Operating framework best practices for a Splunk deployment
An operating framework provides structure for how you set up and manage your Splunk implementation.
Choose an operating model
You can organize your Splunk implementation in a number of ways, depending on how you want to manage your resources. This topic outlines three possible approaches: centralized, federated, and a hybrid of both.
With a federated model, teams operate their own independent Splunk deployments and projects. Program management provides best practice guidance and a forum for meetings to keep them coordinated. Each team can manage its own deployment architecture and operations.
You can store event data on separate indexers.
|Federated model advantages||Challenges|
A centralized model concentrates Splunk engineering (hardware and people) into a central team with a single Splunk deployment. A majority or the entirety of event data is stored on a common set of indexers, and users access a common search head or search head cluster.
|Centralized model advantages||Challenges|
A hybrid model is a mix of both centralized and federated, where a critical mass of the Splunk activity is within a central team. Satellite deployments can exist outside of the central team. You can set up dedicated indexers and search head(s) for a use case or department, and the search heads may have the ability to search other deployments.
|Hybrid model advantages||Challenges|
Identify the program manager
It is important to identify someone who is responsible for fulfilling the program manager role and who has clear authority to manage operations for your entire Splunk implementation. The program manager role performs one of the most crucial functions on your team.
Program managers fulfill the following responsibilities:
- Drive decision-making
- Manage inter-dependencies between Success Framework pillars
- Ensure the Splunk implementation plan aligns with business objectives
- Oversee Splunk success measurements
- Be accountable for return on investment
- Promote and facilitate program-wide communication
- Support initiatives for knowledge sharing and collaboration
- Ensure executive alignment
For more information, see Roles best practices.
Post a service catalog
If you are providing Splunk as a service, you can post a catalog of Splunk-related services and processes for your user community. A service catalog communicates to your community the services you offer, and indicates how they can engage with your team. Post your service catalog in a publicly accessible space, such as your team wiki, community, or internal web site.
Define service level objectives and agreements
Service level definitions include service-level objectives (SLOs), service-level agreements (SLAs), and case priorities. For more about creating service-level agreements, see Service-level best practices.
This documentation applies to the following versions of Splunk® Success Framework: ssf