Your team is up and running with Splunk. Now you want to maximize your investment and solve additional business problems. Hear how to expand beyond the initial use case. Learn how to capture, document and present Splunk's data and present impactful ways to calculate ROI using concrete metrics: cost savings, time savings, efficiency gains, and competitive advantage.
Taking Splunk to the Next Level - New to Splunk
1. Taking Splunk to the Next Level for Management
Doug May
Director, Global Business Value Consulting
Splunk>
June 11, 2015
2.
3. Help Splunk document the projected and already realized business value of making machine data accessible, usable, and valuable for everyone
Common Deliverables:
› CFO-Ready Business Case
› Value Realization Studies
› Usage Maturity & Staffing Readiness
› Enterprise Adoption Roadmaps
› Customer and Industry Benchmarks
Business Value Consulting at Splunk
400+ Engagements Worldwide Since 2013
4. Focusing on Value Takes it to the Next Level
Your process requires it
Create and maintain visibility
Replicate success across the organization
Accelerate enterprise adoption
Maximize business results
5. Splunk is a Hidden Gem
Way cool, dude.
What business value do I get?
I’m invincible!
6. Top Challenges to Documenting Value
• Data: Lack of Splunk and Industry Benchmarks
• Tools: Lack of Tools to Make Value Measurement Easy
• Time: Not Enough Time to Assess Your Value
7. Splunk Can Help Documenting Value
• Tools: All Splunk Tools Are Available to All of You
• Time: Tools, Content and Team Will Save You Time
• Data: Access to Splunk and Industry Benchmarks
8. When You Document & Position Value…
Increased license 4X
Accelerated budget 6 months
Increased license 2X
Elevated to CIO
Increased license 10X
200GB to 2TB
Expanded from Ops to Security
Replaced legacy SIEM
From Security to Ops & Apps
Splunk made strategic
Splunk Now the Analytics /
BI Platform
splunk>
value
$$$
9. Best Practices for Documenting & Positioning Value
Taking your Splunk deployment to the next level
1) Align with Key Business Objectives
2) Qualify and Quantify Business Value
3) Incremental Steps with a Big Picture Plan
4) Measure and Track Your Success
10. Value is in the Eye of the Beholder
1) Align with Key Business Objectives
Did you know you can save
15% on your car insurance
when you call Geico?
Is that important to you?
Maybe it’s not.
11. Steps to Qualify Value
• Align your project with something strategic
• Talk with influential and knowledgeable people
• Document why something should change or be added
• Describe the current challenges or barriers
• Identify the “desired” state
• Summarize and socialize - gain support
2) Qualify and Quantify Business Value
12. Qualifying Value Example
Visibility to Environment Health & User Exp.
Brute force approach providing visibility to key
processes isn’t working and won’t scale
Operations still lacks complete end-to-end visibility
to the environment’s health, use and trends
Blind spots still exist in monitoring and data access
for Operations which could help improve
troubleshooting and uptime / availability
Incident / Issue Notification
Brute force approach to proactive monitoring isn’t
working consistently and won’t scale
There’s a “Waterfall effect” – small issues go
without broader notification triggering other issues
eventually leading to a bigger incident
Users are aware of issues before Operations and
call the helpdesk
All the lights are “green” but still ~65% of incidents
overall are reported first by the business
Troubleshooting Incidents / Issues
Operations troubleshooting is cumbersome and
suboptimal
It’s still manual across IT silos
It’s difficult to find root cause of incidents quickly
Performance issues are difficult to resolve
Outages and impact are elongated due to manual
efforts and silos
Teams are distracted from their core work when
they’re troubleshooting
Recurring Incidents / Issues
The Problem Management process isn’t working
because there are many high severity incidents still
without root cause determined
As a result, Operations is solving the same problems
again and again
Opportunities exist to improve on incident avoidance
since @25%+ of incidents are repeats
DESIRED STATE VISION:
Complete visibility to
environment health & trends
across full application stack for all
stakeholders
Proactively avoid issues before
the business is impacted
Reduce MTTR with rapid root
cause analysis
13. Quantifying Value with Splunk Tools
Financial Analysis Made Easy
• Over 45 Value Calculators
• Driven by Actual Customer Results
• Complete Financial Analysis
• Best Practice TCO Models
Don’t Forget
• Follow the Impact
• Capture All the Value
• Summarize and Socialize
14. Interactive Value Assessment (IVA) Highlights
The power of Splunk Value in a simple package
Target your business case Calculate value seamlessly
Be credible Deliver value on the spot!
