© 2021 SPLUNK INC.
.conf21
Best of the Best
04 November 2021 PNW Splunk User Group
This presentation may contain forward-looking statements regarding future events, plans or the
expected financial performance of our company, including our expectations regarding our products,
technology, strategy, customers, markets, acquisitions and investments. These statements reflect
management’s current expectations, estimates and assumptions based on the information currently
available to us. These forward-looking statements are not guarantees of future performance and
involve significant risks, uncertainties and other factors that may cause our actual results, performance
or achievements to be materially different from results, performance or achievements expressed or
implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those
described in the forward-looking statements made in this presentation, please refer to our periodic
reports and other filings with the SEC, including the risk factors identified in our most recent quarterly
reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting
the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at
www.sec.gov. The forward-looking statements made in this presentation are made as of the time and
date of this presentation. If reviewed after the initial presentation, even if made available by us, on our
website or otherwise, it may not contain current or accurate information. We disclaim any obligation to
update or revise any forward-looking statement based on new information, future events or otherwise,
except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described, in beta or in preview (used interchangeably), or to include any such feature
or functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and
other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.
Forward-Looking Statements
Agenda
Topic | Speaker | Organization | Start | End
Welcome | Scott Elam | Undisclosed Bank | 11:00am | 11:05am
.conf21 Product Announcement Recap | Ray Clearwater; Rob Hout; Joshua Marsh | Splunk | 11:05am | 11:20am
How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of Excellence | John Isenhart; Rob Hout | T-Mobile; Splunk | 11:20am | 11:50am
Best of SOAR sessions | Han Lievens | Splunk | 11:50am | 12:20pm
Workforce Analytics To Improve End-User Experience and Performance | Ray Clearwater | Splunk | 12:20pm | 12:50pm
Wrap-up | Josh Hritz | Arcus Data | 12:50pm | 1:00pm
Key .conf21 Announcements
Platform
Splunk Data Manager
Splunk Data Manager (Preview) is a modern, simple, and scalable GDI experience for automated cloud data source onboarding in Splunk
Cloud Platform
(Preview)
Ingest Actions
Ingest Actions is a feature for routing,
filtering, and masking data while it is
streamed into your indexers. Each data
transformation is expressed as a rule. You
can apply multiple rules to a data stream, and
save the combined rules as a ruleset.
Use the Ingest Actions page to dynamically
preview and build rules, with indexed data as
sample data. Apply the ruleset to your data
by deploying the ruleset from the indexer
cluster manager.
(Preview)
Flex Index and SmartStore for Azure
For Splunk Cloud Platform customers, our
new Flex Index allows for cost-effective
ingest, search, and storage for lower value
data that may have long retention periods
and is used primarily for historic forensic
investigation and compliance queries.
And, for our self-managed platform
customers running Splunk Enterprise in
MSFT Azure we have added SmartStore
support (Preview), allowing Splunk Azure
customers to grow to even larger scales
while controlling storage costs.
(Preview)
Workload Pricing
Workload Pricing, already available to many
Splunk Cloud and on prem customers, has been
expanded to be available for all Splunk Cloud
Platform customers. With Workload pricing, you
can gain ultimate flexibility and control over your
data and costs. No longer do you pay for the
data you ingest, but instead for what you want to
do with that data, and the corresponding value
received.
We’ve also made workload pricing easier to
manage within the Cloud Management Console,
introducing a series of dashboards that allow you
to analyze and optimize your Splunk Virtual
Compute (or SVC) usage by a variety of factors
including source type, scheduled or ad hoc
searches, apps context, and users.
Available to all Splunk Cloud Platform Customers
Victoria Experience
We are excited to introduce the Victoria Experience for greater scalability and
performance. With the Victoria Experience in Splunk Cloud Platform, customers
gain the ability to:
● Dynamically scale from low gigabytes to greater than 1 petabyte per day in
ingest volume
● Access instant value from greater than 99% self-service installable apps
Victoria experience is currently available for 45% of our cloud customers and
growing every day, giving users the ability to truly scale and customize for their
unique needs.
Federated Search
Federated search, released earlier this year, continues to expand your reach across your
data, wherever it lives.
What is federated search?
Federated search provides the capability to execute a unified search across multiple Splunk
environments (including Splunk Cloud and On-premise) providing a true federated search
experience.
This includes the ability to:
● Run ad-hoc and scheduled searches
● Initiate searches from one Splunk environment to multiple Splunk environments
● Manage security requirements across environments with role based data access
controls
● Leverage WLM to configure resources for federated searches
● Configure and setup with a self-service user interface
● Talk to your account team for further details
Dashboard Studio
In addition to advances in Search, we know that
having relevant, actionable data at your fingertips
is what can set your company apart from the
rest.
With Dashboard Studio, now available for Splunk
Mobile, we are also making it easier for you to
share compelling insights and take action from
anywhere.
Now available for Splunk Mobile
Customize Splunk
All new Splunkbase
It is now easier than ever to quickly find
new ways to use and extend Splunk
with enhanced categories, as well as
curated Collections of purpose-built
apps for a variety of use cases.
Preview
Improved Splunk Operator for Kubernetes
Splunk Operator for Kubernetes allows
you to quickly and easily deploy Splunk
on your choice of private or public cloud
provider. The operator simplifies the
scaling and management of Splunk by
automating workflows while
implementing Kubernetes best
practices.
With streamlined installation and
administration, you can easily bring
Splunk to any part of your organization!
Admin Config Service (ACS) enhancements
The Admin Config Service (ACS) is a cloud-native API that provides programmatic self-service
administration capabilities for Splunk Cloud Platform. Splunk Cloud Platform administrators can
use the ACS API to perform common administrative tasks without assistance from Splunk Support.
