Dragons and Splunk Do Not Do Well In Captivity

Tame Splunk Dragons Before Winter Comes

Kyle Prins & Keith Quebodeaux | DellEMC Splunk Ninjas

September 2017 | Washington, DC

Upload: vuonghanh

Post on 28-Oct-2018



During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

Forward-Looking Statements

▶ Kyle Prins

• Dell EMC Consulting Architect

• Splunk Certified Architect

• @KylePrins

▶ Keith Quebodeaux

• Dell EMC Principal Architect

• @Queboduck

“Splunk grows and now our watch begins…we are the Splunkers in the darkness, the watchers on the walls…”

Who Are We?

Dell EMC Splunk Ninjas

Watchers on the Wall

▶ The Egg - Initial Splunk adoption is easy

▶ Use cases and user constituencies expand quickly

▶ Demand for daily ingest rate increases rapidly

▶ Performance must not suffer from scale

▶ Availability and reliability are must-haves

▶ Epic - Splunk is now a business critical application

Splunk and Dragons

From Egg to Epic

▶ Captivity - Stranded or static investments in capacity

• Limits ability to achieve greater scale

• POC to Production

• Expansion of Production Ingest

• Adoption of new advanced applications or toolkits

▶ Unchained - Big data infrastructure must ultimately align to enterprise strategy

Dragons do not do well in captivity. It is what we do…We Splunk and we know things.

Splunk and Dragons

Splunk and Dragons do NOT do Well in Captivity

▶ Elasticity

• Pooled capacity and resources

• Ability to dynamically consume resources

▶ Scalability

• Ease of expansion

• Reduced infrastructure interdependencies

• Separate Storage From Compute

▶ Appropriate Sizing and Best Practices

• Splunk Sizing Guide

• Splunk virtualization best practices

• Consider growth at the outset

The Three Heads of the Dragon

Avoiding being stunted in the Dragon Pit

▶ Embrace Virtualization

• Virtualization of Compute

• Software Defined Storage

• Alignment to enterprise tools and management

▶ Adopt Nodal-based Architecture

• Scale-out architecture for a scale-out application

• Uniform, incremental and linear to scale

  • Cost

  • Performance

▶ Size Appropriately

• 16-24 CPU Minimum Indexer and Search Head

• Think Splunk ES

• Reserve and do not overcommit

• Leverage Splunk certified SMEs

Feeding the Three Heads of the Dragon

Sheep, Goats, and Rams…Well Done

Other People’s Dragons

Real World Customers Growing and Raising Their Splunk Dragons

▶ Splunk became a mission critical app

▶ Ingest requirements grew rapidly

▶ Infrastructure had to be able to respond to changes

Incrementally Unlocking the Dragon

Customer Evolving from Monolith to DAS to SDS to HCI

▶ Splunk Infrastructure Evolving

• Initial - Scale-Up Storage + Compute

  • Monolithic

  • High Cost

• DAS

  • Node-based

  • Stranded capacity

• DAS + Software Defined Storage

  • Node-based

  • Pooled storage capacity

• Objective - Splunk Ready Solution

  • Engineered HCI

  • Validated for Splunk

Solution Data

▶ Variance in Ingest Scope

• 2-6TB/Day Ingest

▶ Considering Splunk Hadoop Data Roll for Archive

Constraints and Considerations

▶ Enterprise Security Use Case

▶ User Behavior Analytics (UBA) under consideration

▶ Ambiguous requirements for other roles

• Syslog

• Heavy Forwarders

Free Ranging the Dragon

Customer Starting with HCI as the De Facto Splunk Platform

Ready Solution for Splunk - VxRail

VMware HCI Splunk Validated Solution

▶ VMware standardized customer

▶ Splunk Targets

• Indexers - 24 vCPU 64GB vRAM

• Search Heads - 24 vCPU 64GB vRAM

• Other Splunk Roles – Elastic Capacity

  • Heavy Forwarders

  • Syslog

  • Resource Servers

[Diagram legend: Indexer or Search Head VM; Heavy Fwd, Syslog, Splunk Resource Server, or Other VM; Available Unallocated VMware Resources. Diagram labels: VMw, IDX/SH/SQL, HVYFWD/SYSLOG/RS/Other]

▶ Nodal Architecture

• 23 Host Nodes

• 2 HA Nodes

▶ Virtualized Elastic Resources

• 20 Splunk Indexers

• 3 Splunk Search Heads

• 16 Other Splunk Roles

• Flexible additional available resources

Phase 1: the Adolescent Dragon

2TB/Day with Splunk Enterprise Security

▶ Linear Scalability

▶ Increase to 48 Nodes

• 45 Host Nodes

• 3 HA Nodes

▶ Additive Elastic Resources

• 40 Splunk Indexers

• 21 Other Splunk Roles

• Additional resources added to the pool

• Linear performance and capacity gains

Phase 2: Epic Dragon

4TB/Day with Splunk Enterprise Security

Ready Systems for Splunk

Free Ranging Your Splunk Dragon with Reduced Complexity, Greater Simplicity, and Faster Time to Insight

Dell EMC Ready Systems for Splunk

Reducing Complexity with Splunk Validated Solutions

VxRail Ready System for Splunk

Start small scale out solution to optimize collection, processing and analyzing of machine data

VxRail All Flash Appliance E-460F

Splunk™ Enterprise 6.5 software

Splunk™ Universal Forwarder 6.5 software

Isilon X410

Fully integrated VMware HCI Solution

Flash

- Jointly validated solution

- Scale-out node-based architecture

- Clustered and Distributed Deployment Options

VxRack Ready System for Splunk

Scale out solution to optimize collection, processing and analyzing of machine data

Splunk™ Enterprise 6.5 software

Splunk™ Universal Forwarder 6.5 software

Isilon X410

VxRack Flex 1000

PowerEdge R630 High-Density Flash: Dense SSD-High Capacity

- Jointly validated solution

- Scale-out node-based architecture

- Clustered and Distributed Deployment Options

- Integrated Network Fabric

Deployment options for VMware, bare metal OS, KVM, and Hyper-V

▶ Dell EMC Booth

▶ Dell EMC Splunk Ninjas

• Global

• Splunk certified

• Dell EMC portfolio experts

▶ Splunk Partner Site

▶ Dell EMC Apps on Splunkbase

▶ BigDataBeard.com

“Splunk grows and now our watch begins…we are the Splunkers in the darkness, the watchers on the walls…”

Resources

DellEMC Splunk Ninjas

Q&A

Kyle Prins | DellEMC Consulting Architect, Splunk Ninja

Keith Quebodeaux | DellEMC Principal Architect, Splunk Ninja