Choose 1 or many
Groups
45 Value Calculators
Automatically surface
those that are relevant
Built-in Industry
Benchmarks and
Customer Case Studies
Presentation options of
benefit summaries &
financial analysis
15. Execute Against a Strategy
Take directional, incremental steps
• Avoid being reactive – don’t drive by data source
• Develop a plan to expand Splunk
• Link the plan to strategic company goals
• Use Splunk tools and benchmarks to document and
quantify the anticipated value
• Set baselines for success
• Commit to measure value realized post deployment
3) Incremental Steps with a Big Picture Plan
17. Measure & Track Success
Helping you take it to the next level
• Demonstrating success will help further the cause
• Tell the story of your Splunk usage
• Compare your success against Splunk customer
benchmarks
• Assess your usage and staffing maturity
• Then bring it all together
4) Measure and Track Your Success
• Value Realization
• Usage Maturity
• Skills Readiness
18. The Impact of Documenting Value
BEFORE: “We can search syslog and we could never do that before.”
AFTER: “We’re saving 27,000 hours/year, have reduced downtime by more than 50%, and our fraud team has stopped over $10M with Splunk. It’s invaluable.”
19. Measure Success with Value Realization
“Money follows money well spent”
• Summarize BEFORE and AFTER Splunk
• Capture metrics of improvement
• Socialize your success
20. Usage Adoption Drives Value
Reactive to Proactive:
• Search and Investigate
• Proactive Monitoring and Alerting
• Operational Visibility
• Real-time Business Insight
21. Usage Maturity Assessment – IT & APP OPS
Drive expansion through highlighting value opportunities
Columns: Groups | % Data Indexed | Log Collection | Incident Investigation | Root Cause Analysis | Proactive Alerting | Operational Dashboards | Business Analytics | Capacity Planning | Level 1 Triage | Level 2 & 3 Escalation
Virtualization 0%
OS - Unix 25%
OS - Windows 0%
Storage 33%
Network 100%
Legend: Splunk fully in use; Splunk partially in use; Splunk not in use
22. Usage Maturity Assessments – SECURITY
Drive expansion through highlighting value opportunities
Columns: Data Sources | % Indexed | Log Collection | Level 1 Triage | Monitoring / Alerting | Investigations | Incident Response | Compliance Reporting | Routine Log Reviews
Threat Intel (3rd Party): 70%
Threat Intel (OS Blacklist): 70%
Network (Firewall): 90%
Network (IDS/IPS): 90%
Endpoint (PCLM): 80%
Access & Identity Mgt: 75%
Legend: Splunk fully in use; Splunk partially in use; Splunk not in use
Currently handled by MSSP
23. Usage Maturity Assessments – SECURITY CONTROLS
Drive expansion through highlighting value opportunities
Critical Control In Place?
Monitor unauthorized devices or software
Monitor unmanaged devices or software
Monitor configuration compliance
Monitor patch compliance
Monitor malware defense
Monitor application software security
Monitor wireless access control
Analyze audit logs with time-based correlation
Critical Control In Place?
Monitor use of ports, protocols, and services
Monitor controlled use of admin privileges
Monitor perimeter IDS
Monitor controlled / uncontrolled access
Monitor orphan, expired, misuse of accounts
Monitor potential exfiltration of information
Monitor secure IP restriction policies
Maintain data going back months
Legend: Splunk fully in use; Splunk partially in use; Splunk not in use
24. Benchmarking Splunk Customer Success
Documented through 400+ engagements worldwide
IT & App Operations
• 15-45% reduction in high priority incidents
• 70-90% reduction in incident investigation time
• 67-82% reduction in financial impact
• 5-20% increase in capacity utilization
App Development
• 70-90% reduction in QA defect/failure investigation
• 10-50% improvement in time to market
• 10-50% increase in value for key projects
Security & Compliance
• 70-90% faster detection and triage of security events
• 70-90% reduction in incident response time
• 10-50% reduction in risk of data breach, IP theft, fraud
• 70-90% reduction in compliance reporting time
25. Benchmarking Splunk Customer Success
Documented through 400+ engagements worldwide
IT & App Operations | App Development | Security & Compliance
• Reduced Sev1 and Sev2 incidents by 43%
• Improved capacity utilization and avoided $200k in infrastructure
• Reduced troubleshooting time by 70% and user impact by 40%
• Went from 1 release/day to 8 with Splunk and added no new staff
• Reduced developer time troubleshooting by 95% and shortened their development cycles by 30%
• Reduced the number of security incidents by 80% with faster detection
• Reduced investigation effort by more than 75%
• Reduced the time to report on SAS70 compliance by 83%
26. Splunk Staffing Readiness
Be sure you have the staff and skills to maximize value
A successful and scalable deployment of
Splunk relies on the orchestration of key
roles and responsibilities, primarily
centered around:
Architecture
Administration
User adoption (Power User)
Application development
27. Basic Communication Framework
