After attending a pair of confs, I wanted to start a thread of thoughts about "What should I do at my first Splunk .conf?"
I have a single question at the bottom. Feel free to add on and make suggestions.
Visit official Splunk booths
Outside of your scheduled sessions this should be your top priority when you get there. This is when you get to speak with the development teams behind current, new and upcoming Splunk modules and features. There are some neat non-NDA internal projects also worth seeing especially if you have a homelab and want to do some cool weekend projects.
My Experience: Last year my most memorable conversation was with the MLTK team when I asked them why UBA didn't leverage MLTK if MLTK was as awesome as the streets tell me. This year I spoke with someone from the UI team and we spoke about the color palette challenges they faced with the dark mode.
Visit Vendor booths
Many of them are MSPs or Splunk app makers. Because MSPs are trying to sell you a service they are more willing to share real-world processes and challenges that you can take back to your shop. You can also speak with app & appliance vendors about their TA. Your shop use syslog-ng? They are there. Your shop use Checkpoint? They are there. Etc.
Visit 'Ask The Experts' (get answers, you can)
This is your opportunity to sit with a Splunk expert and have them answer your questions. I've seen people break out laptops, but I always have my questions ready to go by the time I get there. Splunk Answers is where I ask 'How' questions. 'Ask the Experts' is the perfect opportunity to ask 'Why' questions in a face-to-face, Apple Store Genius Bar-ish setting.
Visit the 'Innovation Lab' (the only place you can't take photos)
Here is where you really get to see some AMAZING things Splunk is doing internally. They make you sign an NDA before you can enter, and because of that I can't get much more specific. What I can say is that I was beyond impressed by what I saw in there.
Sign up for BOTS or BOTN (gather three co-workers and find a cool team name)
These competitions take place just before .conf and will do two very important things for you:
1. Expose you to Splunk use cases with accompanying data sets. This data is VERY robust. The use cases go from really really easy, all the way up to REALLY hard.
2. Give you a FREE hands-on with Splunk's entire Enterprise offering (as of the time of this writing it is UBA, MLTK, ES & Phantom) all configured and all ready to get busy on the data set they provide for you.
3. There is a Splunk session dedicated to analyzing the data generated from the competition. The description made it sound really interesting and I didn't realize this until it was too late, my 3rd biggest miss of .conf.
The innovation lab had some things in there that I want my company to have a hand in testing. But because I didn't read the details of the NDA, I am uncertain if I can even ask my salesperson about the project I have in mind. How can I get in contact with a specific team from the innovation lab?