Splunk is a “Daily Driven” Hypercar – Make Sure You Maintain it!

Posted: May 20, 2019
Category: Splunk

In the world of automobiles, hypercars are reserved for only the top one percent of cars and are specifically designed to push the boundaries of performance and technology. But the effectiveness of those characteristics can’t be preserved without the performance of regular maintenance and inspections. In the world of data analytics platforms, Splunk is a hypercar, and the mentality of regular maintenance to maintain effectiveness (generally called a “health check”) is no different.

Before a health check is performed on Splunk, three key questions should be asked:

  • How often should it be performed?
  • What is the health check looking for?
  • Who can do the work?

The answer to all of those is (of course), “It depends.” Let’s take the timing question first. We advise that the Splunk infrastructure be inspected at roughly the same interval as the recommended maintenance schedule of a hypercar, which is twice a year. Even though Splunk is more like a “daily driven” hypercar (it is collecting and processing data almost constantly), twice a year is generally sufficient to find any problems and to create a remediation plan in a typical environment.

However, that advice comes with a caveat. If you are putting more miles on the car – maybe you’re letting your friends drive it or you are taking your car on the race track a lot – then you need to check things out more often. The same thing is true with Splunk. We have found that most Splunk implementations grow organically and rapidly. It may start with a business use case in either technology infrastructure or security, but then it quickly expands into multiple groups and organizations to provide additional visibility and analytics. As adoption grows, the Splunk infrastructure must expand as well. Such acceleration can be difficult to control, and a more frequent health check may need to be scheduled to ensure peak stability and performance.

Now let’s look at the last two questions at the same time. Just as the hypercar owner can perform common maintenance tasks (checking your gauges, refueling, changing the windshield wipers, washing the car, etc.), there are maintenance tasks that you can – and should – perform as the Splunk environment owner. The following are a few simple and straightforward tasks that can help keep a clean and healthy environment:

However, just as hypercar maintenance should be performed by expert technicians, a full Splunk health check should be performed by expert engineers. An experienced Splunk engineer will know how to check for the deeper issues and head off major problems. Some of the most common issues discovered in Splunk health checks are:

  • compliance with the Common Information Model (necessary for premium offerings like Enterprise Security, IT Service Intelligence, and User Behavior Analytics)
  • inconsistent data onboarding standards (can limit analytical effectiveness)
  • limitations imposed by the architecture, hardware, or other configurations (can significantly restrain the potential performance of the existing implementation)
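The first two items in that list are the kind of thing an engineer checks by comparing what each sourcetype actually extracts against what the Common Information Model data model expects. The script below is an added example written for this post, not Splunk's or Set Solutions' code: it runs a CIM field-coverage check offline over a few constructed sample events. The required-field lists and the alias table are illustrative assumptions, not a copy of the CIM specification, and the sourcetype names and events are constructed.

```python
"""Added example: an offline CIM field-coverage check over sample events.

A health check often finds that a sourcetype feeding a premium app does not
expose the fields the Common Information Model expects, or that two
sourcetypes name the same thing differently (src vs src_ip). This script
flags both conditions per sourcetype. Field lists below are an assumed,
illustrative subset of the CIM, not the specification itself.
"""

# Assumed required fields per data model (illustrative subset, not the full CIM).
CIM_REQUIRED_FIELDS = {
    "Authentication": {"action", "app", "dest", "src", "user"},
    "Network_Traffic": {"action", "dest", "dest_port", "src", "transport"},
}

# Non-CIM names commonly produced by inconsistent onboarding, keyed by the
# CIM field they should have been mapped to. Constructed for the example.
KNOWN_ALIASES = {
    "src": {"src_ip", "source_ip", "clientip"},
    "dest": {"dest_ip", "dst", "destination"},
    "user": {"username", "uid", "account"},
}

# Constructed sample events with fields already extracted, each tagged with
# the data model it is supposed to populate. Sourcetype names are made up.
SAMPLE_EVENTS = [
    {"sourcetype": "linux_secure", "cim_model": "Authentication",
     "fields": {"action": "failure", "app": "sshd", "dest": "web01",
                "src": "10.0.0.5", "user": "root"}},
    {"sourcetype": "custom:vpn", "cim_model": "Authentication",
     "fields": {"action": "success", "app": "vpn", "dest": "vpn-gw",
                "src_ip": "203.0.113.9", "username": "alice"}},
    {"sourcetype": "fw:acme", "cim_model": "Network_Traffic",
     "fields": {"action": "allowed", "src": "10.0.0.5",
                "dst": "198.51.100.2", "dest_port": "443"}},
]


def check_event(event):
    """Return (missing, misnamed) for one event.

    missing  - required CIM fields with neither a value nor a recognised alias
    misnamed - {cim_field: alias_present}, i.e. onboarding inconsistencies
    """
    required = CIM_REQUIRED_FIELDS[event["cim_model"]]
    present = set(event["fields"])
    missing, misnamed = set(), {}
    for field in required:
        if field in present:
            continue
        aliases = KNOWN_ALIASES.get(field, set()) & present
        if aliases:
            misnamed[field] = sorted(aliases)[0]
        else:
            missing.add(field)
    return missing, misnamed


def coverage_report(events):
    """Aggregate per sourcetype: missing fields, aliases to fix, coverage ratio."""
    report = {}
    for ev in events:
        missing, misnamed = check_event(ev)
        entry = report.setdefault(ev["sourcetype"], {
            "model": ev["cim_model"], "missing": set(), "misnamed": {}, "events": 0})
        entry["events"] += 1
        entry["missing"] |= missing
        entry["misnamed"].update(misnamed)
    for entry in report.values():
        required = CIM_REQUIRED_FIELDS[entry["model"]]
        bad = len(entry["missing"]) + len(entry["misnamed"])
        # Fraction of required fields that are present under their CIM name.
        entry["coverage"] = round(1 - bad / len(required), 2)
    return report


if __name__ == "__main__":
    for sourcetype, entry in coverage_report(SAMPLE_EVENTS).items():
        print(f"{sourcetype} ({entry['model']}): coverage={entry['coverage']}, "
              f"missing={sorted(entry['missing'])}, rename={entry['misnamed']}")
```

Run against exported events, a report like this gives the health check two concrete work items per sourcetype: fields that are absent (a parsing or data-source problem) and fields that exist under the wrong name (a `FIELDALIAS` or `EVAL` fix in props.conf). Anything below full coverage is a sourcetype that Enterprise Security or ITSI will only partially see.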

If you haven’t had a health check performed on your Splunk environment in a while, we highly recommend you consider getting that done soon. Without those checks being performed on a regular basis, you will run into major issues that affect your Splunk performance. That is especially true if usage is expanding in your environment.

***

At Set Solutions, we can review every aspect of the platform and advise on any errors, issues, or recommendations. We can typically complete it in 3-5 days (depending on the size of the organization). Our Splunk engineers have built, improved, and maintained Splunk implementations in some of the largest enterprises in the world.

If you are interested in talking to us about performing a Splunk Health Check in your environment, please reach out to us.

****

This blog was written by John Owen, Senior Security Consultant at Set Solutions