The ACS API lets you:
● Configure IP allow lists
● Manage HTTP Event Collector (HEC) tokens
● Manage indexes
● Manage private apps and add-ons
Applicable to Splunk Cloud Platform customers
Security
● Enterprise Security Cloud
● Executive summary dashboard to
surface KPIs that provide insights
into the overall health of your SOC
○ Mean Time to Triage
○ Mean Time to Resolution
○ Investigations Created
○ Risk Based Alerting Trends
● Security operations dashboard
● Cloud security monitoring dashboard
Splunk for Security
Executive summary dashboard
● Behavioral Analytics for Security Cloud (preview)
● Splunk Security Essentials
● Splunk SOAR
○ Apps now available on Splunkbase
○ New App Editor makes it easy to view, test, extend and edit existing apps or create new apps
from the SOAR user interface
○ Visual Playbook Editor
● TruSTAR renamed to Splunk Intelligence Management
● SURGe
○ SURGe is a team of Splunk security experts, threat researchers and advisors dedicated to researching, responding to and educating about the threats that impact the world. We provide security teams with timely research, technical guidance and tactical recommendations on how to detect, investigate and respond to cyberattacks.
Splunk for Security
Conf Partnership Announcements
Several Notable New Partnerships Highlighted
● Zscaler
● DTEX
● Mandiant
Zscaler Integrations
https://www.splunk.com/en_us/partners/solutions/zscaler.html
Doc Guide from Global Strategic Partnership Page
SOLUTION BRIEF
Zscaler and Splunk for Security
BLOG POST
Splunk and Zscaler Utilize Data and Zero Trust to Eradicate
Threats
PARTNERSHIP VIDEO
Splunk and Zscaler Utilize Data and Zero Trust to Eradicate
Threats
PRESS RELEASE
Zscaler Advances Zero Trust Security for the Digital Business
Disrupting Decades of Legacy IT Security and Networking
Models
DEPLOYMENT GUIDE
Zscaler and Splunk | Deployment Guide
SPLUNKBASE APPS
Zscaler Splunk App
Zscaler Technical Add-On for Splunk
DTEX
Workforce Cyber Intelligence & Security
Mandiant
Threat Intel, Security Validation, and Incident Response
Observability and ITOps
Preview the Splunk Observability
integration with Splunk Enterprise via
Splunk Log Observer.
○ Use the Log Observer interface directly within
Observability Cloud and access data you’re
already sending to your existing Splunk
instances.
○ If you are a Splunk Enterprise customer who
has Splunk Infrastructure Monitoring, Splunk
APM, or Splunk Observability Cloud licenses,
you can leverage Splunk’s intuitive Log
Observer Interface at no extra cost, and usually
without having to write any new SPL.
Splunk for Observability and ITOps
Observe Any Environment with Deeper Integrations and Expanded Use Cases
AlwaysOn Profiling in Splunk APM
(preview) provides visibility of code-level
performance, linked to trace data, in order
to troubleshoot production issues faster.
Splunk for Observability and ITOps
Preview: AlwaysOn Profiling in Splunk APM
With the general availability of Splunk RUM for
Mobile Apps, we’ve added end-to-end visibility of
native mobile apps to help monitor and deliver
great customer experiences on iOS and Android.
Splunk RUM now supports both web browsers and
mobile apps, with end-to-end tracing to backend
services, to get you the complete picture of the
end-user experience.
With significant momentum planned for Splunk
Synthetic Monitoring, we continue to deepen
Splunk’s digital experience monitoring capabilities
with extended full-fidelity visibility to help you
deliver a great customer experience.
Splunk for Observability and ITOps
Splunk RUM for Mobile Apps and Splunk Synthetic Monitoring
Splunk Observability Mobile enables on-
call SREs and developers to access
critical Observability Cloud dashboards
and alerts on the go.
● Intuitive visualizations
● Better understand alert details from
your Apple or Android phone
● View real time dashboards
● Mobile access is included with any
Splunk Observability Cloud license
Splunk for Observability and ITOps
Splunk Observability Mobile
● AutoDetect (preview) in Splunk Infrastructure
Monitoring automatically discovers infrastructure
anomalies and intuitively incorporates alert status
into dashboards
○ high container restarts
○ pods remaining in pending status
● Splunk App for Content Packs acts as a one-stop
shop for prepackaged content to address common
monitoring and troubleshooting use cases in our IT
Service Intelligence (ITSI) and IT Essentials Work
products — including new Content Packs for
managing Microsoft 365, Third-party APM tools and
Synthetic Monitoring
Splunk for Observability and ITOps
Free Out-of-the-Box Capabilities for Faster Time to Value
● We will continue our leadership and contributions to
OpenTelemetry with the donation of the eBPF
Collector.
○ Based on the technology acquired last year
from Flowmill, the collector enables network
observability for modern cloud applications.
Specifically, the eBPF Collector allows accurate,
complete models of cloud network
dependencies and service health to be built
without any changes to code or container
images.
u didn’t
.conf21
enuf??
