Splunk® Center of Excellence

Splunk Center of Excellence Handbook

Platform Management and Support

Activities in the Platform Management and Support service area establish an optimized Splunk platform architecture and systems for continuity planning, capacity planning, and incident management. Having these systems in place provides the following benefits:

  • Makes your Splunk platform more stable and reliable
  • Lowers the total cost of ownership (TCO) for IT
  • Increases the business value of IT
  • Can save time and money for the whole organization

Activity matrix for Platform Management and Support

Build these activities into your implementation plan according to Good, Better, or Best depending on whether you are implementing Splunk software as a solution, a service, or a strategy.

EDUCATION

How the Splunk engineering team (not users) stays current on how to use Splunk software.

Good:

  • Self education
  • Leverage Splunk Documentation
  • Leverage Splunk Answers

Better:

  • Everything achieved in Good
  • Splunk education paths by role
  • Establish a sandboxing practice (see Sandboxing for the Splunk CoE)

Best:

  • Everything achieved in Better
  • Defined attendance policy for Splunk events

ARCHITECTURE

Optimizations to your platform architecture that support performance and scale.

Good:

  • Deploy software using recommended system requirements
  • Set up a Splunk lab (see Lab environment for the Splunk CoE)

Better:

  • Everything achieved in Good
  • Make use of the Splunk Validated Architectures (see Splunk Validated Architectures)

Best:

  • Everything achieved in Better
  • Deploy a Universal Forwarder as part of the standard OS build (see The Universal Forwarder in the Splunk Forwarder Manual)

CONTINUITY PLANNING

Product features or other solutions that facilitate high availability or disaster recovery scenarios.

Good:

  • Set up data replication (see Data replication in the Splunk Managing Indexers and Clusters of Indexers manual)
  • Set up a backup policy
  • Set up system snapshots (see System snapshots) OR virtual migrations

Better:

  • Everything achieved in Good
  • Set up search head clustering (see About search head clustering in the Splunk Distributed Search manual)
  • Set up multi-site data replication (see Multisite indexer cluster deployment in the Managing Indexers and Clusters of Indexers manual)
  • Generate backups of configuration and user knowledge objects (see In depth: Configuration backups for the Splunk CoE)

Best:

  • Everything achieved in Better
  • Set up automated failover of the utility tier (see In depth: Disaster recovery for the utility tier)
  • Implement source control for configuration and user knowledge objects (see Configuration backups for the Splunk CoE)

SUPPORT AND INCIDENT MANAGEMENT

Procedures to track and mitigate issues with the Splunk deployment.

Good:

  • Email or vocal request

Better:

  • Implement a ticketing system (see the Request workflow for Splunk app on Splunkbase)

Best:

  • Everything achieved in Better
  • 24/7 live help desk
  • Splunk runbook

CAPACITY MANAGEMENT

Practices to stay informed about resource usage and stay ahead of demand on the Splunk platform.

Good:

  • Use the Splunk monitoring console (see Monitoring console in the Monitoring Splunk Enterprise manual)

Better:

  • Everything achieved in Good
  • Develop linear usage projection

Best:

  • Everything achieved in Better
  • Discuss anticipated needs with stakeholders (see In depth: Stakeholder register for the Splunk CoE)

This documentation applies to the following versions of Splunk® Center of Excellence: current

