Taking Splunk to the Next Level - Manager

Copyright © 2016 Splunk, Inc.
Taking Splunk to the
Next Level for Management
Mark Ovenden
Manager, Business Value Consulting
movenden@splunk.com
May, 2016

Agenda for Today’s Session
2
2 Overview of Key Value Drivers
3 Best Practices for Positioning Value
4 Summary / Q&A
1 Business Value at Splunk

Help customers document the projected and already
realized business value of making machine data accessible,
usable, and valuable for everyone
Common Deliverables:
› CFO-Ready Business Case
› Value Realization Studies
› Usage Maturity & Staffing Readiness
› Enterprise Adoption Roadmaps
› Customer and Industry Benchmarks
700+
Engagements
Worldwide
Since 2013
Business Value Consulting at Splunk

Splunk should not be a Hidden Gem
4
I was never
able to do
this before!
I can search
Syslog way faster
now!
What business
value do I get?

Top Challenges to Documenting Value
ToolsData
Lack of Tools to
Make Value
Measurement Easy
x
Lack of Splunk and
Industry
Benchmarks
x
Not Enough Time
to Assess Your
Value
x
Time

Overview of Traditional Value Drivers
Based on FY16Q3 activity
Security,
Compliance
IT
Operations
Application
Delivery
Common Value Drivers as reported by Splunk Customers

IT Operational Analytics (ITOA)
An overview of Splunk efficiencies and Most Common Data Sources
as reported by Splunk Customers
IT
Operations
NOC, Server, Storage, Network Admins, DBA, Middleware, Application Support Teams

TOP 4 Use Cases for ITOA
Root Cause
Analysis
Up to 30% unknown
root causes, causing
incidents to recur
Incident
Troubleshooting
Lengthy log analysis done manual
Incident
Triage
All hands on deck,
taking up 30 to 40
minutes
Failure
detection
Customer often
informs IT
Before
Splunk
Service
Restoration
Fix is
implemented
#4 Faster and more
comprehensive
root cause analysis
helping to reduce
incident recurrence
#3 Faster investigation (MTTI)
through rapid log search and
correlation conducted in
conjunction by different teams
(everyone looks at the same data)
#2 Faster triage
often conducted
by 1st level staff
without all hands
on deck
#1 Better
detection
customer is
notified by IT
With
Splunk
Fix is
implemented
Event Mgmt Incident Mgmt Problem Mgmt

Benchmarking Splunk Customer Success
Documented through 700+ engagements worldwide
Reduced Sev1 and Sev2
incidents by 43%
Reduced MTTR by 95% and
reduce escalations by 50%
Improved API performance
by 50% reducing need for
infrastructure upgrades and
increasing user satisfaction
15-45% reduction in high priority incidents
70-90% reduction in incident investigation time
67-82% reduction in business impact
5-20% increase in infrastructure capacity utilization
Customer Feedback
IT Operations Analytics (ITOA)

Network Server & Storage
• SNMP
• DHCP
• Firewall
• Load Balancer
• Network Switches
• Network Routers
(cisco_cdr, cisco:asa,
cisco_syslog,
clavister)
• Netflow
• Proxies
Application
• OS Logs (ntsyslog, snare, dhcpd,
linux_secure, aix_secure, osx_secure,
syslog, PERFMON:CPUTime,
PERFMON:FreeDiskSpace, Win:Event, etc.)
• VMWare server logs
• AWS Logs (CloudTrail, CloudWatch,
Config, S3, etc.)
• MS Azure Logs (WADEventLogs,
WADPerformanceCounter,
WADDiagnostInfrastructure, etc.)
• Backup logs
• Storage logs
Common Data Sources
Middleware & Database
• Java – J2EE (log4J, JMS, MQ, TibcoEMS,
HornetQ, RabbitMQ, Native JMS, Weblogic
JMS, etc.)
• Middleware (Tibco, Software AG etc.)
• Web Server (access_combined,
access_combined_wcookie,
access_common, apache_error, iis, nginx,
etc.)
• Application Server (log4j, log4php,
weblogic_stdout, websphere_activity,
websphere_core, websphere_trlog, etc.)
• Mobile Devices
• Database error logs
• Application Error Logs
• Application
Performance and Usage
Logs
• Application
Authentication Logs
• Business Process Logs
(Payments status, batch
upload status, customer
order status, etc.)
• Mail Server Logs
IT Operations Analytics (ITOA)

Application Delivery
Application
Delivery
Developers, Testers, Project Managers AND DBAs, Middleware, Application Support Teams

TOP 6 Use Cases for Application Delivery
typical
SDLC
#4 Faster delivery of
dashboards provide real-time
visibility across all technology
layers involved in processing
business service transactions so
bottlenecks can be swiftly
identified and addressed
#5 Faster Mean Time to Market
on key projects through faster test
failure analysis and defect remediation
#6 Increased release value
through improved visibility on feature
efficiency patterns in order to better
assess needs for future releases
#2 Faster pre-production
defect remediation through
improved investigation of root
causes
#1 Faster test failure analysis
for functional, performance and
security test runs through analysis
of test logs
#3 Fewer escalations to
developers from fewer production
outages means developers are more
focused on innovating the business

Shortened development
cycles by 30%
Reduced reporting time
by 88%
Increased release cycles by
8x with no additional staff
Customer Feedback
80-90% faster development of reports and dashboards
70-90% reduction in time for QA test failure analysis
70-90% reduction in time for pre-prod defect investigation
10-50% improvement in time to market

SDLC
Common Data Sources
• Java – J2EE (log4J, JMS, MQ, TibcoEMS,
HornetQ, RabbitMQ, Native JMS, Weblogic
JMS, etc.)
access_combined_wcookie, access_common,
apache_error, iis, nginx, etc.)
websphere_core, websphere_trlog, etc.)
• Mobile Devices
• Performance Test Logs
• Functional Test Logs
• Security Test Logs
• Debug Logs
• Release Error Logs
• Code Management Logs
Application
• Apache Web Logs
• Application Performance Logs
• Application Authentication Logs
• Business Process Logs (Payments
status, batch upload status, customer
order status, etc.)

Security and Compliance
Security,
Compliance
Security Analysts, SOC, Compliance, Audit teams

Assess
Risk
Deep
Analysis
Monitor
Controls
Audit &
Comply
TOP 4 Use Cases for Security & Compliance
#4 Continuous compliance on
ALL components and policies
resulting in faster and simpler audits
#3 Faster implementation of critical
security controls (ex: CIS Top 20) across ALL
layers of the organization, ultimately resulting in
full enterprise visibility and a reduction in risks
#2 Faster deep dive investigation
on security incidents that require further
proactive and reactive analysis
#1 Faster 1st level triage on ALL security
attacks with less resources as opposed to
reviewing only a subset of attacks
Web Threats
Mobile & IOT Vulnerabilities
Scams & Social Media
Targeted Attacks
Data Breaches
E-Crime & Malware

Security, Compliance & Fraud
70-90% faster detection and triage of security events
70-90% faster investigation of security incidents
70-90% reduction in compliance reporting time
10-50% reduction in risk of data breach, IP theft, fraud
Customer Feedback
Reduced effort on security staff
tasks saving more than
$500,000 per year
Reduced fraud & abuse by
50% converting fraudulent
users to paying customers
Reduced compliance reporting
time by over 80% for SOX,
SAS-70 and PCI
a SaaS company

Security, Compliance & Fraud
Common Data Sources
Network, Server & Storage
• SNMP
• Wire Data
• DHCP
• Firewall
• FTP Logs
• IDS Logs
• Network Access
Control
• File access control
• Network Switches
• Network Routers
Application & User
• Wireless Network logs
• Netflow
• Proxies
• OS Logs (ntsyslog, snare,
dhcpd, linux_secure,
aix_secure, osx_secure,
syslog, Win:Event, etc.)
• Patch Logs
• VMWare server logs
• AWS Logs (CloudTrail,
CloudWatch, Config, etc.)
• Storage logs
• Java – J2EE (log4J, JMS, MQ,
TibcoEMS, HornetQ, RabbitMQ, Native
JMS, Weblogic JMS, etc.)
access_combined_wcookie,
access_common, apache_error, iis,
nginx, etc.)
websphere_core, websphere_trlog,
etc.)
• Malware protection logs
• Endpoint activity
• App. Authentication Logs
• Vulnerability Scanning
• Active Directory
• LDAP, VPN
• SDLC Security Test Logs
• Mobile Devices
• Physical Card Reader Logs
Other
• Threat Lists
• OS Blacklist
• IP blacklists
• Restricted
ports and
protocols
• Vulnerability
Lists
• Social Media
Feeds
• Training Logs

