.

Splunk .Conf 2015 FTW!!!

A couple of weeks ago, I was lucky enough to attend Splunk .Conf 2015, Splunk’s 6th Annual User’s Conference in Las Vegas.

Bye_Bye_Vegas

Vegas … Home of Casinos, partying and….ninjas!!

I had an awesome time, met a lot of great people and picked up some new Splunk Jedi mind tricks from some of the best Splunkers on the planet.

 

The Product Announcements

I’ve been a user of Splunk since 2007 and have accompanied the product on its journey from log aggregation tool and datacenter search engine to a fully fledged analytics platform for machine data. I still remember my mind being blown back when Splunk 4 was launched and it introduced visualisation capability. Back then, my resonating thought was “This changes everything”.

At .Conf this year, I experienced the same feeling. With the release of Splunk Enterprise 6.3, Enterprise Security 4.0, and the formal launch of IT Service Intelligence and User Behaviour Analytics, Splunk is set to further disrupt the IT Ops Monitoring and Security space.

Splunk Enterprise 6.3

Splunk Enterprise 6.3 is a developer’s and data geek’s treasure trove.

HTTP Event Collector – Splunk’s new high-volume JSON-based HTTP endpoint allows the sending of events from applications directly to Splunk – no Forwarder required. This lends flexibility to developers in deciding how they are going to get events in Splunk. It also allows events to be sent directly from smart phones, tablets and IoT devices. Oh, the possibilities! Out of the box, Splunk provides libraries for java and .NET applications. There are also integrations with AWS Lambda, Docker, and IoT vendors including Xively and Octoblu.
Visualisations – Single Value visualisations have been enhanced so they can show at-a-glance trending and status changes. The new choropleth visualisation provides the ability to represent metrics across different geographic regions. Plus you can define your own custom polygons, so you can define your own geographic regions for the purposes of visualisation or creating geofences – your imagination is the limit. The choropleth visualisation and geo lookup has really added firepower to Splunk’s geospatial capability.
Simple XML – The biggest change here is the ability to use an eval function within the Simple XML dashboard framework. Just like the eval function in SPL can allow the execution of some pretty amazing logic, the use of eval in Simple XML is going to be a powerful tool to use in modelling and defining complex interactions for dashboards.
Capacity Optimisations – Search and index parallelisation as well as intelligent job scheduling means better system utilisation.

Splunk IT Service Intelligence (ITSI)

ITSI is Splunk’s next generation monitoring and analytics solution and its kind of a big deal. A very big deal. Its biggest stand out is its ability to visualise complex service topologies or business processes using the breath-taking Glass Table visualisation interface. Underpinning this are robust KPI definition capabilities and machine learning to help highlight anomalies. I’m really looking forward to rolling this out in the coming months.

Splunk Enterprise Security 4.0

Splunk’s flagship security product has received a name change, changing from Splunk App For Enterprise Security, to Splunk Enterprise Security 4.0. I think the most exciting changes are to do with the addition of analysis tool, specifically the introduction of Investigator Journal and Investigator Timeline.
Investigator Journal – This allows a security analyst to systematically record and keep track of ad hoc searches and activities to streamline analysis.
Investigator Timeline – This allows members within a security team to place events, action and notes into a timeline to better understand and communicate information about breaches and incidents.

It would be great if some of this investigation capability filtered down into Splunk Enterprise or across into ITSI to help with tracking IT Ops issue investigation activities.

 

The Rest

The last .Conf I attended was the very first one back in 2010 and I must say its changed a lot. From a few hundred back then to over 4000 at .Conf 2015, Splunk has certainly come a long way.

One of the things that has always stood out for me is the passionate and dedicated community that has developed around the Splunk platform. There are never a shortage of people who are willing to give up their free time to advocate Splunk and to help out fellow Splunkers in their hour of need, and it was great to meet some of these people face-to-face.

Not only have the number of delegates grown, but also the vendor and partner ecosystem – I had the opportunity to visit the showroom floor and talk to a whole bunch of hardware, software and services vendors who have partnered with Splunk.

The breakout sessions were impressive – there were some interesting talks given around architecture, performance, development practices and use cases, delivered by battle hardened Splunkers as well as customers willing to share their experiences.

In addition to the standard conference stuff, there was also the Splunk Community Theater, a great forum where scheduled and impromptu sessions were held on a variety of different topics around Splunk and the wider Splunk Community.

This year Splunk held their first ever SPLing Bee, where delegates were able to able to pit their SPL skills against each other. I ended up nabbing third spot. I look forward to stepping up at future SPLing Bees!

 

In Conclusion

All-in-all a great week. It was a great opportunity to meet with fellow Splunkers and level up my Splunk skills. I can’t wait to dive into Splunk’s new features and implementing them for our customers.