Uplevel your knowledge FAST
● PLA1264B - Best Practices and Better Practices for Admins
● PLA1266A - Reimagine Data Visualization with Splunk Dashboard Studio
● TRU1133B - Clara-Fication: More Tstats for Your Buckets
● S4U1796C - Data-Driven Enhancements: How Splunk Ideas Leverages the Power of the Splunk Platform To Connect
Product Managers With Customers and Context
● ITO1330B - How To Get Stakeholders Standing in Line for Dashboards: Chipotle’s Digital Journey Using Splunk
● PLA1373A - How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of
Excellence
● TRU1112B - Administrators Anonymous: Splunk Best Practices and Useful Tricks I Learned the Hard Way
● TRU1053B - Dashboarding Wowzas! Top Tips for Making Your Dashboards Awesome
● PLA1327B - Advanced Scheduling with Splunk to Help Ensure Your Searches Run, Succeed and Cover All Data
● PLA1753A - Sneak Peek of the All New Search and Dashboard Experience That Will Dramatically Enhance Your Time to
Insight
● TRU1713B - Now They See It, Now They Don't: Role Based Access Controls and Data Filtering in Splunk
If you oversee a core Splunk deployment, you want to watch these :)
Not to be missed!
Security Sessions
● SEC1396C - Level Up! How To Go From a Beginner to a Champion in Splunk Security
● SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation
● SEC1271A - What's New in Splunk Enterprise Security?
● SEC1163A - Proactive Risk Based Alerting for Insider Threats
● SEC1701C - Turbocharge Splunk SOAR and SIEM Investments With TruSTAR Intel Workflows
● SEC1301C - Splunk SOAR: Automation for the Modern SOC
● SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR
● SEC1745C - Hunting the Known Unknown: Supply Chain Attacks
● SEC1742C - SIEM, SOAR and XDR...Which One?
● SEC1166C - Modernizing Security Operations With Splunk Security Maturity Methodology (S2M2)
● SEC1332C - Splunk Enterprise Security Biology V: A Fresh Look at the Threat Intel Framework
● SEC1108C - Enabling DevSecOps and Securing the Software Factory With Splunk
BOTS and BOO .conf21
BOTS
● Registered Users = 2426
● Splunkers Involved = 88
● Registered players who answered a question = 60%
● Total Answers Submitted = 56,119
● Correct Answers = 29,686 (53%)
BOO
● 13,396 Answers Submitted
● 7,420 Correct Answers
● 600 Registrants
● 1100+ Twitch Views
● 3 realtime outages played during each game
Session 1 and Session 2 Global Representation
Getting Started with Splunk for Security
New on-demand security workshop delivery platform
https://bots.splunk.com
Encore Presentations
How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of Excellence
John Isenhart, T-Mobile
Rob Hout, Splunk
Increase Splunk User Proficiency Through Center of Excellence
PLA1373A
John Isenhart
Principal Engineer | T-Mobile
Robert Hout
Senior Solutions Engineer | Splunk
Agenda
How T-Mobile Increased Splunk User Proficiency (across 7800 users) with a World-Class Center of Excellence
1) The calm before the storm
2) What happens when users go bad
3) User identification
4) User maturity grading
5) Enablement/Engagement feedback loop
Let’s talk about users!
It was nice when...
• All the users in an environment were advanced Splunk admins/experienced users
• One could predict workloads and understand when peaks would occur
• Onboard new users and their data with little trouble
However, time moves on, and your environment organically grows…
• Suddenly the environment balloons with new user demands
• Performance is often hampered by unpredictable workloads
• Data growth is beyond what one can successfully onboard
Speaking of users… Meet Sean
Sean was a new, somewhat inexperienced user, excited about the prospect of what could be done with Splunk. As such, new dashboards were created that, as can be seen here, had a massive impact on a self-service platform.
Data Lakes, Master Data Management, ETL, Point Data Management Solutions, Data Silos
Assess, Measure, Improve
● Measuring Reality (Customer Experience Framework)
● Assessing Perception (Net Promoter Score - NPS)
● Action Engine (Center of Excellence)
Service Excellence
Closing the Loop
Loop stages: Baseline, Identify, Improvement Action, Re-Assess
Improvement Targets
1. Technical performance improvement
2. User maturity improvement
3. New use-case onboarding
Self-service content
● Docs & Videos
● Office Hours & On-Demand
● Training & Workshops
Scenario 1
● Perception = Platform is slow
● Reality = Poor search hygiene
● Identify top offending users
● Match user Maturity Rating to Content Rating and deliver
● Looking for increase in Maturity Rating
Scenario 2
● Perception = Lack of value
● Reality = Low usage/Data/KOs
● Identify top inactive users in target Business Area
● Match Business Area use-case to user groups
● Looking for increase in user activity, KO creation, Data ingest, etc
The Details: How it all works
Service Quality
User Experience Score
Performance, Availability, Proficiency
● Total Search Count
● Aggregate Row Scans
● Search Execution Time
● Searches Exceeding 5-Minute Completion
● Incomplete or Failed Searches
● Search Result Count
● Per-User Search Maturity Score
● Search Efficiency (Rows per Result)
Proficiency
Value & Adoption
User Maturity Rating
Center of Excellence
Current Version Org Score Elements
Organization Maturity Score
Business Impact, Realized Value, Proficiency
● Org-owned index average crit rating
● Splunk User Adoption
● Org-owned Data usage
● Per-User Search Maturity Score
CoE - Proficiency & Adoption
CoE - Value & Adoption
CoE - Integrate to the Training
CoE - Maturation Matrix
Maturity Model levels: L1: Awareness and Ambition; L2: Established and Measured; L3: Optimized and Continuous Improvements
Assessment Category: Splunk Proficiency
L1: Low
● Lack of or few in-house Splunk experts
● Low User Proficiency Score
● None certified by Splunk
L2: Medium
● Few to several in-house Splunk experts
● Moderate User Proficiency
● Some certified by Splunk
L3: High
● Many Splunk experts partnering with Splunk CoE
● High User Proficiency
Assessment Category: Realized Value
L1: Low
● Daily Ingest rate vs Search count
● Low adoption rate (total unique Splunk users per month / FTE count by Director)
L2: Medium
● Daily Ingest rate vs Search count
● Moderate adoption rates
L3: High
● Daily Ingest rate vs Search count
● High adoption rates
Assessment Category: Business Impact
L1: Low to moderate reliance on Splunk
● Type of data assets: SOX, PCI, CPNI etc. Federated data, Cybersecurity, Network data
L2: Moderate to high reliance
● Business critical / moderate-high priority data assets
L3: High reliance on Splunk
● Business critical / High priority data assets
Recommended Actions by Importance & Urgency (based on team scores)
L1:
● Take advantage of On-Demand Training
● Enhance User Adoption
● Access Data / Insights that matter
● Leverage Online Resources
● Participate in User Forums
L2:
● Prioritize Advanced On-Demand Training
● Develop Resident Experts
● Contribute in User Forums
● CoE Partnerships / Co-create Models
● Consider Splunk Certification
L3:
● Prioritize Advanced On-Demand Training
● Grow Partnerships / Co-create Models
● Expand ML Use Cases and Studio
● Share Expertise / Feedback to CoE
● Support User Forums
Here’s What You Need to Get Started
● HR feed with the per-user management chain embedded, all the way to the top!
● Index ownership, to establish index criticality
● Search term weighting list
● Search Activity App data set (can be assembled from elsewhere)
○ Needs: actual search text, event/row scans, result scans, and search execution times
● _introspection data set for service quality
Contact Information
John Isenhart
Principal Engineer | T-Mobile
john.isenhart1@t-mobile.com
Robert Hout
Senior Solutions Engineer | Splunk
rhout@splunk.com
Thank You
Please provide feedback via the SESSION SURVEY
Recap: SOAR sessions
Han Lievens
Splunk
© 2019 SPLUNK INC.
Best of .conf21 - SOAR
Han Lievens, Senior Consulting Security Engineer
11/3/2021
SOAR Much?
• Phantom is now Splunk SOAR
• 32 sessions!
• Not just Security – IT Ops too
• More cloud-based use cases
• Tighter integration with Risk Based Alerting and Response
Use Cases
● Case Management: SEC1194A, SEC1590C, SEC1166C, SEC1508A
● SOC Automation: SEC1301C, TRU1636B, SEC1166C, SEC1745C
● Risk-Based Response: SEC1440A, SEC1162A, SEC1163A, SEC1546A
● IT Ops: ITO1185B, PLA1129C, ITO1391B, ITO1254B
● Mobile: PLA1314A, PLA1277B, PLA1468A, ITO1254B
Tackling Account Management Within the Cloud (AWS, Azure and GCP) with Splunk SOAR
SEC1528C
Augmented Case Management with Risk Based Analytics and Splunk SOAR
SEC1590C
Honorable Mention: DoH or DoH Not, There is no Try.
SEC1495C
What’s SOARing?
- Splunk SOAR can now be a SaaS solution!
  - Faster time to value
  - Simplified operational overhead
  - Increase security agility without sacrificing performance
- Have you seen the new Visual Playbook Editor in v. 5.0?
  - Vertical UI, wider blocks for descriptions, labels and filters
  - UI-based config options for playbook APIs
  - Input and output parameters supporting modular playbook design
- Mission Control SOAR integration coming early next year!
Thank You
Workforce Analytics To Improve End-User Experience and Performance
ITO1150C
Ray Clearwater
Sr. Solutions Engineer | Splunk
Ray Clearwater
Sr. Solutions Engineer | Splunk
Portland, Oregon
Ray Clearwater, Sr. Solutions Engineer
● Splunk Strategic Accounts - Pacific Northwest
● Lives near Portland, Oregon
● US Navy Veteran - Joint Task Force Operations Iraq-Kuwait
● Sun Labs Alumni
● Technology Evangelist on Digital Workspace and End User Computing Strategies (over 100 speaking engagements)
Agenda
1) Introduction - Workforce Analytics: A Data-Centric Workspace
2) User Experience: Engage The Workforce
3) Digital Workspace Technologies: Protocols, Apps, Infrastructure and Humans
4) Data as the Enabler: Gather, Correlate, Analyze
5) Experience Scoring: The Proactive Approach
What is Workforce Analytics?
A proactive data strategy that provides a comprehensive view of your organization's technology consumers, designed to interpret historic trends and create predictive models that lead to insights and better decisions in the future.
Workforce Analytics is about making sure organizations have the ability to work efficiently.
Why Workforce Analytics?
● 36% of respondents working from home state that their internet connection is slower than in the office. (statista 2021)
● Globally only 20% of employees are engaged at work. (Gallup 2021)
A data-centric approach to improving user experience
What Happens if We Don’t?
Employee turnover
“In the aftermath of 2020, employee quit rates are reaching record highs… 74% are either actively looking for new employment or watching for openings.”
https://www.gallup.com/workplace/352949/employee-engagement-holds-steady-first-half-2021.aspx
Employee disengaged
“Disengaged workers have a 60% higher rate of general errors. And disengagement costs the U.S. economy $550 billion per year.”
https://resources.achievers.com/resources/the-true-cost-of-employee-disengagement
Productivity loss
“Workers report losing an average of 22 minutes per workday due to issues related to technology”
https://www.prnewswire.com/news-releases/wasted-workday-employees-lose-over-two-weeks-each-year-due-to-it-related-issues-300239058.html
As organizations blur the lines between in-house and consumer applications, we should treat employees like customers.
When the Workforce is Engaged...
