This document discusses Splunk's analytics capabilities and how to develop analytics for business users. It introduces personas as user types in a Splunk deployment beyond core IT. Requirements should be gathered for each persona, including their business problem, relevant data sources, and how they prefer to consume results. Searches and data models can then be developed and delivered through dashboards, visualizations, or third-party tools. Advanced analytics techniques discussed include anomaly detection, data visualization, predictive analytics, and demos. The document encourages reaching out for help from Splunk technical teams to grow analytics beyond IT.

1. Copyright © 2014 Splunk Inc.
Advanced Analytics
Pete Sicilia
Chief of Staff, Analytics Markets
Dr. Tom LaGatta
Senior Data Scientist / Analytics Specialist

2. Analytics at Splunk
• Analytics can be anywhere
– It’s not a separate department
• High value use cases
• Solve critical business problems
• Persona-based approach
• Enterprise-wide user adoption
• Continuous Business Insights
• Drive decision making

3. Copyright © 2014 Splunk Inc.
Analytics and Operational Visibility
• Mine data to derive actionable insights and drive decision making
• Data Extraction, Mapping, Exploration and Analysis
• Unify machine + structured data to create 360 view of business
entities (customers, orders, transactions, etc).
• Enable Storytelling with Data
• Cross Organizational Silos
3

4. Copyright © 2014 Splunk Inc.
Analytics Ecosystem
4

5. Copyright © 2014 Splunk Inc.
Splunk Features for Advanced Analytics
Acceleration delivers fast analyticsAnalytics
Store
Lets non-technical users drag and drop to
construct charts, graphs and dashboards
Data Models add structure and meaning to
unstructured machine data
Data
Model
Pivot

6. Copyright © 2014 Splunk Inc.
Connectors to External Tools and Systems
Enables connections to external tools like Excel,
Tableau and other visualizations
Pull data from structured data sources like
RDBMS systems and APIs like SFDC
ODBC
Driver
DB
Connect

7. Successful Analytics
Projects

8. Intro to Personas
• Persona is a concept we use to define various user types in a Splunk
deployment.
• This is different than a Splunk role.
• Core IT personas (e.g. SysAdmins, Developers and Splunk Admins)
keep systems running, fix them when they break and plan for
capacity
• As your Splunk deployment grows out of Core IT…
Each business unit has their own set of personas
They have unique problems to solve and their preferred ways to interact with
or consume data

9. Building Data Science & Analytics Teams
There is no “one size fits all” data scientist. Data Science &Analytics teams
are made up of people with complementary skill sets.
Source: Schutt & O’Neil. Doing Data Science. 2013

10. Copyright © 2014 Splunk Inc.
Personas Requirements
As you encounter personas make sure you spend time collecting
their search and reporting and data requirements, but also pay
attention to the bigger picture.
• Gather Requirements (What is their Business Problem?)
• Get Relevant Data (Is the data they need in Splunk? What
other data helps answer their questions?)
• Build Searches/Datamodels
• Consume Results (Dashboards, visualization, 3rd party tools)

11. Developing for Business: Gather Requirements
• What is the question I’m trying to answer?
– What is their Business Problem?
– What department are we dealing with?
– Where do they fit in the organization?
– Who is the end user primary contact?
– Do they have a (trained) power user?
– Engagement/support model
 Self-service?
 Full change control/Formal requests?
 2 hour power session?

12. Developing for the Business: Get relevant data
• Where is the data that will help me answer the question?
• What are the relevant fields and what is the best way to
retrieve them?
• What data sources drive those constructs?
• Is the primary data in Splunk?
• Can I enrich Splunk data sources with external data feeds and
provide mash-ups?
• Should I be replacing legacy SQL queries with DBConnect?
• Should I index DBConnect data or just use it as a lookup?

13. Copyright © 2014 Splunk Inc.
Developing for Business: Searches/Datamodels
• What is the sequence of operations that convert my data into
the answer for my question?
• What Searches can they use to solve those problems?
• How do I constrain and audit user data access?
• How do I construct my search, build my datamodel, port my
SQL?
• Do I know where to get help?
– Splunk has Docs, Education, Support, IRC and Answers

14. Copyright © 2014 Splunk Inc.
Developing for Business: Consuming results
• Persona-relevant landing Dashboard
• Limit access to what they need to get the job done
– Time picker default timerange and limited options
– Form search
– Open in search vs open in pivot?
• Who will build and maintain the dashboards/datamodels?
• How do I construct my search, build my dashboards?
• How do they prefer to consume the results? Splunk? PDF? 3rd
Party Tool?
– Are we using the ODBC driver the right way?
– Returning search results vs exporting all data
• Who else would like access to these results? CIO? E-staff?

15. Advanced Analytics
With Splunk
(use cases and techniques)

16. Anomaly Detection & Clustering
•Anomaly Detection is one of Splunk’s most common use cases:
– Faster-than-humantransactions
– Intrusion & insider threat detection
– High-value customer purchase patterns
•Lots of solutions forAnomaly Detection:
– Clustering: cluster,kmeans,Event Patternstab
– AD: anomalies,anomalousvalue,outliers
– Alert on rate of statisticaloutliers (eg 5% → 15% triggers alert)
– Advanced threat detection (Enterprise Security)
•Integrate high-risk anomalies into incident review

17. Data Visualization
Data Viz:The creation and study of the visual representation of data.
•After processing, all data must be consumed:
– Machines can consume any kind of data
– People must visualize or listen to the data
•Splunk helps deliver actionable insights:
– Out-of-the-boxcharts & tables
– Easy-to-customizeD3 visualizations
– Drilldown & form inputs enable interactivity
Source: Satoshi’s Custom Visualizations app
https://splunkbase.splunk.com/app/2717/

18. Custom Viz: Sankey Chart
•Sankey charts illustrate flows through multiple stages
– You choose nodes & edges
•Lots of use cases:
– Customer paths through website
– Order tracking through system
– Any type of process flows
•Drilldown to go further:
– Why do these flows yield purchases?
– Which edges have high traffic?
– Where are the bottlenecks?
Nodes = stations. Edges = routes
Citibike data from:
http://www.citibikenyc.com/system-data

19. PredictiveAnalytics
Use predict to forecast time series into the future.
•Implements a Kalman filter
to identify seasonal trends.
– Best fit line & uncertainty envelope
•Lots of applications:
– Forecast revenue & other KPIs
– Estimate MTTR & server outages
– Dynamic baselining
– Capacity planning (AWSApp)
– Security threats (Enterprise Security)
•Remember: the future is always uncertain…

20. Demo

21. Growing beyond IT: Call to action!
• CIO and CDO care about Actionable Insights
• Build some Executive dashboards
• Crossing silos can be tricky
• Organization, communication,
documentation help immensely!

22. Next Steps
•Reach out to your localtechnical team!
– Your local Sales Engineers are happy to help
– Analytics SMEs are available for advanced use
cases
– Analytics Specialist team is available for
escalations
•We’ve got you covered. We’re here to help!

23. Thank You