Splunk Security & Compliance Best Practices
RefertotheSplunkCIS20whitepaperfor
detailedusecasesandexamplesofhow
customersuseSplunktoachievethe
anticipatedimprovementswith:
FasterDetectionofSecurityEvents
FasterResearchandInvestigation
ReducedRiskswithDataBreachandFraud

Best Practices for Positioning Value
Based on FY16Q3 activity
Applies to All Types of Use Cases
Security,
Compliance,
and Fraud
IT
Operations
Application
Delivery
Traditional Use Cases
Business
Analytics
Industrial Data
and the
Internet of Things
Vertical Use Cases

Best Practices for Positioning Value
41 3
Quantify
business
value
Qualify
current
pain points
2
Taking your Splunk Deployment to the Next Level
Align
with key
objectives
Measure
your
success

Steps to Aligning with key objectives
• Align your project with something strategic
• Take a top-down approach
• Find an executive sponsor
• Link your plan to Top-5 key objectives
• Explain how Splunk aligns to these objectives
• Use the Splunk Value Benchmarks to help you
1
Align
with key
objectives

Common IT Goals Achieved with Splunk
Infrastructure cost
avoidance through
improved capacity
management
Future headcount
avoidance
Tools consolidation
Optimization of
business processes
Labor savings with
common IT
processes
Faster incident
investigation and
root cause analysis
Proactive
automation of key
business processes
Better visibility &
reporting
Avoid revenue
impact from fewer
critical outages
Faster delivery of
real-time business
analytics
Improved
innovation value for
key business
initiatives
Faster test failure
analysis
Faster remediation
of bugs and defects
Fewer developer
disruptions
Faster, more robust
code deployments
Minimize business
disruptions
Improved & more
consistent SLA’s
More reliable
business services
leads to better
brand
Faster response to
customer
requirements
Better detection of
cyber attacks
Faster response to
security incidents
Continuous
compliance
monitoring
Reduction in risk for
data breach, fraud
and IP theft
Reduce/Avoid
Business
Expenditures
Improve
Internal
Efficiencies
Increase
Revenue
Accelerate
Time to
Market
Improve
Business
Services
Continuously
Secure the
Environment

Steps to Qualifying Pain Points
• Identify common issues and roadblocks
• What’s hindering your key objectives
• Document why something should change
• Describe the current challenges and pain points
• Describe the desired state
Qualify
current
pain points
2

Example of Challenges and Pain Points
Production Support
– Complex layers of technology stack
– Complex flow of data and calls across each
layer
– Lack of end to end visibility on data flow
– Unclear customer impact during incidents
– Lengthy manual investigation of logs cause
longer outages
– Investigation delays prevent real-time
collaboration across teams
– Developer escalations required to assist
with production issues
– Intermittent errors go unresolved for years
Application Releases
– Lengthy manual investigation to address
release errors
– Impossible to gain real-time collaboration
between support staff and developers
– Often unclear whether errors are caused
by code or infrastructure
– Not enough time during change windows
to fix errors
– Releases at risk due to slow determination
of errors
– Business can be impacted by 30-day
release delays if release is backed out

Production Support
– Complete visibility of data flow across
all layers
– Quickly isolate the particular area in the
stack that is causing issues
– Real-time collaboration between teams
during incident response
– Reduce MTTR associated with
production incidents with rapid log analysis
– Faster RCA analysis of problems to reduce
recurring incidents
– Reduce business impact with fewer and
shorter incidents
Application Releases
– Accelerate investigation of functional
and performance defects
– Real-time collaboration between teams
during release errors
– Avoid release rollback through faster
investigation of release errors
– Deliver faster time to value on key
business projects
Example of Desired End-State Vision