● Financial Success (2x): “...for companies who know how to build a positive work culture
● Shareholder Return (5x): ...engaged companies have five times higher shareholder returns over five years
● Employee Turnover (59% less): 41 percent lower absentee rates, and between 25 and 59 percent less turnover
● Safety Issues (70% fewer): fewer employee safety incidents
● Defects (40% less): Higher quality products with 28% less shrinkage
https://www.achievers.com/blog/6-mind-blowing-stats-employee-engagement/
https://www.business2community.com/strategy/roi-employee-engagement-7-stats-need-know-01573138#aScHbZZd3b8ktyY5.97
Large Fintech
● 80,000 virtual desktops + physical end-clients for ~65,000 employees
● Three FULL data centers
● Logons took 5-10 minutes
● Supporting technology 8-10 years old
● Entire company had negative perception of Desktop Operations
● MANY workarounds in place, constant shift
Chasing their tails
Large FinTech
$9B
Revenue
10%
Missed orders due to
operational latencies
5%
Loss of income due
to missed
opportunities
$45M
Potential income loss
“How much is lack of visibility and action costing your business?”
What we Did...
● SplunkApp UA Agent
● Splunk Universal Forwarder
● Tested and proven in lab first
● Deployed to sample group, then to 5k traders, admins and operations staff
What Did we Learn?
● IT Operations created false baseline
● “Heisenbug-like” scenario with Nagios acting as observer
● Finger-pointing at OS and application vendors was slow and painful
● Top-down visibility was key to sifting through egos
– Dashboards beat spreadsheets EVERY time
● Modern technologies increase density and reduce latency
● Reduce to one data center capacity
– Facilities savings alone would pay for modernization
All things Considered
What does good look like?
● End-to-end visibility
● What’s the trend?
● Need to know downstream effect
● Ever-changing
Are all problems equal?
● What to prioritize?
● When to take action?
● How much detail do I have?
● Recognition vs. resolution
● Who owns the resolution?
Are all user experiences equal?
● Internal/external
● Who and how many
● High-risk/exposure
Questions we need to ask
The Digital Workspace
Elements and process
• Complex - this isn’t easy and is seldom changed once working
• Competitive - Vendors compete for lock-in based on proprietary protocols
• Cloudy - Cloud not for every workspace
[Diagram labels: Display protocols, Network, App delivery, Load Balancer, User/Profile data, Image management, Devices, Browser, Agents, GPU, MONSTER!!!]
Supporting Technologies
Display Protocols
● Citrix HDX
● VMware Blast
● Teradici PCoIP
● Microsoft RDP and RemoteFX
● GPU
● Browser type
● End-client
● Industry specific
Networks
● Local Area Network (LAN)
● Wireless Local Area Network (WLAN)
● Campus Area Network (CAN)
● Metropolitan Area Network (MAN)
● Wide Area Network (WAN)
● Storage-Area Network (SAN)
App Delivery
● Citrix App Layering (XenApp)
● VMware ThinApp
● VMware App Volumes
● Application virtualization
● Application layering
● Application streaming
User Data
● Local
● Application specific
● Preferences
● Profiles
● History
● Recovery
● Infrastructure
● 80/20 rule
“Oh yeah...and make it secure”
What’s Broken?
Browser
Session
Broker
Client
Devices
Network
Cloud
Geopolitical
Staff
Apps and Services
Latency is the #1 symptom of an underlying or developing problem
One of the biggest blindspots in troubleshooting user experience is the lack of correlation.
Data Improves the Experience
Correlate Resources
Where is the problem?
● Applications
● Microservices
● Multi-cloud
● Sessions
● Infrastructure
Gather Metrics
Do I have a problem?
● Startup/shutdown
● Logon
● Session
● Capacity
● Inventory
● I/O
Analyze Logs
Why did it occur?
● Session broker
● Application error
● End-client
● Network outage
● App/OS upgrade
● License violation
The what, where and why
User Experience Scoring
● Calculate and visualize experience scores for the entire EUC ecosystem
● Drill-down data by category and component
● Highlight trends on resources where potential issues are originating from
Let’s drill in
Machine Score Trending Down
● Machine score: quality indicator for machine performance and health
● User session score: quality indicator for user session performance and health
● Application score: quality indicator for application performance and health
Each category is calculated by different components.
Let’s check the Stop Errors (Blue Screen & Power Loss) dashboard.
We see the machines or end-clients experiencing the stop errors.
● Tells you everything relevant to user experience
● Helps you identify trends that otherwise would have gone unnoticed
● Simplifies troubleshooting by showing you what you need to know in one place
● Monitors which applications are used when
● Makes help desk and IT operations more effective
● Increases employee engagement
● Data correlation is key to performance at scale
● Enriches data vital for information security
A Proactive Approach to Operational Intelligence for the Digital Workforce
Thank You
To the team at Vast Limits & uberAgent
Thank you to:
Eric Merkel for encouraging me to host this session
Amanda Richardson for blocking and tackling while I put this together
Miss us already?
Next user group meeting is January 12, 11am PST
Thank You

November 2021 Splunk PNW User Group

  • 1. © 2021 SPLUNK INC. .conf21 Best of the Best 04 November 2021 PNW Splunk User Group
  • 2. This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. 
