Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Set up: Before We Can Play
Please download the following:
Download Splunk Enterprise: https://www.splunk.com/download
Download the tutorial data: http://splk.it/2ey34P8
Download the lookup file: http://splk.it/2fCgpXw
Download the Search Tutorial: http://splk.it/2ePSYKB
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.
Industry Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume (slide graphic): Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID; running On-Premises, in a Private Cloud, or in a Public Cloud.
Platform Support (Apps / API / SDKs); Enterprise Scalability; Universal Indexing; Answer Any Question.
Developer Platform; Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search.
Machine Data Contains Critical Insights
(slide graphic: excerpts from four sources with the fields that link them)
Sources: Order Processing, Twitter, Care IVR, Middleware Error
Linking fields: Order ID, Customer’s Tweet, Time Waiting On Hold, Product ID, Company’s Twitter ID, Customer ID, Twitter ID
Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume (the same data-source graphic as on the platform slide above)
Ask Any Question: Application Delivery; Security, Compliance and Fraud; IT Operations; Business Analytics; Industrial Data and the Internet of Things
Industry Leading Platform for Machine Data
Index Untapped Data: Any Source, Type, Volume; Ask Any Question (the same data sources and use cases as the previous slide)
Any amount, any location, any source: Schema-on-the-fly; Universal indexing; No back-end RDBMS; No need to filter data
Disruptive Approach to Unstructured Data
Traditional (RDBMS): structured data, SQL, schema at write, ETL
Splunk: unstructured data, search, schema at read, universal indexing
Volume, Velocity, Variety
Splunk & The Enterprise Data Fabric
(architecture graphic) Data in: Forwarder (Windows/*NIX), HTTP/s, Wire Data, Syslog, TCP/UDP -> Indexing Tier -> Search Head Cluster. Also queried from the Search Head Cluster: NoSQL, RDBMS. Splunk Archiving. Modular.
Platform for Operational Intelligence
The Splunk Portfolio: Rich Ecosystem of Apps & Add-Ons; Splunk Premium Solutions
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
Analytics Ecosystem
Users: Analysts, Business Users, IT Users
Interfaces: ODBC, SDK, API, DB Connect, Look-Ups
Capabilities: Ad Hoc Search; Monitor and Alert; Reports / Analyze; Custom Dashboards
Machine data sources: GPS / Cellular Devices, Networks, Hadoop, Servers, Applications, Online Shopping Carts, Clickstreams
Structured Data Sources: CRM, ERP, HR, Billing, Product, Finance, Data Warehouse
Splunk Value Proposition
FAST TIME TO VALUE / SELF-SERVICE ANALYTICS
Developer: Faster Development; No Upfront ETL; No schema required; Automatic field extraction; Extensible and open platform for integration
Data Scientist: Faster data preparation time; Built-in Machine Learning
End-User: Self-service analytics; No programming expertise required; Built-in querying and visualization; Fast Time to Value
Business: Lower TCO; Any Data Source, Anywhere; No data duplication
Thriving Splunk Community
dev.splunk.com
40,000+ Q & A – answers.splunk.com
1,200+ apps – www.splunkbase.com
usergroups.splunk.com
Set expectations: not a lecture
We have slides, but they’re to help keep us on target, a general roadmap. Here for you, to hold a dialogue, not rote dictation.
I will ask questions. I invite you to do the same. It’s a lot more fun and interesting if we are all active participants. I often find my customers have as many solutions as they have questions.
I invite, encourage, and thrive on questions. I am going to ask you questions, and I invite you to stop me and ask questions. Chances are, you won’t be the only one with that question.
Agreed?
NEXT: DISCLAIMER
NEXT: AGENDA
Q: Prior experience with Splunk
Q: What is Splunk?
NEXT: SPLUNK CORE MESSAGE
Splunk’s mission is to make YOUR machine data accessible, usable and valuable to everyone. It’s this overarching mission that drives our company and products that we deliver.
Q: What is Machine Data?
Machine data is generated from many places.
We may have questions we wish to ask of that data
This is what Splunk enables and empowers
NEXT: EXAMPLE
The purpose of this slide:
Teaching slide; teach or reinforce that there is value in machine data
Open their eyes that it is more than just system logs
Highlight the fact that this is a record of behavior; not just system behavior, but user behavior too
EITHER, open the customer’s eyes to the value beyond logs OR reiterate what they told you they already know about the value in their data
Introduce the value in correlating data across data sources
Relate back to something they said about their business
Possible lead-in:
To frame our discussion, let’s use this example of purchasing a product from your tablet or smartphone: the purchase transaction fails, you call the call center and then tweet about your experience. All these events are captured - as they occur - in the machine data.
Each of the underlying systems has the potential to generate millions of machine data events daily. Here we see small excerpts from just some of them.
When we look more closely at the data we see that it contains valuable information – right down to what was tweeted.
What’s important, is first of all, the ability to actually see across all these data sources, but then also to correlate related events and provide meaningful insight.
If you can correlate and visualize the data, you can build a picture of activity, behavior and experience. And what if you can do all of this in real-time? You can respond more quickly to events that matter.
This example ties into your scenario but you can also extrapolate this example to a wide range of use cases – security and fraud, transaction monitoring and analysis, web analytics, IT operations and so on.
NEXT: How to use the Qs
The purpose of this slide:
Summary slide:
Highlight Splunk as the platform for machine data; solving the problem of accessibility to data
Highlight Splunk as multi-use case, enterprise solution; solving the problem of making data available to everyone
Highlight the ability to customize the view of the data for the different users; one set of data, multiple lenses
Highlight the volumes of data Splunk can load
Discovery slide: (potential questions; don’t ask all, consider your discussion so far, where you want to go with the discussion and the time you have left)
Ask if there are any types of data here that surprise them; look for additional use cases they may not realize Splunk can help with
Ask if there are any types of data here that you are struggling with today? What are the challenges?
Ask if there are any types of data here today that they are analyzing and gaining value from well? How are you doing that? What about it makes it work?
Highlight differentiator: Universal machine data platform
Highlight differentiator: Real-time architecture
Possible lead-in:
Here we see some of the kinds of data Splunk can load;
Point to some they said they were looking at/having trouble looking at today; i.e. create familiarity
Ask if they see something here they wouldn’t expect to see as a data source for Splunk; looking to expand their thinking about Splunk
Ask if they see something here they would like to have in Splunk now that they see it here
Possible follow up script:
Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. All in real-time. The Splunk platform is designed to make it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. That is, once your data is loaded in Splunk, you can ask any question.
The insights gained from machine data support a number of use cases and can drive value across your organization.
NEXT: ANY ANY ANY
The purpose of this slide:
State value points of Splunk
Highlight that Splunk can handle any amount of data, from any source and any location; enforcing the universal machine data platform
Highlight that there is no need for a back-end RDBMS
Introduce schema-on-the-fly as a comparison to rigid, fragile data models in RDBMSs or other existing systems
Emphasize any of these points that you uncovered as challenges they experience today.
Highlight differentiator: schema-on-the-fly. Be sure to describe what this means and why they care. Just stating that we have schema-on-the-fly is not meaningful.
Pivot point:
IF accessing data is not a challenge for them today, you should cover the Splunk highlights concisely and move on.
IF they described getting access to machine data as one of their big challenges you might spend more time on this slide.
Possible lead-in:
You mentioned that getting access to the data is a challenge. Well, Splunk can solve this problem with these key features. Splunk has the ability to load any data, regardless of volume, type or location.
Splunk is able to do this because there’s no requirement to “understand” the data upfront – this is what we call “schema-on-the-fly”. What this means for you is that you don’t need to know about your data, or what questions you want to ask of the data, before you load it. You simply point Splunk at the data or send the data to Splunk. Splunk immediately starts collecting and indexing, so users can start searching and analyzing. No more armies of consultants, backend database or DBA to make it work. Once you’ve Splunked your data, it is time-stamped and easily searchable. Because we don’t have to do all the up-front work to be able to look at the data, we can load it all and make it all relevant. There’s no need to limit what you load and what you don’t.
NEXT: Splunk vs RDBMS
Traditionally, machine data was generated and part of the data would be stored in a specific, pre-defined way. This creates limits in the questions that can be asked of the data.
Splunk takes a disruptive approach by storing the data in its raw, original format, and creates a schema at the last possible moment: when the question is asked. Because of this, there are no limits to the questions that can be asked of the data. Speaking of no limits…
No limits on where you can collect it from
No limits on the formats of data
And no limits on scale
Customers are indexing hundreds of TB per day, searching across thousands of types of data all in different formats.
NEXT: Flow
Splunk Architecture (slide build, step by step)
0. Getting data into Splunk
1. Indexer role
2. Search Head role
3. While our vision may be to house our data in a centralized location, the reality is that it continues to exist in multiple silos and needs to be accessed and leveraged for immediate business decisions. Duplication and complication are almost always inevitable.
4. Users often need access to data from two or more silos. Splunk can provide a complete view into your data farm. So, what happens when Splunk needs to query one or more sources?
5. Users connect to the Search Head to query these sources.
6. The Search Head manages the process and dispatches the job to the respective stores:
7. Splunk
8. NoSQL
9. Hadoop and its ecosystem components
10. Your existing RDBMS
11. In seconds, you can generate reports and dashboards, alert and take action.
12. (Optional: where DB Connect lives and its functions.)
13. Splunk will also automatically move data over to your Enterprise Hadoop data hub for long-term archiving.
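The following is an added example, written for this page and not code from the deck or from Splunk, that models two ideas from the notes above: schema-on-the-fly (the "Splunk vs RDBMS" slide) and the search head dispatching a job to several indexers and merging the results (the architecture build). The access-log lines are constructed; the Indexer class, search_head function and regex extractions are simplified stand-ins for Splunk's real components and search-time field extraction, not its API.

```python
import re
from collections import Counter

# Constructed sample events in a common web-access-log shape (not the deck's tutorial data).
RAW_EVENTS = [
    '10.0.0.5 - - [12/Nov/2016:10:01:02] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2016:10:01:09] "POST /login HTTP/1.1" 401 88 "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2016:10:01:15] "POST /login HTTP/1.1" 401 88 "Mozilla/5.0"',
    '192.168.1.7 - - [12/Nov/2016:10:02:30] "GET /cart HTTP/1.1" 500 0 "curl/7.47"',
    '192.168.1.7 - - [12/Nov/2016:10:02:41] "GET /cart HTTP/1.1" 200 3021 "curl/7.47"',
    '172.16.4.9 - - [12/Nov/2016:10:03:00] "POST /login HTTP/1.1" 401 88 "python-requests/2.9"',
]

# Schema at write: an ETL step fixes the columns before anything is loaded.
WRITE_SCHEMA = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def etl_load(events):
    """Parse once and keep only clientip/time/uri/status. The method, byte count and
    user agent are discarded at load time, so no later query can ask about them."""
    return [m.groupdict() for m in map(WRITE_SCHEMA.match, events) if m]

def etl_answerable(rows, field):
    """Schema-at-write can only answer questions about columns that survived ETL."""
    return all(field in r for r in rows)

# Schema at read: indexers keep the raw line; fields are extracted per query.
# This pattern is a hypothetical stand-in for Splunk's search-time field extraction.
FULL_EXTRACT = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) "(?P<useragent>[^"]*)"'
)

class Indexer:
    """One node of the indexing tier: stores raw events untouched (toy model)."""
    def __init__(self, events):
        self.events = list(events)

    def search(self, keyword, extract, where=lambda f: True):
        """Keyword filter on the raw text, then on-the-fly field extraction and a
        field-level filter. Returns the extracted field dicts for matching events."""
        hits = []
        for line in self.events:
            if keyword in line:
                m = extract.search(line)
                if m and where(m.groupdict()):
                    hits.append(m.groupdict())
        return hits

def search_head(indexers, keyword, extract, group_by, where=lambda f: True):
    """Search head role: dispatch the same search to every indexer and merge the
    partial counts into one result (a map/reduce over the indexing tier)."""
    merged = Counter()
    for idx in indexers:
        merged.update(f[group_by] for f in idx.search(keyword, extract, where))
    return dict(merged)

def build_tier(events, n_indexers=2):
    """Forwarders would spread events over indexers; here a round-robin split of the sample."""
    return [Indexer(events[i::n_indexers]) for i in range(n_indexers)]

def failed_logins_by_client(indexers):
    """A question nobody planned for at load time: 401 responses on /login per client."""
    return search_head(indexers, "401", FULL_EXTRACT, "clientip",
                       where=lambda f: f["status"] == "401" and f["uri"] == "/login")

def requests_by_user_agent(indexers):
    """Answerable only because the raw event, user agent included, was kept."""
    return search_head(indexers, "HTTP", FULL_EXTRACT, "useragent")

if __name__ == "__main__":
    tier = build_tier(RAW_EVENTS)
    print("failed logins by client:", failed_logins_by_client(tier))
    print("requests by user agent:", requests_by_user_agent(tier))
    rows = etl_load(RAW_EVENTS)
    print("ETL table can answer user-agent questions?", etl_answerable(rows, "useragent"))
```

Running the block prints the per-client count of failed logins and the per-user-agent request counts from the raw events, then shows that the ETL-style table cannot answer the user-agent question at all, because that column was never defined at write time. That contrast is the "schema at read" point of the slide: the question is decided after the data has been loaded.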
GREAT! SO WHAT? What makes Splunk different?
NEXT: Splunk as a time machine.
Splunk is a time machine
It empowers real-time analytics and proactive alerting to help keep you grounded in the now
It handles historical data analysis – natively and/or in concert with 3rd party solutions to help you understand how you reached this point
It helps predict the future, based on what it’s learned of the past and present.
But it’s not in a vacuum.
NEXT: ECOSYSTEM
Purpose of this slide:
Highlight the Splunk platform
Opportunity to talk about forwarders if the topic of HOW to get data to Splunk has come up
Opportunity to revisit data sources if that topic has come up again or if you’ve learned something new
Highlight the deployment options of Splunk: Splunk Enterprise on premises, Splunk Cloud, hybrid model, Splunk Light if they are saying all they need is a log aggregator (otherwise don’t highlight)
Opportunity to discover if Hunk might be useful for them; open their eyes to the possibilities Hunk offers.
Highlight the community via apps and add-ons
Highlight differentiator: passionate and vibrant community (re: apps and add-ons)
Highlight developer opportunities if that has been a topic of discussion
Highlight the Splunk Premium solutions
Highlight that they are built on the platform
They are pre-built solutions for common business problems amongst the Splunk community
Things you should know and be prepared to discuss:
How the Splunk offerings are licensed (See Splunk Offerings module)
Possible follow up script:
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premises deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – allows smaller IT organizations to get started with Splunk – on premise or in the cloud
Hunk – for analytics on data in Hadoop
Apps and add-ons from Splunk and our community extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
And premium solutions from Splunk apply real-time intelligence and rich, domain-specific functions to manage your security posture, IT operations and more.
NEXT: ANALYTICS ECOSYSTEM
Maintaining good data citizenship
Splunk augments existing solutions and fills existing gaps.
Platform integration is a key ingredient of that vision.
NEXT: WHAT DOES IT DO FOR YOU
Where our customers see value
Splunk has an active community:
There is also an emerging ecosystem of new companies building apps on top of the Splunk Enterprise platform. These companies are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications.
How many of you have used Splunk Answers? Our technical support is consistently rated as industry leading and Splunk Answers has answers to thousands of questions. It’s the go-to place for your questions – and answers.
You can participate in meet-ups and User Groups or you can contribute to our forums. You can also attend local SplunkLive events to hear how your peers are using machine data.
Up next….
This presentation has some animations and content to help tell stories as you go. Feel free to change ANY of this to your own liking! I would definitely practice your flow once or twice before a presentation. There is A LOT of content to get through in 1 hour. The slides with search examples can be unhidden if needed.
Here is what you need for this presentation:
You should have the following installed:
PowerOfSPL App - https://splunkbase.splunk.com/app/3353/
Custom Cluster Map Visualization - https://splunkbase.splunk.com/app/3122/
Clustered Single Value Map Visualization - https://splunkbase.splunk.com/app/3124/
Geo Heatmap Custom Visualization - https://splunkbase.splunk.com/app/3217/
Timewrap Custom Command (NOTE this command is now included in CORE) - https://splunkbase.splunk.com/app/1645/
Haversine Custom Command - https://splunkbase.splunk.com/app/936/
Levenshtein Custom Command - https://splunkbase.splunk.com/app/1898/
Optional:
Splunk Search Reference Guide handouts
Mini buttercups or other prizes to give out for answering questions during the presentation
Shake! Demo can be used for interactivity on some of these search examples if you want… it definitely adds some flair to the presentation