk deployment that they start bringing in all their data at once. This can lead to data uncertainty. How do you find what is truly important when all of it seems important? It’s as if your organization is having an existential crisis. So, what do you do?
1. Identify your use cases
Here are some questions and common use case areas you'll need to work through to kick things off:
- Where are your employees spending most of their time?
- What reports do they have to create manually every month?
- What can be automated using Splunk?
Find the blind spots
- Where are your organizational blind spots?
- Do you know which servers are experiencing the most activity?
- Are the most active servers the ones you thought they would be?
Clarity on systems
- Are you planning for a major expansion or system adoption?
- Do you have enough resources to accommodate the number of users?
- Is access limited to only those users who need it?
- Do we have an effective means of capacity planning?
Look at the ROI
- Can we cut costs?
- Which systems are over- or undersized?
- Do we need more bandwidth?
These and other questions are a good place to start to help you categorize your data needs quickly. Though you will probably not identify all your use cases at once, you will most likely uncover the most pressing issues on the first pass.
2. Prioritize your use cases
Once you have identified the questions you would like to answer, you must arrange your data into categories based on their priority. The easiest grouping is:
- Needs
- Wants
- Luxuries
These categories will help you segment the use cases into tasks that you should focus on immediately. Needs are things that will benefit the largest group of people and/or will potentially save your organization money in the long run. The needs are really what bring value to the way the business is run. Wants are things that a subset of users would be very happy to have, but those users could continue to function, albeit not as efficiently, if they had to wait a little while longer. Luxuries are cool to have, but probably satisfy a very specific niche request.
3. Identify your data sources
Once you have identified and prioritized the questions you would like to answer, you must identify which data will help you answer those questions. Make sure to consider which data sources will help you satisfy several use cases at once. This will help you correctly determine the size of your daily license and make sure you only focus on the data sources you need to address the needs and wants of your organization.
4. Identify your heaviest users
By creating a list of people who need access to each data source, you can correctly determine how large an environment is needed to support all the data sources you plan to bring in. It also helps when determining each user's level of access. If a data source is widely popular, it may behoove you to create a dashboard and/or report to quickly disseminate important information that the users may need. It will also help you size any expansion of the environment.
Taking these four steps will not only make users feel like their needs are being heard, it will also help them feel empowered to identify further use cases for future expansion. It will free up their time to focus on more complicated tasks and can mean the difference between them being proactive as opposed to reactive. Taking the organization's greatest needs into account can mean the difference between users adopting a Splunk implementation as their own and it being discarded as just another tool.
Stay tuned for Part Two to learn more about how to get your data into Splunk the right way. Until then, take a look at Kinney Group's specialized service offerings. Whether you need help cleaning up your existing data or getting data into your environment correctly, Kinney Group has the expert Splunk consultants to help you with just that.