We undertake no obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include any such feature or functionality in a future release. Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved. Forward-Looking Statements
  • 3. © 2021 SPLUNK INC. Agenda (Topic | Speaker | Organization | Start | End)
    ● Welcome | Scott Elam | Undisclosed Bank | 11:00am | 11:05am
    ● .conf21 Product Announcement Recap | Ray Clearwater, Rob Hout, Joshua Marsh | Splunk | 11:05am | 11:20am
    ● How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of Excellence | John Isenhart, Rob Hout | T-Mobile, Splunk | 11:20am | 11:50am
    ● Best of SOAR sessions | Han Lievens | Splunk | 11:50am | 12:20pm
    ● Workforce Analytics To Improve End-User Experience and Performance | Ray Clearwater | Splunk | 12:20pm | 12:50pm
    ● Wrap-up | Josh Hritz | Arcus Data | 12:50pm | 1:00pm
  • 4. © 2021 SPLUNK INC. Key .conf21 Announcements
  • 5. © 2021 SPLUNK INC. Platform
  • 6. © 2021 SPLUNK INC. Splunk Data Manager Splunk Data Manager (Preview) is a modern, simple, and scalable GDI experience for automated cloud data source onboarding in Splunk Cloud Platform (Preview)
  • 7. © 2021 SPLUNK INC. Ingest Actions Ingest Actions is a feature for routing, filtering, and masking data while it is streamed into your indexers. Each data transformation is expressed as a rule. You can apply multiple rules to a data stream, and save the combined rules as a ruleset. Use the Ingest Actions page to dynamically preview and build rules, with indexed data as sample data. Apply the ruleset to your data by deploying the ruleset from the indexer cluster manager. (Preview)
  • 8. © 2021 SPLUNK INC. Ingest Actions (Preview)
  • 9. © 2021 SPLUNK INC. Flex Index and SmartStore for Azure For Splunk Cloud Platform customers, our new Flex Index allows for cost-effective ingest, search, and storage for lower value data that may have long retention periods and is used primarily for historic forensic investigation and compliance queries. And, for our self-managed platform customers running Splunk Enterprise in MSFT Azure we have added SmartStore support (Preview), allowing Splunk Azure customers to grow to even larger scales while controlling storage costs. (Preview)
  • 10. © 2021 SPLUNK INC. Workload Pricing Workload Pricing, already available to many Splunk Cloud and on prem customers, has been expanded to be available for all Splunk Cloud Platform customers. With Workload pricing, you can gain ultimate flexibility and control over your data and costs. No longer do you pay for the data you ingest, but instead for what you want to do with that data, and the corresponding value received. We’ve also made workload pricing easier to manage within the Cloud Management Console, introducing a series of dashboards that allow you to analyze and optimize your Splunk Virtual Compute (or SVC) usage by a variety of factors including source type, scheduled or ad hoc searches, apps context, and users. Available to all Splunk Cloud Platform Customers
  • 11. © 2021 SPLUNK INC. Victoria Experience We are excited to introduce the Victoria Experience for greater scalability and performance. With the Victoria Experience in Splunk Cloud Platform, customers gain the ability to: ● Dynamically scale from low gigabytes to greater than 1 petabyte per day in ingest volume ● Access instant value from greater than 99% self-service installable apps Victoria experience is currently available for 45% of our cloud customers and growing every day, giving users the ability to truly scale and customize for their unique needs.
  • 12. © 2021 SPLUNK INC. Federated Search Federated search, released earlier this year, continues to expand your reach across your data, wherever it lives. What is federated search? Federated search provides the capability to execute a unified search across multiple Splunk environments (including Splunk Cloud and On-premise) providing a true federated search experience. This includes the ability to: ● Run ad-hoc and scheduled searches ● Initiate searches from one Splunk environment to multiple Splunk environments ● Manage security requirements across environments with role based data access controls ● Leverage WLM to configure resources for federated searches ● Configure and setup with a self-service user interface ● Talk to your account team for further details
  • 13. © 2021 SPLUNK INC. Dashboard Studio In addition to advances in Search, we know that having relevant, actionable data at your fingertips is what can set your company apart from the rest. With Dashboard Studio, now available for Splunk Mobile, we are also making it easier for you to share compelling insights and take action from anywhere. Now available for Splunk Mobile
  • 14. © 2021 SPLUNK INC. Customize Splunk
  • 15. © 2021 SPLUNK INC. All new Splunkbase It is now easier than ever to quickly find new ways to use and extend Splunk with enhanced categories, as well as curated Collections of purpose-built apps for a variety of use cases. Preview
  • 16. © 2021 SPLUNK INC. Improved Splunk Operator for Kubernetes Splunk Operator for Kubernetes allows you to quickly and easily deploy Splunk on your choice of private or public cloud provider. The operator simplifies the scaling and management of Splunk by automating workflows while implementing Kubernetes best practices. With streamlined installation and administration, you can easily bring Splunk to any part of your organization!
