About ExxonMobil and Geoffrey Martins Why Shared Service? The Four Major Challenges Final Unified Network Next Steps Takeouts on how to build a successful Shared Service Q&A

1. Splunk> CSI:Logfiles
Splunk as a Shared Service
Geoffrey Martins
Global Splunk Architect - ExxonMobil

2. 2
Agenda
About ExxonMobil and Geoffrey Martins
Why Shared Service?
The Four Major Challenges
Final Unified Network
Potential Next Steps
Takeouts
Q&A

3. 3
Largest International Oil & Gas Company in the World
75.000 employees worldwide
Presence in 100+ countries
2014 Numbers
– Gross Income: 411 Billion Dollars
– Net Income: 32 Billion Dollars
Worldwide support center in Brazil – Curitiba-PR
– 1200 employees
– 800 in IT only!

4. 4
Geoffrey Martins
Splunk Architect in Analytics E&D
– Live in Curitiba, Brazil;
– 8 years with ExxonMobil;
 .Net Developer
 SAP BW Consultant
– Masters Degree in Computing Sciences
– PhD student at UFPR

5. 5
Why Shared Service?
• Scenario by end-2013
• Splunk first brought to the company in
2012
• Several independent Splunk networks for
different departments
• Compartmentalized information
• Duplicated data ingestions
• Divergent reports coming from different
instances
• Separate support teams and separate
development teams.
• No standardization between instances.
• No Dev/Sandbox environment.

6. 6
Why Shared Service?
• Challenge: Single Worldwide Splunk
Network
• Aim for a single Splunk network
• Explore Splunk’s main advantage: Data
sharing and collaboration
• Optimize data acquisition, no duplicates.
• Standardize development and developers,
all working in a single direction.
• Make developers aware of each other
• Share code, share ideas.
• Unify user base
• Unify support

7. 7
The Four Major Challenges:
> Unify Infrastructure
> Single User Base
> Solid Support Team
> The Massive Data Unification

8. 8
Unify Infrastructure
Gather all licenses in a single licensing server
Expand presence to all continents
– Concentrate and transform data closer to the origin.
– Indexers in Asia and Europe
– Forwarders in Asia, Europe, Africa and South America.
Add power to Search Heads
– Move from totally separate search heads to two main Search Head Clusters:
 General Purpose
 CyberSecurity-Exclusive
Create a real region-based structure
– Store data closer to origin.
– Smaller transfers between sites.

9. 9
Unify User Base
Identify existing power users and form new ones
– Create a real community of Splunk power users
– Establish rules to form power users.
 Attend to three official Splunk courses
Establish a ownership process for data and apps
– Each index must have a data owner
– Each app must have an owner and a responsible power user.
Establish periodic power user meetings
– Power Users know what each other is doing
– Opportunity to showcase apps, questions help.
– Exchange of ideas, use cases, etc…

10. 10
A Solid Team Supportability Team
Centralized in one single IT team
Mix of In-House Apps and Splunk-provided solutions
 In-house developed app for real-time health monitoring (Uber Admin)
 Splunk and 3rd party apps for network and Universal Forwarder management.
– Distributed Management Console and SOS
– TA-ForwarderQuery
– FireBrigade, Deployment Monitor, UtilizationMonitor…
Train a support team and integrate into the community
Facilitate access to support and Splunk administrators

11. 11

12. 12

13. 13

14. 14

15. 15
A Solid Development Environment
Creation of a Development Network
– 1 Search Head, 2 Indexers, 2 heavy forwarders.
– Exclusive to Power Users and Admins
– Change management process:
 All development on dev network.
 Once app reach production quality, Admins move it to the production network.
 Exclusive allocation reserved to the Dev network.
Sandbox Environment
– Single all-in-one server
– No-man’s land, everyone can do anything
– Area open for experiments/prototypying
– Useful to state if Splunk is the right solution for the data.

16. 16
The Massive Data Unification
Bring all indexers together in a single indexer layer
– Document content of all indexes and make them visible
– Make users aware of all data available to them
 Each department can benefit from data coming from other departments.
 The main cause for load duplication is UNAWARENESS of data.
– Only segregate data when necessary. Keep data Free!
 Company has strict rules for management and protection of information.
 Candidates for segregation: Private and/or Proprietary data.
Leverage Distributed Capabilities of Splunk!
– Position your Indexers/Search Head strategically
– Know your data!
– Splunk runs on commodity hardware. Put it to use!

17. 17
The Final Unified Network
4-node General Purpose SHC
1 Segregated Search Head
3 Deployment Servers
1 Licensing Server
30 Indexers:
Most in US, Some in Europe and
Asia
22 Heavy Forwarders
All major sites, including Africa and
South America
~6000 Universal Forwarders
October: All 15.000 Servers

18. 18
Potential Next Steps
Splunk Mobile App
– Bring Splunk Accessibility to ALL Company Devices
Splunk MINT
– Mobile Intelligence for In-House iOS Apps
Hunk
– Proof of Concept for Hadoop

19. 19
Take-outs on a Successful Shared Service
Leverage your power users, make them known
– Awareness of each other is the key
– Your power users are your greatest resource
Unify your network, make your data visible
– Invest in documentation, know your data!
– Bring all your data together, avoid segregation unless necessary
– A development environment gives freedom and protects your Splunk network.
Keep a close eye in your network
– Monitoring can let you find problems before they happen!
– Splunk has superb monitoring capabilities: USE THEM!
– Resiliency is cheap and essential. Be prepared.
– Take retention periods very seriously!

20. Questions?
2