Splunk Enterprise Security

Splunk sizing and timing

charlesukah22
Explorer

I am developing a monthly report/dashboard for a client and would like to ask the client a lot of none technical questions about their requirement in other to develop this report. I specifically need to ask them some “sizing and timing questions. For example:
How often does the data change (continuous, daily, hourly, weekly etc)
How many concurrent users may need to run this report?
Guys I would appreciate if you can give me more sizing and timing questions that I can ask the client.
Cheers
Note: The nature of my clients business is all about security control of their system’s data and company’s information. They want to have a monthly report via dashboards that will show trends in their data. For example (identify people who have access to their data, who don’t have such access, how many failed logins etc…
They want to compare their previous month’s report with the current month report and see any changes in the activities

0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

charlesukah22
Explorer

Yes it is. Just need those sizing and timing questions only

0 Karma

nickhills
Ultra Champion

If you build the reports properly using saved searches+ loadjob, summary indexing and/or report acceleration for dashboards, the number of concurrent report viewers is more or less inconsequential.
Even more-so, if you are going to be delivering report by email.

With the above point made, the frequency that you run your saved searches is purely driven by how recently your users expect the data to be.
I would almost caution against asking this question - the answer you will get is alway "now - accurate to the last second" - Human beings are like that!

Your job is to propose to the customer a sensible reporting framework, and that depends on what you determine to be the most appropriate trade-off between recency and load.

It is difficult for community members to comment on what you should use as the choice may depend on your available capacity and volume of data.
If your deployment is large (over speced), and underused, by all means run your searches every minute, but normally Splunk admins will be making decisions based on the value (importance *) of that report, the true usefulness * of recent data and balancing that with the needs of other users on the system who are sharing the available resources.

Ask yourself this: If one of your metrics reports a value in the region 24k events a day, is the difference of 16 events a minute worth representing in the report? - Maybe you would consider updating it after 15 minutes which would at least represent an increase of 0.25k, perhaps hourly, or daily is more useful?

On the other hand, if you are representing a running total of daily revenue generated by a contact centre, maybe shorter report updates are more appropriate.

The questions I tend to ask clients are:
- What do you want to see on it?
- How do you want it presented (tables, charts. values etc)?

Then you need to understand if this is something that a user will look at once a day, or if its going to be on a screen on the wall being looked at many times a day

The rest of the decisions * about how the report is built or runs should be down to the team that runs Splunk.

As the admin of a Splunk deployment you often find that over time, you understand the value of the data in Splunk more than the business does - This is one of the great things about working on a Splunk deployment - you are often better placed to tell the business things they didn't even know they could ask.

* With relevant informed interpretations of the business use case

If my comment helps, please give it a thumbs up!
0 Karma

charlesukah22
Explorer

Great respond to the question. Thanks a million

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!