SplunkLive! makes for revealing IT management showcase

08.06.2016
With a company and product name like Splunk, you’ve gotta hang a bit loose, as I found upon sitting in at the company’s SplunkLive! event in Boston this week. 

The first customer speaker of the day gave a frank assessment of his organization’s implementation (“the on-premises solution, we struggled with it…”) and his frustrations with the licensing model. You have to give Splunk credit for having enough confidence in its offerings to showcase such a kick-off case study.

Another customer whose Splunk implementation started with IT managers said he used to get “weird looks” from colleagues in finance and operations when it was suggested they use Splunk, too. And another customer who spoke at the event joked that “Get Drunk with Splunk” was one possible tagline for its use of the product that wound up on the cutting room floor.

MORE: Take-aways from Splunk .conf2015

San Francisco-based Splunk, which dared to trot out a Denver Broncos data analysis example in the heart of New England Patriots country, has grown over its 13 years into a $670M company with scads of big name customers like Coca Cola and partners such as Amazon Web Services and EMC, thanks in large part to being open to whatever works. Yes, its product started as an IT management and log analysis tool, but it is now used just as commonly for gathering and analyzing security information, and increasingly by business analysts and those keeping tabs on the sprawling Internet of Things. Splunk’s heaviest user processes 1.6 petabytes of data per day.

The company refers to its products, which come in on-premises and cloud versions, as “operational intelligence” platforms.

Nate McKervey, director of technical marketing at Splunk -- and a Splunk user before he joined the vendor -- says the company is addressing customer needs “in the midst of a data revolution.” Whereas traditional tools encouraged customers to keep only data that they figured they’d need, Splunk enables them to build schema on the fly to answer questions that hadn’t occurred to them when the raw information was ingested. All data is relevant to security, for example, he says. Among the case studies he cited was a bank that used Splunk to help sniff out where stolen ATM cards were being used, based on their use at locations too geographically separated to have been visited by the same person within short time spans.
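The ATM case McKervey describes is a form of "impossible travel" detection: two uses of the same card, far enough apart in space and close enough in time that no one person could have made both. The following is an added illustration of that logic in Python, not code from Splunk or from the bank in the case study. The transaction records are constructed sample data, the coordinates are approximate, and the 900 km/h speed ceiling is an assumption chosen to stand in for "faster than a commercial flight"; a real deployment would tune it and add exemptions (e.g. known card-on-file merchants) to control false positives.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed sample ATM authorisation events (card id, ISO timestamp, latitude, longitude).
# Not real data; coordinates are approximate city centres.
SAMPLE_EVENTS = [
    ("card-A", "2016-06-07T09:00:00", 42.3601, -71.0589),    # Boston, MA
    ("card-A", "2016-06-07T09:40:00", 42.2626, -71.8023),    # Worcester, MA (~60 km, plausible drive)
    ("card-B", "2016-06-07T10:00:00", 42.3601, -71.0589),    # Boston, MA
    ("card-B", "2016-06-07T10:30:00", 39.7392, -104.9903),   # Denver, CO 30 minutes later: impossible
    ("card-C", "2016-06-07T11:00:00", 42.3601, -71.0589),    # Boston, MA
    ("card-C", "2016-06-08T11:00:00", 39.7392, -104.9903),   # Denver, CO a day later: plausible flight
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Alert:
    card: str
    first_use: datetime
    second_use: datetime
    distance_km: float
    implied_speed_kmh: float  # float("inf") when the two uses are simultaneous


def find_impossible_travel(events, max_speed_kmh: float = 900.0) -> List[Alert]:
    """Flag consecutive uses of one card whose implied travel speed exceeds max_speed_kmh.

    max_speed_kmh is an assumed threshold (roughly airliner cruising speed); tune per deployment.
    """
    by_card: Dict[str, List[Tuple[datetime, float, float]]] = {}
    for card, ts, lat, lon in events:
        by_card.setdefault(card, []).append((datetime.fromisoformat(ts), lat, lon))

    alerts: List[Alert] = []
    for card, uses in by_card.items():
        uses.sort()  # chronological order so each pair is "previous use, next use"
        for (t1, lat1, lon1), (t2, lat2, lon2) in zip(uses, uses[1:]):
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp at two distinct locations cannot be one person either.
                if dist > 0:
                    alerts.append(Alert(card, t1, t2, dist, float("inf")))
                continue
            speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append(Alert(card, t1, t2, dist, speed))
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.card}: {a.distance_km:.0f} km between {a.first_use} and {a.second_use} "
              f"(~{a.implied_speed_kmh:.0f} km/h)")
```

The same pairwise comparison is what a search over an indexed transaction log would do: group by card, order by time, compute distance and elapsed time between neighbouring events, and alert when the implied speed is implausible. The schema (card id, time, location) only needs to exist at search time, which is the "schema on the fly" point McKervey makes.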

Jigar Kadakia, chief information security and privacy officer at Partners Healthcare, discussed his organization’s efforts to maximize its use of existing security tools and expand use of Splunk to aggregate log management -- all while rolling out a major electronic health record system. Splunk has been invaluable for, among other things, gathering information on and investigating four breaches that have been publicly identified over the past year, he said.

Kadakia acknowledged right away that the Splunk implementation hasn’t gone smoothly, but he’s optimistic it is on track now and that Partners will eventually be able to use Splunk for more advanced purposes, including business intelligence and analytics dashboards that will improve operations on the clinical and ER sides. Partners is even looking to co-develop modules with Splunk that could be given back to the community (and perhaps save organizations from having to fork over big bucks to third parties for such modules).

Among the issues Partners encountered was Splunk software not playing nicely with EMC hardware despite assurances from both vendors, and that took about six months to sort out (Kadakia wishes that Splunk’s cloud-based offerings had been further along a couple of years back when his group adopted Splunk, but instead Partners went with an on-premises version better able to handle its processing needs). Kadakia also urged Splunk to rethink its licensing model to accommodate realistic enterprise use of the software given exploding data growth (“the more you consume, the more you pay approach is frustrating for me”); he suggested a tiered model based on the number of users.

A more general piece of advice shared by Kadakia regarding tools like those from Splunk that collect oodles of machine data for the analyzing pleasure of employees is that certain skills are really needed to make sense of the data regardless of how nice the dashboards look. “People can’t sit around all day and look at dashboards,” he said, noting that what often happens is that employees have to squeeze the data analysis in between their real job duties. Hiring dedicated statisticians or people with true analytical capabilities is worth considering as part of any such project – not that such people are easy to find, he said. 

Dunkin’ Brands’ Matt Kraft, director of application development and consumer technology, said regular proclamations by the coffee and donut company’s CEO about the next big mobile app capability keep the IT team on its toes. Dunkin’, which this week went live with mobile ordering, now has 4.5 million Perks Rewards loyalty members – and that adds up to loads of data that the company uses to make important decisions.

Dunkin’, which installed an on-prem version of Splunk at the urging of its security team, takes an approach of “index everything” when it comes to the data it collects under the assumption you never know what you might need it for, Kraft says (Dunkin’s enterprise license supports 100GB of ingested data). The company started using Splunk for basic IT operations data, such as server health and application monitoring, but has come to rely on the software increasingly for gaining visibility into consumer behavior, ranging from loyalty program password problems to marketing campaign adoption to fraud. One example: Keeping an eye on how many customers were using Apple Pay under one promotion that gave them bonus rewards from a finite pool of money.

More business-facing dashboards will be developed using Splunk going forward, and this includes tracking how online ordering goes, Kraft said. Doing so with traditional BI tools would be much more challenging, he said. While Dunkin’ has already seen data research requests to engineers drop to nearly zero, the company is giving even more thought now to how it actually logs data so that queries are easier to build in Splunk, Kraft added.

A recurring theme among Splunk customers is the product’s flexibility. Jake McAleer, senior manager for IT security at Athenahealth, says flexibility is key for the Watertown, Mass.-based provider of web-based portals for doctors’ offices and hospitals because so much of what it does is customized.

“Because we’re a custom-developed application we don’t necessarily have a framework for consuming logs,” he said. “A lot of the stuff that’s out there is specifically designed to say ‘I’m looking for a domain controller log, I know specifically what to look for’.” 

Furthermore, he said Splunk makes it easy to give users access without giving them carte blanche, and he said the software is forgiving when DevOps makes changes to apps. "It's not the end of the world" to rejigger things, he said.

Athenahealth uses Splunk Enterprise Security regularly to consume anti-malware, anti-virus and other logs, and users employ the tool to check for patterns and craft alerts related to high value targets. The company consumes just below 400GB of data a day under its license, and has a goal of keeping 2 years’ worth of data searchable by Splunk.

A Splunk rep boasted in an event warm-up video that "There’s no place to have more fun in Las Vegas than the Splunk conference, am I right?" That sounds like a stretch, but based on the mini-Boston edition, the company's next big customer event in Orlando in September could be worth the trip.

(www.networkworld.com)

Bob Brown
