Splunk® Success Framework

Splunk Success Framework Handbook

Operating framework best practices for a Splunk deployment

An operating framework provides structure for how you set up and manage your Splunk implementation.

Choose an operating model

You can organize your Splunk implementation in a number of ways, depending on how you want to manage your resources. This topic outlines three possible approaches: federated, centralized, and a hybrid of the two.

Federated model

With a federated model, teams operate their own independent Splunk deployments and projects. Program management provides best practice guidance and a forum for meetings to keep the teams coordinated. Each team manages its own deployment architecture and operations.

Each team can store its event data on its own separate indexers.

Federated model advantages
  • Teams can manage their infrastructure independently under a common set of standards
  • Scaling is more modular, and easier to plan and execute
  • Good for large organizations
  • Isolates "noisy neighbors"
  • Changes by one team have less risk of impacting other teams
  • Flexible infrastructure deployment options

Federated model challenges
  • Requires more coordination from the program manager
  • More complex to set up and manage
  • Managing deployment-wide search concurrency is more complex

Centralized model

A centralized model concentrates Splunk engineering (hardware and people) into a central team with a single Splunk deployment. A majority or the entirety of event data is stored on a common set of indexers, and users access a common search head or search head cluster.

Centralized model advantages
  • Good for small deployments
  • Data is easily accessible and shared
  • Faster to get started and simple to set up
  • Allows for quick growth
  • Easier to manage deployment-wide search concurrency
  • Requires the least hardware

Centralized model challenges
  • Requires effort to scale as more groups adopt Splunk and the number of use cases and users grows
  • "Noisy neighbors" can slow the system down

Hybrid model

A hybrid model is a mix of centralized and federated, where a critical mass of the Splunk activity is within a central team. Satellite deployments can exist outside of the central team. You can set up dedicated indexers and search head(s) for a use case or department, and those search heads may be able to search other deployments.

Hybrid model advantages
  • Less complex to manage
  • A centralized team can still manage smaller groups or business units
  • A centralized operations team can provide Splunk as a Service
  • Federated customer teams can meet scale demands

Hybrid model challenges
  • Requires coordination for federated resources
  • The operations team must be prepared to operate a large Splunk deployment
  • Requires the most hardware

Identify the program manager

It is important to identify someone who is responsible for fulfilling the program manager role: someone who has clear authority to manage operations for your entire Splunk implementation. The program manager performs one of the most crucial functions on your team.

Program managers fulfill the following responsibilities:

  • Drive decision-making
  • Manage inter-dependencies between Success Framework pillars
  • Ensure the Splunk implementation plan aligns with business objectives
  • Oversee Splunk success measurements
  • Take accountability for return on investment
  • Promote and facilitate program-wide communication
  • Support initiatives for knowledge sharing and collaboration
  • Ensure executive alignment

For more information, see Roles best practices.

Post a service catalog

If you are providing Splunk as a service, post a catalog of Splunk-related services and processes for your user community. A service catalog communicates to your community the services you offer and indicates how they can engage with your team. Post your service catalog in a space accessible to the whole community, such as your team wiki, community site, or internal web site.

Define service level objectives and agreements

Service level definitions include service-level objectives (SLOs), service-level agreements (SLAs), and case priorities. For more about creating service-level agreements, see Service-level best practices.


This documentation applies to the following versions of Splunk® Success Framework: ssf