  • 17. © 2021 SPLUNK INC. Admin Config Service (ACS) enhancements The Admin Config Service (ACS) is a cloud-native API that provides programmatic self-service administration capabilities for Splunk Cloud Platform. Splunk Cloud Platform administrators can use the ACS API to perform common administrative tasks without assistance from Splunk Support. The ACS API lets you: ● Configure IP allow lists ● Manage HTTP Event Collector (HEC) tokens ● Manage indexes ● Manage private apps and add-ons Applicable to Splunk Cloud Platform customers
  • 18. © 2021 SPLUNK INC. Security
  • 19. © 2021 SPLUNK INC. ● Enterprise Security Cloud ● Executive summary dashboard to surface KPIs that provide insights into the overall health of your SOC ○ Mean Time to Triage ○ Mean Time to Resolution ○ Investigations Created ○ Risk Based Alerting Trends ● Security operations dashboard ● Cloud security monitoring dashboard Splunk for Security Executive summary dashboard
  • 20. © 2021 SPLUNK INC. ● Behavioral Analytics for Security Cloud (preview) ● Splunk Security Essentials ● Splunk SOAR ○ Apps now available on Splunkbase ○ New App Editor makes it easy to view, test, extend and edit existing apps or create new apps from the SOAR user interface ○ Visual Playbook Editor ● TruSTAR renamed to Splunk Intelligence Management ● SURGe ○ SURGe is a team of Splunk security experts, threat researchers and advisors dedicated to researching, responding to and educating about the threats that impact the world. We provide security teams with timely research, technical guidance and tactical recommendations on how to detect, investigate and respond to cyberattacks. Splunk for Security
  • 21. © 2021 SPLUNK INC. Conf Partnership Announcements Several Notable New Partnerships Highlighted ● Zscaler ● DTEX ● Mandiant
  • 22. © 2021 SPLUNK INC. Zscaler Integrations https://www.splunk.com/en_us/partners/solutions/zscaler.html Doc Guide from Global Strategic Partnership Page SOLUTION BRIEF Zscaler and Splunk for Security BLOG POST Splunk and Zscaler Utilize Data and Zero Trust to Eradicate Threats PARTNERSHIP VIDEO Splunk and Zscaler Utilize Data and Zero Trust to Eradicate Threats PRESS RELEASE Zscaler Advances Zero Trust Security for the Digital Business Disrupting Decades of Legacy IT Security and Networking Models DEPLOYMENT GUIDE Zscaler and Splunk | Deployment Guide SPLUNKBASE APPS Zscaler Splunk App Zscaler Technical Add-On for Splunk
  • 23. © 2021 SPLUNK INC. DTEX Workforce Cyber Intelligence & Security
  • 24. © 2021 SPLUNK INC. Mandiant Threat Intel, Security Validation, and Incident Response
  • 25. © 2021 SPLUNK INC. Observability and ITOps
  • 26. © 2021 SPLUNK INC. Preview the Splunk Observability integration with Splunk Enterprise via Splunk Log Observer. ○ Use the Log Observer interface directly within Observability Cloud and access data you’re already sending to your existing Splunk instances. ○ If you are a Splunk Enterprise customer who has Splunk Infrastructure Monitoring, Splunk APM, or Splunk Observability Cloud licenses, you can leverage Splunk’s intuitive Log Observer Interface at no extra cost, and usually without having to write any new SPL. Splunk for Observability and ITOps Observe Any Environment with Deeper Integrations and Expanded Use Cases
  • 27. © 2021 SPLUNK INC. AlwaysOn Profiling in Splunk APM (preview) provides visibility of code-level performance, linked to trace data, in order to troubleshoot production issues faster. Splunk for Observability and ITOps Preview: AlwaysOn Profiling in Splunk APM
  • 28. © 2021 SPLUNK INC. With the general availability of Splunk RUM for Mobile Apps, we’ve added end-to-end visibility of native mobile apps to help monitor and deliver great customer experiences on iOS and Android. Splunk RUM now supports both web browsers and mobile apps, with end-to-end tracing to backend services, to get you the complete picture of the end-user experience. With significant momentum planned for Splunk Synthetic Monitoring, we continue to deepen Splunk’s digital experience monitoring capabilities with extended full-fidelity visibility to help you deliver a great customer experience. Splunk for Observability and ITOps Splunk RUM for Mobile Apps and Splunk Synthetic Monitoring
  • 29. © 2021 SPLUNK INC. Splunk Observability Mobile enables on-call SREs and developers to access critical Observability Cloud dashboards and alerts on the go. ● Intuitive visualizations ● Better understand alert details from your Apple or Android phone ● View real time dashboards ● Mobile access is included with any Splunk Observability Cloud license Splunk for Observability and ITOps Splunk Observability Mobile
  • 30. © 2021 SPLUNK INC. Splunk for Observability and ITOps Free Out-of-the-Box Capabilities for Faster Time to Value ● AutoDetect (preview) in Splunk Infrastructure Monitoring automatically discovers infrastructure anomalies and intuitively incorporates alert status into dashboards ○ high container restarts ○ pods remaining in pending status ● Splunk App for Content Packs acts as a one-stop shop for prepackaged content to address common monitoring and troubleshooting use cases in our IT Service Intelligence (ITSI) and IT Essentials Work products — including new Content Packs for managing Microsoft 365, Third-party APM tools and Synthetic Monitoring ● We will continue our leadership and contributions to OpenTelemetry with the donation of the eBPF Collector. ○ Based on the technology acquired last year from Flowmill, the collector enables network observability for modern cloud applications. Specifically, the eBPF Collector allows accurate, complete models of cloud network dependencies and service health to be built without any changes to code or container images.
  • 31. © 2021 SPLUNK INC. u didn’t .conf21 enuf??
