About MeAbout Me

Linux System AdministratorLinux System Administrator

Husband and Father of 2 KidsHusband and Father of 2 Kids

DevOps, Productivity Hacks and DevOps, Productivity Hacks and Tools, The Big LebowskiTools, The Big Lebowski

Growing SplunkGrowing SplunkTyler Rutschman - Garmin InternationalTyler Rutschman - Garmin International

OH: (during an outage)OH: (during an outage)I don’t want to live in a I don’t want to live in a world without Splunk.world without Splunk.

BackstoryBackstory

Free instance installed in 2009Free instance installed in 2009

Single Instance on Central Log Single Instance on Central Log serverserver

Upgrade to EnterpriseUpgrade to Enterprise

Level 2Level 2

Split Splunk onto dedicated Split Splunk onto dedicated instanceinstance

License overwhelmed by Garmin License overwhelmed by Garmin ConnectConnect

Limited visibility and useLimited visibility and use

IF YOU HAVE MORE INPUTS THAN IF YOU HAVE MORE INPUTS THAN LICENSELICENSE

YOU’RE GONNA HAVE A BAD TIMEYOU’RE GONNA HAVE A BAD TIME

Super Cool Ski InstructorSuper Cool Ski Instructor

Plan for ExpansionPlan for Expansion

Decided to make application more Decided to make application more robustrobust

Read the DocumentationRead the Documentation

.conf 2011.conf 2011

Enterprise ArchitectureEnterprise ArchitectureOutlineOutline

Puppet DeploymentPuppet Deployment

Infrastructure LayoutInfrastructure Layout

GotchasGotchas

Future PlansFuture Plans

PuppetPuppet

Search, Indexer and Forwarder are Search, Indexer and Forwarder are “turn-key”“turn-key”

ex: include splunk::indexer ...doneex: include splunk::indexer ...done

Really Awesome for ForwardersReally Awesome for Forwarders

Why not use Splunk Deployment Why not use Splunk Deployment Manager?Manager?

InfrastructureInfrastructure

How We Use SplunkHow We Use Splunk

Web Access LogsWeb Access Logs

Internal Application AuditsInternal Application Audits

Windows Security EventsWindows Security Events

Why I Like SplunkWhy I Like Splunk

Makes Users HappyMakes Users Happy

Real Time DataReal Time Data

No AlternativesNo Alternatives

GotchasGotchas

Don’t Index a lot of data over NFSDon’t Index a lot of data over NFS

Shared Knowledge Bundle Time Shared Knowledge Bundle Time SyncSync

Tag and Search permissionsTag and Search permissions

Future PlansFuture Plans

Scale Central System LoggingScale Central System Logging

More Splunk from a User/Developer More Splunk from a User/Developer POVPOV

Additional InputsAdditional Inputs

TrainingTraining

Tips and AdviceTips and Advice

WMI Event Filter for Windows WMI Event Filter for Windows Events - Events - http://t.co/gexrFnrc

Splunkbase AnswersSplunkbase Answers

Questions & FeedbackQuestions & Feedback