Splunk® Center of Excellence

Splunk Center of Excellence Handbook

Download manual as PDF

Download topic as PDF

Use Case and Data Lifecycle

Getting data into your Splunk deployment is just the beginning. To get the greatest value from your data, it must be defined in a use case and validated, and your users engaged.

The Splunk CoE offers a five-step data onboarding workflow for every incoming data request. The activities in the Use Case and Data Lifecycle service area follow these steps to define responsibilities and tasks, gather requirements, validate use cases, and retire use cases that are no longer needed.

Activity Matrix for Use Case and Data Lifecycle

Build these activities into your implementation plan according to Good, Better, or Best depending on whether you are implementing Splunk software as a solution, a service, or a strategy.

Activities Good Better Best


Processes to bring requests for new use cases or data sources to your team's attention and to track and prioritize them among other requests.

Accept ad-hoc requests (for example, email, chat, voice).

Utilize the Request Workflow for Splunk app (see Ticketing/workflow system on Splunkbase)

Establish cost chargeback estimates for budget owner (see In depth: Showback plan for the Splunk CoE


Guidelines to determine where to place line breaks and timestamps on incoming data and to identify the intended use case or value of the data.

Establish a process for defining baseline data that uses learned source types and little or no source data optimization

Establish a process for defining technical data that includes the following:

  • Defined source types (discover an existing add-on or create a new one)
  • Target index(es)
  • Data sensitivity searches, including personally identifiable information
  • End-user needs and outcomes
  • Field and value extractions
  • Generated knowledge objects, dashboards, and alerts

Everything achieved in Better

Establish a process for defining value-oriented data

  • Normalize fields with a common information model
  • Define tags
  • Develop a corporate information model
  • Consider license and storage impact
  • Identify business priority
  • Reuse data and knowledge objects for other use cases


Processes to carry out the Splunk configuration and to engage the requestor in the implementation process.

Deploy technical add-ons that support getting data in

Create a deployment server class that includes search, index, and forwarding and data collection tiers

Everything achieved in Good

Establish initial use case requirements

Apply naming conventions to knowledge objects (see In depth: Naming conventions for the Splunk CoE)

Utilize the app builder for custom components

Everything achieved in Better

Create a lab environment for developing system and test automation


Processes to verify that the use case meets the requester's expectations and needs, and to enable the requester to communicate feedback.

Validate reactively: requester validates the work after it is completed

Validate proactively: requester validates the work at regular intervals during development

Validate demonstratively: requester validates the work in real-time from a hands-on demonstration of the use case (knowledge objects, data, etc.)


Structures to inform the requester that the related work is completed and to enable others to learn about it.

Communicate with individuals that the work is completed

Everything achieved in Good

Announce to the community that the work is completed

Everything achieved in Better

Share final showback calculations with the requester

Track and communicate the business value of use cases to executive stakeholders


Processes to maintain Splunk knowledge objects and to remove them and their data sources when a use case is no longer needed.

Monitor the ongoing need of use cases individually

Stop indexing, generating, or forwarding the data when it is no longer needed

Everything achieved in Good

Establish a process for regularly evaluating the need for use cases

Establish a process for users to request that a use case be retired

Establish a process for retiring use cases that includes disabling knowledge objects, purging unnecessary data, and disabling server class(es) on the search, index, and forwarder and data collection tiers

Everything achieved in Better

Remove the use case from showback system

For more about data onboarding best practices, see In Depth: Data Onboarding Workflow for the Splunk CoE.

Program Management and Value Realization
User and Team Lifecycle

This documentation applies to the following versions of Splunk® Center of Excellence: current

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters