rss.livelink.thread@place:occasion

Awesome Admins: Running a Healthy Splunk Platform Environment - 12/12/24

adepp — Wed, 15 Jan 2025 21:32:45 GMT

Register here. Ask the experts at Community Office Hours! An ongoing series where technical Splunk experts answer questions and provide how-to guidance on various Splunk product and use case topics.

This thread is for the Community Office Hours session on Awesome Admins: Running a Healthy Splunk Platform Environment on Thurs, Dec 12, 2024 at 1pm PT / 4pm ET.

What can I ask in this AMA?

What should I be looking at as a Splunk Cloud or Splunk Enterprise Admin, and why?
What are some best practices for using workload management?
How can I set up a scalable architecture?
What are some best practices for monitoring system health with the Cloud Monitoring Console?
What are some tips for managing and balancing disaster recovery?
Any best practices for managing large numbers of users?
Which admin tasks should I be streamlining with ACS?
Anything else you'd like to learn!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!

Re: Awesome Admins: Running a Healthy Splunk Platform Environment

jason2 — Thu, 12 Dec 2024 21:00:43 GMT

Zoom link?

Re: Awesome Admins: Running a Healthy Splunk Platform Environment

MeWoW — Sun, 15 Dec 2024 10:18:57 GMT

Hello Splunk community,

I unfortunately missed the session. Is there a recording available? I’m really interested and would love to catch up on it.

Thanks in advance.

Re: Awesome Admins: Running a Healthy Splunk Platform Environment

adepp — Mon, 16 Dec 2024 19:42:58 GMT

Hi @MeWoW! If you registered for the session you should have received a recap email from me with the link. You can also get the full Q&A deck and live recording in the #office-hours Slack channel (request access here). Thanks 🙂

Re: Awesome Admins: Running a Healthy Splunk Platform Environment

adepp — Mon, 16 Dec 2024 19:48:20 GMT

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):

Q1: Which admin tasks should I be streamlining with ACS?

Index Management
Access Management
Limits Management
App Management
Managing HEC tokens
Adding IP AllowListing to the infrastructure
Additional Resources:

Q2: What's the best way to make changes to apps' local directories on search head clusters, since these can't be pushed from the deployer?

Use local_only Push Mode designed specifically for modifying existing apps
Perfect for updating built-in apps like the Search app
Member's existing configurations are preserved during merge
Docs: Deployer push mode: local_only

Q3: What are some good resources for capacity planning? (Splunk Enterprise)

ODS (On Demand Services) - they are a team in Splunk who can assist with some capacity planning tasks.

Q4: Is there any way to limit SVC usage by role, apps, index?

Only way is to control the searches happening in the environment. The SVC usage dashboard data is delayed and Splunk does not reveal how this is calculated.

Other Questions/Topics (check the #office-hours Slack channel for responses):

What should I be looking at as a Splunk Cloud or Splunk Enterprise Admin, and why?
What are your favorite best practices for running a healthy Splunk Platform environment?
What are the best practices for avoiding and resolving bucket issues? Can we manually schedule bucket rebuild to increase search performance?
What are best practices for implementing and using Splunk Security Essentials?
How to best get logs from a Kubernetes cluster?
Advanced admin/architect topics
Any approaches to use workload management if your OS only supports cgroups v2 anymore?
How to size a splunk environment when you know what to expect (outside of ingest volume).
How often do you check the DMC for the health of the environment? Do you just set up alerts for various thresholds?
Is there a way to know if someone is using an index for searching. Reason I am asking is sometimes over the course of time we have data coming in but no one is using them. So these would be good candidates for removing the source for ingestion. I am also looking to see macros being covered
Is there any app similar to cmc that we can use for splunk enterprise in search head instead of accessing monitor console in cluster manager?
Is there a way to share dashboard for anonymous users, sometimes the data for example is good for inventory and not confidential. I wonder if you had this kind of use cases before?