2. About ClickBank
• Top 100 online retailer with 200 million customers
• Sells digital products worldwide created by entrepreneurs
• Delivers digital lifestyle products to customers in 190 countries.
3. About Me
• Patrick AncilloI – Director of Infrastructure and Information Technology
• Responsible for all technical services for operations across the organization
• Splunk user from previous roles at other companies
4. Before Splunk: Log Fatigue
• Terabytes of logs we couldn’t gain insight from
• Manual process: SSH + GREP, remote syslog, duct-tape.
• Difficulty communicating info to non-technical users
• Trying to get info from logs was a large resource drain
“Life before Splunk was basically tons of logs, tons of info we just couldn’t do anything with.”
6. Choosing Splunk
• Considered both Splunk and ELK
• Chose Splunk because:
– Lower “honest” maintenance costs
– Faster time to value – more out-of-the-box
– Existing Splunk skills on the team
7. Splunk at ClickBank
• Using Splunk for YEARS, but in a tiny capacity (minimal for PCI)
• Deployed major installation (all new!) in November 2014 (Super fast time to online… weeks, not months)
• Then, everyone started using it… for everything!
8. With Splunk
• Saving Man Hours – ~1.5 engineers
• Lower mean-time-to-resolution MTTR for teams far and wide
• Able to get data to teams around the company in an easily understandable format
“I no longer have to give any developers access to production. They just log in to Splunk and they’re able to pull searches.”
9. Insights into Customer Behavior
• Understand product usage (Product, and Development)
• Real-time exploration of customer behavior (even while on the phone with a customer!)
• Insights have led to product changes, and visibility.
“The whole business is using Splunk to learn customer behavior which we really didn’t have a way to do before.”
10. Splunk for DevOps
• Monitoring deployments, systems, and site reliability!
• Logs delivered from Dev/QA/etc… as well as Production
11. Splunk for Security & Compliance
• Currently going through our PCI audit… oh my!
• All daily, monthly and quarterly PCI reports delivered into JIRA for activity/audit reports
• Crazy user behavior is visible now!
12. Splunk for Dev/QA
• Dev can now add logs, and have them appear in Splunk from Production!
• QA can look at logs in Dev/QA, and troubleshoot earlier!
13. When we knew it’d infected us…
• That moment when the Product VP says ‘is splunk down?’, and he’s the first person in an office full of users to notice!
14. How we did it?
• Give everyone Splunk Access! (Even if they don’t need it!)
– Point people to self-learning resources
– Share best practices
– Examples, and docs!
• Evangelize, evangelize, evangelize
You’ve probably never heard of us. I hadn’t until I started there, and it’s surprising the places that we pop up.
Innovation-a-thons, snacks, 15 year old startup
Super technical team(s)
History in hosting, managed services, first non-hosting/MS gig.
Been at ClickBank about a year
Splunk user in the past
People would ask ‘can you get me ‘x’ log’
Engineers would sit with other members of staff for hours getting logs turned into formats that were usable
You don’t need to be a genius to work out that it could be better?
ELK was winning because it was free, and we’ve got a big OpenSource community at the office
We had an honest review of how much it would cost in people time, as well as financial cost to deploy each
Losing people time was more important than the cost to deploy (more engineers back to focusing on their jobs, and not logs, means more getting done!)
We used it for PCI in a tiny way
Deployed significantly larger installation, and online(d) in weeks, value was immediate
There’s not a day that goes by that I don’t hear at least 10 times ‘splunk this, or splunk that’
We gave everyone access, and as such, everyone can just look it up themselves
Our VP of product has become sort of the Splunk Sherlock Holmes, and comes up with crazy user behavior, not bad, just nothing we would’ve expected
Why would someone from Turkmenistan be buying a book on pigeon feeding?
He’s also looking up customer behaviors while working with them on the phone, live!
When we identify bad behavior, we create reports that automatically report them
DevOps can now monitor logs from all servers and use searches and dashboards to ensure that releases go smoothly
Logs in QA/Dev/Production are all in the same instance, so we can easily compare searches between dev/production (they’re stored differently)
We release our legacy applications 1-2 times a week (if not more), you can imagine how much this helps?
All our PCI stuff is centered around splunk
Splunk is connected to JIRA, and is used to create reports, and daily functionality (security engineers just have to review jiras)
Constant searches for sensitive information, immediately notifies us of bad juju
Dev can now create logs in dev, add things to help them triage, and have them appear within the next release
Dev/QA can review logs in Dev, and across dev instances to confirm fixes/breakage
More stable releases!
I’d stand in the breakroom and have someone mention “did you see that splunk search I sent you”
I’d have the team wander over to ask questions, and I’d have random folks send me Splunk searches to show me things
Innovation-a-thons included Splunk!
Give everyone access
Have a great scaling plan
Plan to buy more than you need
Plan to buy more hardware than you need
Splunk lets you deploy cheaply, use it!