Steps to Quantifying Business Value
• Collect internal Key Performance Metrics
• Leverage External Benchmarks to fill in the gaps
• Use Splunk Customer Benchmarks to guide your
efficiency calculations
• Business cases are not an exact science, don’t worry
about being too meticulous
• Keep it conservative!
3
Quantify
business
value

Key Performance Metrics that Drive Value
IT OPERATIONS
› # of sev1, sev2, sev3 incidents per month
› avg MTTR per Incident by severity
› # people involved in Incident investigation
› $ per hour of business impact
› % incidents requiring post incident reviews
› # hours for root cause analysis per incident
› # servers (physical + virtual)
› % servers virtualized
› $ cost per physical vs. virtual server
APP DELIVERY
› # developers
› % developer time spent troubleshooting
› # request for dashboards and reports per month
› # people to develop dashboards and reports
› # large, medium, small project releases per year
› $ business value per project release
› # months from project kick-off to prod release
› # test runs conducted per month
› # pre-prod defects investigated per month
SECURITY & COMPLIANCE
› # of security alerts per week
› # people for 1st first level triage
› avg time to triage an alert
› # security incidents per week
› # people involved per incident
› # sensitive records
› $ business fraud per year
› # audit activities per year
› # people hours per audit activity
Less than 10 KPIs per Value Center

Quantifying Value with Splunk Tools
Financial Analysis Made Easy
– Over 50 Value Calculators
– Driven by Actual Customer Results
– Complete Financial Analysis
– Best Practice TCO Models
Don’t Forget
– Follow the Impact
– Capture All the Value
– Summarize and Socialize
WEB and Excel versionIVA – Interactive Value Assessment

Financial Metrics – Value Dashboard
 Value Realized
 Use Case Gaps
 Additional Value
 Detailed Use Cases
 Benefit Calculations
 Adoption Speed
 Investment Details
 ROI Analysis
 CFO Metrics

Financial Metrics – Adoption Rates
 Value Realized
 Use Case Gaps
 Adoption Speed
 ROI Analysis
 CFO Metrics

Financial Metrics – Use Cases
 Value Realized
 Use Case Gaps
 Adoption Speed
 ROI Analysis
 CFO Metrics

Financial Metrics – Detailed Calculations
 Value Realized
 Use Case Gaps
 Adoption Speed
 ROI Analysis
 CFO Metrics
Splunk helps us avoid incidents, and the
corresponding effort of managing them,
with 3 key capabilities. First, by providing
alerts to conditions that indicate a
problem is coming. Second, through
dashboards that provide visual
representations of health. And lastly, by
delivering greater root cause analysis.

Financial Metrics
 Value Realized
 Use Case Gaps
 Adoption Speed
 ROI Analysis
 CFO Metrics
Investment should account for:
 Software
 Maintenance
 Infrastructure
 Services
 Training
 Advisory Services

***BECOMES***
The Impact of Documenting Value
“We can search syslog and we could never do that before”
35
“We’ve reduced downtime by more than 50% and we’ve captured
11,500 hours/year of efficiencies that have been reallocated to
higher value work across the organization, generating $1.95M
value/year”

Steps to Measuring your Success
• Leverage the use cases identified in the IVA as the
benchmark for tracking and validating your success
• Identify your Top-3 success stories
• Interview power users for each success story
• Describe specific challenges that existed prior to Splunk
• Explain the impact to your organization
• Socialize your successes
4
Measure
your
success

Interview your Power Users
With Splunk
1. How did Splunk help us address this scenario?
2. How fast were we able to implement a solution
with Splunk?
3. Are we able to detect or isolate circumstances
that were previously unnoticed or impossible
to find?
4. How often has this type of scenario surfaced
since Splunk has been in place?
Before | After Questions for each Success Story
Before Splunk
1. How often did this type of scenario occur, how long
did it take to resolve and how many people were
required?
2. What challenges did we face handling this type of
scenario before Splunk?
3. Did we have to do any manual work?
4. Did we invest in infrastructure or other resources to
address this before Splunk?
5. Did this cause direct financial impact?
6. Was customer service or customer loyalty affected?
7. How did this impact end-user productivity?
8. Did it affect our brand negatively, i.e. bad press or
negative social media hits?
5. How faster are we able to respond?
6. Has this freed a % of our staff time to focus on other
more important tasks?
7. Was this possible before Splunk?
8. Can we provide a dashboard screenshot?

