6. End to End Correlation With Splunk Enterprise
Reduce Costs: Consolidate tools, eliminate silos, find root cause faster!
[Slide diagram: roles shown around the platform – Exchange Admin, Linux/Win Admin, Network Admin, Applications Admin, Line of Business User, Application Support, VMware/Linux/Win Admin, Security Admin, Storage Admin, IT Management]
Quick introduction:
Who am I?
Who else will be presenting with me?
Get to know the audience:
I’m curious:
How many of you use Splunk software today? What about in a production installation?
How many of you have security in your job title?
How about IT operations or Application Management?
Any Data Analysts or Data Architects amongst you?
Splunk Enterprise is a fully featured platform for collecting, searching, monitoring and analyzing machine data to get operational intelligence. You can monitor both real-time (as the data is streaming) and historical data. Splunk collects machine data securely, reliably and scalably from wherever it is generated, in any format: time-series data, which means log files but also performance metrics. Talk ingestion types: 1) agent, 2) agent calling an API, 3) syslog. It stores and indexes the data in real time in a centralized location and protects it with role-based access controls. By centralizing the data and providing a consistent interface, you can troubleshoot, say, a network problem and very easily correlate its impact on your applications, all in a matter of minutes, not days. // Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain real-time visibility and critical insights into customer experience, transactions and behavior. // As you move up, you move from search and investigation of issues to proactively monitoring for problems and catching them before they happen, then to full operational visibility, and finally to Operational Intelligence (OI) level 4, where Splunk starts giving you real-time insights into your IT operations.
<click> We don’t require you to understand your data up front or to have a predefined schema and requirements. You don’t need expensive custom connectors to get data into Splunk. We have our own MapReduce-based, high-speed data indexing and retrieval mechanism. We can index data from any part of your infrastructure. We scale from a single server to petabytes of data, on commodity x86 hardware. You can also store data in the cloud if you don’t want to manage your own Splunk instance. So you can start getting into the core of the problem: if you have a system that lacks proactive capabilities, you can add them with Splunk Enterprise, and expand from there into security, capacity planning and application management; truly a gold mine of use cases from your data. Once our customers start to gain that operational visibility, they evolve to getting deeper insights from their data. There is no database in the back end, as we apply schema on the fly. You need the raw data to be able to re-use it. We create intelligence on top of the data, which makes scaling easy.
And what can you use this data for? You have specific individual business needs. Splunk is flexible: if you have a performance issue, you can move into root cause analysis of that problem, and from there into proactive monitoring. If you want to understand how your users interact with your website and which content is popular, you can do that with Splunk. If you want to forecast and plan for enterprise growth, you can do that. Understand insider threats or security breaches? We have an app for that. The key point I would like you to remember is that Splunk enables you to make informed, analytics-driven decisions across your enterprise.
So now, no matter what your administrative area is, you want cross-tier insight across the environment. How many times have you had complaints from the application people that there is big latency on the storage side? Or, as a virtualization admin, you may need to allocate additional resources and add more CPU cores to boost user and application performance. Or, as an OS admin, you see that your OS shows correct storage utilization but you still have an application running slowly. This is because each of these IT professionals is looking into isolated tools; they have no insight into the other silos. That is what our apps deliver, and it is core functionality of Splunk as a platform. If you have Exchange running on top of VMware or another hypervisor, on Windows, over Cisco ACI and with attached storage, you can use Splunk as a platform to get insight into how your business service is performing. It is central and easy for Splunk because we look at this as just another data source.
Splunk, when used for application management, addresses all the gaps with traditional management tools. It aggregates your data, provides you with a central view and time-based correlation, speeding up root cause analysis and problem investigation. It presents views that span many different systems AND it provides rapid drilldown to the actual unfiltered data.
With Splunk’s role-based access controls, developers and Tier 1 personnel can both have access to production system information such as logs, events and metrics without needing access to the systems themselves. IT no longer has to hunt server by server or device by device to find a problem, and no longer has to ship log or metrics information over to dev; with developers getting access to the right data, problem resolution also becomes faster.
Tier 1 personnel can get their own views over the data and be empowered to solve routine investigations themselves without needing to escalate.
Splunk can monitor proactively across ALL technologies and can retain knowledge of issues, helping avoid them in the future. Turn any Splunk search, the output of any investigation, into an alert and prevent recurring problems in your infrastructure.
And with its ability to talk to ALL data, Splunk can track transactions that span multiple technology types. Its powerful search language allows you to easily measure transaction times, detect anomalies and report on true SLAs. With easy charting/graphing and other forms of visualization, Splunk provides the right views to the right set of stakeholders.
With the Splunk App for Stream, customers can now unlock the full potential of their machine data by adding wire data to the Splunk software platform. Correlate application and infrastructure data such as logs, events, metrics with wire data to gain valuable insights into application and infrastructure performance, find the root cause of operational issues, understand transaction paths, resolve system downtime, identify infrastructure relationships, assess security threats and understand customer behavior. Enhance Operational Intelligence for IT, security and the business with wire data analytics, enabled by Splunk software.
Splunk App for Stream captures wire data from endpoints and key network locations to provide additional insight into how applications are performing, without requiring any instrumentation. Wire data collected by Splunk App for Stream provides granular data on transaction response times, transaction traces, transaction paths, network performance, and even database queries. Wire data effectively complements the kind of metrics gathered by traditional APM tools, which often focus on specific transaction components. Because Splunk App for Stream does not require instrumentation of the application itself, you can gather performance information across the application without developers instrumenting it or modifying application logs.
About the Agency:
Manitoba Hydro is the electric power and natural gas utility for the province of Manitoba, Canada. Approximately 98% of the electricity it produces is clean, renewable power generated at 14 hydroelectric generating stations.
Challenges:
Manitoba Hydro’s 6,300 employees are spread throughout the entire province (in the field or in multiple offices), so communications applications and systems are mission critical, especially the Microsoft Exchange and BlackBerry Enterprise Server messaging environments. Monitoring, alerting and troubleshooting these environments were critical, but they relied upon several tools and homegrown scripts. They wanted to consolidate the tools used onto a single platform, as maintenance costs for these various tools were rising.
With Splunk:
By using Splunk Enterprise and the Splunk App for Microsoft Exchange, Manitoba Hydro was able to index, search, and analyze unlimited amounts of data from Exchange servers and other systems in real time. By eliminating the other tools and the need for additional solutions, Manitoba Hydro estimated that they saved approximately $50,000 in software licensing and maintenance costs (over a period of 5 years).
The messaging environment includes more than two dozen Exchange servers, BlackBerry servers, and Cisco IronPort Email Security Appliances (ESA). Because security is also mission critical, Manitoba Hydro used the Splunk Cisco Security Suite and the Splunk App for Cisco IronPort ESA to provide a single, cohesive view that cuts troubleshooting from hours to minutes.
About Denver Water
Established in 1918, Denver Water is the oldest and largest water utility
Services 1.3 million people in the city of Denver and surrounding suburbs
More than 1,100 employees
Majority work in the field (working on pipes, distribution systems)
Challenge:
A deluge of machine data from logs and databases overwhelmed IT administrators, hampering efforts to pinpoint problems when users notified the help desk.
Goals:
Stop users from nagging the service developers with emails and questions
Provide continuous integration: develop checks in code, build software from them, deploy it to a test environment, then test it
See what’s trending: what’s going on in the system, and make it visible for everyone to see.
With Splunk:
Built dashboard for service health (services such as web services, REST services, essentially anything interfacing with backend systems -- geospatial data, work management, asset management, customer data).
Goal was to help their service developers and service enable the whole environment.
Now have visibility into:
Current performance and availability
Historical performance (so can see trends) and availability
Average daily performance
Recent issues (uptime, failures)
Other uses for Splunk:
Example: People in the field, looking up customer info in front of a house, had issues getting the data (casual connectivity in parts of the data); one of the services was not performing well. They used Splunk, analyzed the data and found what was causing the issue, fixed it within minutes and put it back into production.
Example: They didn’t know if customers were using the features they built into applications. Using Splunk analytics they were able to determine the core sets of features the users were applying and those that were being ignored. Now, when the team is in the planning stage they can focus on how the users are actually using applications instead of building features that go untouched.
Example: A work order generated for a technician in the field to service a water meter at a customer location goes through an elaborate process in several systems. The order might have been generated with geospatial data and passed to the asset management system and then to the work management system, which delivers the order to the technician in the truck. Splunk is being used to monitor this workflow from end-to-end. In most cases, business users are not aware if things are not working because IT administrators receive alerts and proactively start managing the systems.
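The end-to-end workflow monitoring described here, and the transaction-time and SLA measurement mentioned earlier in the application management notes, rest on one technique: correlate events from separate systems by a shared transaction key and time, compute per-hop and total latency, and alert on anything stalled or over the SLA. In Splunk that is what a `transaction` or `stats ... by` search does over the indexed events; the Python below is an added, stand-alone illustration of the same logic and is not code from the presentation or from Denver Water. The log format, the system names (`gis`, `asset`, `workmgmt`), the order ids and the 5-minute SLA are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from the three systems a work order passes through
# (hypothetical format and values; not real utility logs).
SAMPLE_EVENTS = """\
2016-03-01T08:00:01Z gis       order=WO-1001 stage=created
2016-03-01T08:00:04Z asset     order=WO-1001 stage=asset_assigned
2016-03-01T08:00:09Z workmgmt  order=WO-1001 stage=dispatched
2016-03-01T08:05:00Z gis       order=WO-1002 stage=created
2016-03-01T08:05:30Z asset     order=WO-1002 stage=asset_assigned
2016-03-01T08:12:00Z workmgmt  order=WO-1002 stage=dispatched
2016-03-01T08:10:00Z gis       order=WO-1003 stage=created
2016-03-01T08:10:02Z asset     order=WO-1003 stage=asset_assigned
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+order=(\S+)\s+stage=(\S+)$")

# Expected order of hops through the systems, and the assumed end-to-end SLA.
STAGES = ["created", "asset_assigned", "dispatched"]
SLA = timedelta(minutes=5)


def parse_events(text):
    """Turn raw log lines into dicts with a parsed timestamp (schema applied at read time)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, source, order, stage = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "order": order,
            "stage": stage,
        })
    return events


def correlate(events):
    """Group events by order id (the transaction key) and measure per-hop and total time."""
    by_order = defaultdict(dict)
    for e in events:
        by_order[e["order"]][e["stage"]] = e["time"]

    results = {}
    for order, stages in by_order.items():
        hops = {}
        for prev, nxt in zip(STAGES, STAGES[1:]):
            if prev in stages and nxt in stages:
                hops[f"{prev}->{nxt}"] = (stages[nxt] - stages[prev]).total_seconds()
        complete = all(s in stages for s in STAGES)
        total = (stages[STAGES[-1]] - stages[STAGES[0]]).total_seconds() if complete else None
        results[order] = {"complete": complete, "hops": hops, "total_seconds": total}
    return results


def find_problems(results, sla=SLA):
    """Return the order ids that would fire an alert: stalled (never reached the last
    stage) or completed but over the SLA."""
    stalled = sorted(o for o, r in results.items() if not r["complete"])
    breached = sorted(o for o, r in results.items()
                      if r["complete"] and r["total_seconds"] > sla.total_seconds())
    return {"stalled": stalled, "sla_breach": breached}


if __name__ == "__main__":
    res = correlate(parse_events(SAMPLE_EVENTS))
    for order, r in sorted(res.items()):
        print(order, r)
    print(find_problems(res))
```

In the sample, WO-1001 completes in 8 seconds, WO-1002 completes but takes 7 minutes and so breaches the 5-minute SLA, and WO-1003 never reaches the work management system and shows up as stalled; those two ids are what an operator would be alerted on before a business user notices.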