Architect
Admin
Works with power users to determine
which data sources should be indexed
to meet each department’s needs
Scales the Splunk architecture to meet
business demand
Power Users Department Users
Adds data sources to the Splunk
platform according to business needs
Assists power users with the
development of advanced dashboards,
alerting and reporting
Maintains the Splunk SW and its
infrastructure for optimal performance
1 Power user per department
Provides basic support for new and existing reports
and dashboards
Works with their group to identify opportunities
where Splunk can provide value
28. Splunk Roles & Recommended Training
Columns: Splunk Roles | Using Splunk | Splunk Administration | Searching and Reporting | Creating Knowledge Objects | Advanced Searching & Reporting | Developing Apps with Splunk | Developing with Splunk SDKs
Architect Required Required Optional Optional Optional Optional Optional
Admin Required Required Optional Optional
Power User Required Required Required Optional
Developer Required Optional Required Required Optional Required Optional
for Splunk on-premises
29. Splunk Power User Status
Recommendation: 1 power user per group
Columns: Splunk Power User(s) | Using Splunk | Splunk Administration | Searching and Reporting | Creating Knowledge Objects | Advanced Searching & Reporting | Developing Apps with Splunk | Developing with Splunk SDKs
• Web
• Anurag D.
• Security
• Josh H.
• Infrastructure
• Mike G.
Legend: Splunk training completed; Required; Optional; Training required but not completed; Optional training not completed
Responsibilities
• Works with their group to identify opportunities where Splunk can provide value
• Collaborates with the Splunk admin(s) to add new data sources to address their requirements
• Provides basic support for new and existing reports and dashboards to their group
30. Map Your Roles & Highlight Training Gaps
Your Company
Splunk Admin: #name
Splunk Developer: #name
Security Power User: #name
Collaboration Power User: #name
Database Power User: #name
CRM Power User: #name
Network Power User: #name
Financial Apps Power User: #name
Splunk Architect: #name
Web Power User: #name
Server Power User: #name
Legend: Fully Trained; Partially Trained; Not assigned
32. Position Value in
Expansion Area
Taking it to the Next Level
Value Opportunity:
• faster detection,
• faster investigation,
• faster root cause
analysis of application
incidents
• fewer developer escalations
After 3 to 6
months
After 3 to 6
months
Document Success for
Server & Network teams
Document Success for
App & DB teams
Position Value in
Expansion Area
Application
Development
Value Opportunity:
• faster test analysis,
• faster investigation of pre-
production bugs,
• faster release cycles
Position Value in
Expansion Area
Security &
Compliance
Value Opportunity:
• faster detection, faster triage,
• faster investigation of security incidents
Value Realized:
• faster detection,
• faster investigation,
• faster root cause
analysis of system
incidents
IT Operations
Application
Support
33. Best Practices for Documenting & Positioning Value
Taking your Splunk deployment to the next level
1) Align with Key Business Objectives
2) Qualify and Quantify Business Value
3) Incremental Steps with a Big Picture Plan
4) Measure and Track Your Success
34. Ask Me or Your Account Team For…
• The Interactive Value Assessment
(IVA) model
• Usage adoption maturity templates
• Splunk staff readiness templates
• Splunk common benefits and
benchmarks
Your process requires it
85% of investments over 50,000 USD require a formal business case (IDC)
Create or maintain visibility to Splunk’s strategic importance
Prioritize Splunk investment over other projects
Facilitate continued support and resources (FTE, maintenance, etc)
Ease approval of future resource requests
People, infrastructure, Splunk license, professional services
Supporting renewals; staff departures
Eliminate any doubt of Splunk’s value to your organization
Help Others Succeed in your organization
If they understand what you’ve done and what value you’ve received, they can do the same thing
Promote yourself or your team
Show your success to help promote your people and your own accomplishments
You all know what a great platform Splunk is. So if it’s so great, why does our team exist?
Well…Users love Splunk and clearly understand the value it delivers to them operationally, but they struggle with articulating it to their senior management in business terms. This leaves executives asking what THEY get from Splunk. They understand their people love it, but can’t put dollars, euros, yuan, or yen on it easily.
The Value that Splunk brings to the business is a hidden gem for most executives. When they are able to understand the business value it delivers for them, in most cases it’s priceless.
Reduce/avoid downtime
Gain control over costs, capacity, user experience
User and usage analytics to support real-time business decision-making
Real-time and historical data analysis for trending and pattern detection