Socialize your Top Value Use Cases
Constant cycle of email interruptions impacted the faculty for 1+ year Mail – Blacklist Reduced by 92%
Examples of a Customer Success Story

Plan your Splunk Staffing Roles
A successful and scalable deployment of
Splunk relies on the orchestration of key
roles and responsibilities, primarily
centered around:
 Architecture
 Administration
 User adoption (Power User)
 Application development
Be sure you have the staff and skills to maximize value

Splunk Roles & Recommended Training
Splunk
Roles
Using
Splunk
Splunk
Administration
Searching
and
Reporting
Creating
Knowledge
Objects
Advanced
Searching &
Reporting
Developing
Apps with
Splunk
Developing
with Splunk
SDKs
Architect Required Required Optional Optional Optional Optional Optional
Admin Required Required Optional Optional
Power User Required Required Required Optional
Developer Required Optional Required Required Optional Required Optional
for Splunk on-premises

Splunk Roles & Recommended Training
for Splunk Cloud
Splunk
Roles
Using
Splunk
Splunk
Administration
Searching
and
Reporting
Creating
Knowledge
Objects
Advanced
Searching &
Reporting
Developing
Apps with
Splunk
Developing
with Splunk
SDKs
Architect Required Optional Optional Optional Optional Optional
Admin Required Optional Optional
Power User Required Required Required Optional
Developer Required Required Required Optional Required Optional

Map Your Roles & Highlight Training Gaps
Splunk Admin
#name
Splunk
Developer
#name
Security
Power User
#name
Collaboration
Power User
#name
Database
Power User
#name
CRM
Power User
#name
Network
Power User
#name
Financial
Apps
Power User
#name
Splunk
Architect
#name
= Fully Trained = Partially Trained = Not assigned
Web
Power User
#name
Server
Power User
#name
Your Company

Understand your Data Sources
Groups
Use
Cases
Data
How does my data
overlap across
different groups?
How much of it is
already indexed?
more use cases = more value
from your current data
Are my current users
benefiting from all the
possible use cases?
What else could they
be doing?
Can other groups
leverage the data
already indexed?
How could they benefit
from this data?
What data exists in my
environment?
How much of it is
indexed?

Data Source Assessment Tool
• Identify areas where additional value
can be realized with existing data
• Identify missing data sources required
to achieve specific use cases
• Plan for better value realization by
understanding data overlap indicators

Quantified
Benefits
Drill Down
Use Cases
Success
Stories
Alignment
with Key
Goals
Current Pain
Points
Desired
End State
Investment
Schedule
Financial
Performance
Training
Plan
Data Source
Mapping
KPIs to Track
your Success
 Covered by Free Splunk Value Tools
  
 

 

Bring it all together!

Common Questions
Can I get a copy of the IVA and TCO tools?
Can you assist me with a value assessment?
Can you help us better understand our data sources?
YES!
Get in touch with your
sales rep to schedule
time with your sales
support team
YES!
Send us an email at
value@splunk.com
Can I get a copy of this Presentation?
Can I get a copy of the CIS 20 Security Whitepaper?

Copyright © 2016 Splunk, Inc.47
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
#splunkconf2016

Questions?
Thankyou!

Taking Splunk to the Next Level - Manager

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Taking Splunk to the Next Level - Manager

Similar to Taking Splunk to the Next Level - Manager (20)

More from Splunk

More from Splunk (20)

Recently uploaded

Recently uploaded (20)

Taking Splunk to the Next Level - Manager

Editor's Notes