Splunk® Center of Excellence

Splunk Center of Excellence Handbook


Charter for the Splunk CoE

[Figure: CoE roadmap. The Foundations areas are shown as part of the baseline event, labeled "baseline event in progress"; the Charter foundation area is marked "you are here".]

Defining a Charter helps you allocate resources, clarify expectations, and set overall goals. Creating a Charter is a straightforward process in which you identify the scope and governance structure for your CoE.

Guidelines for defining a Charter

Align goals with available time and resources
Building an ideal Center of Excellence is an ongoing process and can take several implementation cycles to achieve your ultimate goals. The Charter helps you take logical steps so you can make sound decisions based on your time and resources.
Define a Charter that makes sense for your organization
The Charter considers internal or external factors specific to your organization. You have the option to centralize or de-centralize the CoE in any way that will best take advantage of your organization's resources.

Select a scope: Splunk as a solution, service, or strategy

A scope defines the point and purpose of the CoE's efforts and investments. Select a scope from the three options below.

| Mission              | Objective Maturity | Purpose                                                                                                          |
|----------------------|--------------------|------------------------------------------------------------------------------------------------------------------|
| Splunk as a solution | Good               | Splunk will address use cases for a single team, group, or purpose.                                              |
| Splunk as a service  | Better             | Your Splunk team will provide Splunk-related services for multiple teams, groups, and purposes.                  |
| Splunk as a strategy | Best               | Your Splunk team will provide mature services that position Splunk as a competitive differentiator for your business. |

Select a governance structure

How you organize your Splunk implementation defines the general governance for your CoE. Choose one of the recommended governance models: centralized, federated, or hybrid.

| CoE Structure     | Description                                                                                                                                                        |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Centralized model | Concentrate Splunk engineering (hardware and people) into a central team with a single Splunk deployment.                                                           |
| Federated model   | Teams operate their own independent Splunk deployments and projects. Program management provides best practice guidance and a forum for meetings to keep them coordinated. |
| Hybrid model      | A mix of both centralized and federated, where a critical mass of the Splunk activity is within a central team. Satellite deployments exist outside of the central team. |

Infrastructure requirements comparison chart

Consider what kind of infrastructure works best with the model you choose. Use the chart below to review the characteristics of each CoE model.

Each model is described below by its infrastructure, benefits, and challenges.

Centralized model
  Infrastructure:
    • A majority or the entirety of event data is stored on a common set of indexers
    • Users access a common search head or search head cluster
  Benefits:
    • Good for small deployments
    • Event data is easily accessible and shared
    • Faster to get started and simple to set up
    • Allows for quick growth
    • Easier to manage deployment-wide search concurrency
    • Requires the least hardware
  Challenges:
    • Effort is required to scale as more groups adopt Splunk and the number of use cases and users grows
    • Impacted by "noisy neighbors", which can slow the system down for everyone sharing the deployment

Federated model
  Infrastructure:
    • Architecture may reflect the independent operations of each team
    • Event data may be stored on separate pools or clusters of indexers
    • Different search heads may be allocated to users or departments, each able to search a subset or all of the indexers
  Benefits:
    • Allows teams to manage their infrastructure independently under a common set of standards
    • Addresses scale issues
    • Good for very large organizations
    • Isolates "noisy neighbors"
    • Changes by one team have less risk of impacting other teams
    • Flexible infrastructure deployment options
  Challenges:
    • Requires more coordination from the program manager
    • More complex to set up and manage
    • Managing deployment-wide search concurrency is more complex

Hybrid model
  Infrastructure:
    • Dedicated indexers and search head(s) are set up for a use case or department
    • The search heads may have the ability to search other deployments
  Benefits:
    • Simplified chargeback
    • Less complex to manage
    • A centralized team can still manage smaller groups or business units
    • A centralized operations team can provide Splunk as a Service
    • Federated customer teams can meet scale demands
  Challenges:
    • Requires coordination for federated resources
    • The Operations team must be prepared to operate a large Splunk deployment
    • Requires the most hardware

Practical partitions of Splunk operations

Splunk operations fall into three practical partitions: program management, customer facing, and operations. These practical partitions help you assess your existing org structure.

Each partition is described below by its shared goals and responsibilities and the Splunk roles associated with it.

Program management
  Shared goals and responsibilities:
    • Executive alignment for Splunk as a Service
    • Communication with Splunk stakeholders
    • Project management for Splunk customers and Operations teams
  Associated Splunk roles:
    • Architect
    • Executive sponsor
    • Program manager
    • Project manager

Customer facing
  Shared goals and responsibilities:
    • Work with consumers on data and user onboarding
    • Act as internal subject matter experts for creating searches and dashboards
    • Consult on customer use cases
    • Provide Help Desk support to end users
    • Run office hours and in-house training
    • Promote best practices to end users
  Associated Splunk roles:
    • Developer
    • Expert user or search expert
    • Knowledge manager

Operations
  Shared goals and responsibilities:
    • Responsible for architecture, deployment, and scaling of Splunk infrastructure
    • Manage day-to-day operation of Splunk instances
    • Perform server-side data onboarding tasks (e.g. set retention policy, configure access controls, add lookups)
  Associated Splunk roles:
    • Engineer
    • Knowledge manager

This documentation applies to the following versions of Splunk® Center of Excellence: current