  • 32. © 2021 SPLUNK INC. Uplevel your knowledge FAST ● PLA1264B - Best Practices and Better Practices for Admins ● PLA1266A - Reimagine Data Visualization with Splunk Dashboard Studio ● TRU1133B - Clara-Fication: More Tstats for Your Buckets ● S4U1796C - Data-Driven Enhancements: How Splunk Ideas Leverages the Power of the Splunk Platform To Connect Product Managers With Customers and Context ● ITO1330B - How To Get Stakeholders Standing in Line for Dashboards: Chipotle’s Digital Journey Using Splunk ● PLA1373A - How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of Excellence ● PLA1264B - Best Practices and Better Practices for Admins ● TRU1112B - Administrators Anonymous: Splunk Best Practices and Useful Tricks I Learned the Hard Way ● TRU1053B - Dashboarding Wowzas! Top Tips for Making Your Dashboards Awesome ● PLA1327B - Advanced Scheduling with Splunk to Help Ensure Your Searches Run, Succeed and Cover All Data ● PLA1753A - Sneak Peek of the All New Search and Dashboard Experience That Will Dramatically Enhance Your Time to Insight ● TRU1713B - Now They See It, Now They Don't: Role Based Access Controls and Data Filtering in Splunk If you oversee a core Splunk deployment, you want to watch these :)
  • 33. © 2021 SPLUNK INC. Not to be missed! Security Sessions ● SEC1396C - Level Up! How To Go From a Beginner to a Champion in Splunk Security ● SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation ● SEC1271A - What's New in Splunk Enterprise Security? ● SEC1163A - Proactive Risk Based Alerting for Insider Threats ● SEC1701C - Turbocharge Splunk SOAR and SIEM Investments With TruSTAR Intel Workflows ● SEC1301C - Splunk SOAR: Automation for the Modern SOC ● SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR ● SEC1745C - Hunting the Known Unknown: Supply Chain Attacks ● SEC1742C - SIEM, SOAR and XDR...Which One? ● SEC1166C - Modernizing Security Operations With Splunk Security Maturity Methodology (S2M2) ● SEC1332C - Splunk Enterprise Security Biology V: A Fresh Look at the Threat Intel Framework ● SEC1108C - Enabling DevSecOps and Securing the Software Factory With Splunk
  • 34. © 2021 SPLUNK INC. BOTS ● Registered Users = 2426 ● Splunkers Involved = 88 ● Registered players who answered a question = 60% ● Total Answers Submitted = 56,119 ● Correct Answers = 29,686 (53%) BOTS and BOO .conf21 BOO ● 13,396 Answers Submitted ● 7,420 Correct Answers ● 600 Registrants ● 1100+ Twitch Views ● 3 realtime outages played during each game Session 1 and Session 2 Global Representation
  • 35. © 2021 SPLUNK INC. Getting Started with Splunk for Security New on-demand security workshop delivery platform https://bots.splunk.com
  • 36. © 2021 SPLUNK INC. Encore Presentations
  • 37. © 2021 SPLUNK INC. How T-Mobile Increased Splunk User Proficiency (Across 7,800 Users!) With a World-Class Center of Excellence John Isenhart (T-Mobile), Rob Hout (Splunk)
  • 38. © 2021 SPLUNK INC. Increase Splunk User Proficiency Through Center of Excellence PLA1373A John Isenhart Principal Engineer | T-Mobile Robert Hout Senior Solutions Engineer | Splunk
  • 39. © 2021 SPLUNK INC. John Isenhart Principal Engineer | T-Mobile Robert Hout Senior Solutions Engineer | Splunk
  • 40. © 2021 SPLUNK INC. Agenda: How T-Mobile Increased Splunk User Proficiency (across 7800 users) with a World-Class Center of Excellence 1) The calm before the storm 2) What happens when users go bad 3) User identification 4) User maturity grading 5) Enablement/Engagement feedback loop
  • 41. © 2021 SPLUNK INC. Let’s talk about users! It was nice when... • All the users in an environment were advanced Splunk admins/experienced users • One could predict workloads and understand when peaks would occur • Onboard new users and their data with little trouble However, time moves on, and your environment organically grows… • Suddenly the environment balloons with new user demands • Performance is often hampered by unpredictable workloads • Data growth is beyond what one can successfully onboard
  • 42. © 2021 SPLUNK INC. Speaking of users… Meet Sean Sean was a new somewhat inexperienced user excited about the prospect and what could be done with Splunk. As such, new dashboards were created that, as can be seen here, had a massive impact on a self-service platform.
  • 43. © 2021 SPLUNK INC. Data Lakes Master Data Management ETL Point Data Management Solutions Data Silos Assess Measure Improve Measuring Reality (Customer Experience Framework) Assessing Perception (Net Promoter Score - NPS) Action Engine (Center of Excellence) Service Excellence
  • 44. © 2021 SPLUNK INC. Closing the Loop
    ● Improvement Targets: 1. Technical performance improvement 2. User maturity improvement 3. New use-case onboarding
    ● Loop diagram labels: Baseline, Re-Assess, Identify Improvement, Action
    ● Content labels: Self-service content, Docs & Videos, Office Hours & On-Demand, Training & Workshops
    ● Scenario 1: Percep = Platform is slow; Reality = Poor search hygiene; Identify top offending users; Match user Maturity Rating to Content Rating and deliver; Looking for increase in Maturity Rating
    ● Scenario 2: Percep = Lack of value; Reality = Low usage/Data/KOs; Identify top inactive users in target Business Area; Match Business Area use-case to user groups; Looking for increase in user activity, KO creation, Data ingest, etc.
  • 45. © 2021 SPLUNK INC. The Details: How it all works
  • 46. © 2021 SPLUNK INC. Service Quality
  • 47. © 2021 SPLUNK INC. Service Quality ● User Experience Score ● Performance ● Availability ● Proficiency ● Total Search Count ● Aggregate Row Scans ● Search Execution Time ● Searches Exceeding 5-Minute Completion ● Incomplete or Failed Searches ● Search Result Count ● Per-User Search Maturity Score ● Search Efficiency (Rows per Result)
  • 48. © 2021 SPLUNK INC. Proficiency Value & Adoption User Maturity Rating
  • 49. © 2021 SPLUNK INC. Center of Excellence Current Version Org Score Elements ● Organization Maturity Score ● Business Impact ● Realized Value ● Proficiency ● Org-owned index average crit rating ● Splunk User Adoption ● Org-owned Data usage ● Per-User Search Maturity Score
  • 50. © 2021 SPLUNK INC. CoE - Proficiency & Adoption
  • 51. © 2021 SPLUNK INC. CoE - Value & Adoption
  • 52. © 2021 SPLUNK INC. CoE - Integrate to the Training
  • 53. © 2021 SPLUNK INC. CoE - Maturation Matrix (Maturity Model ⇒ Assessment Category)
    ● Splunk Proficiency
      ○ L1: Awareness and Ambition: Low. Lack of or few in-house Splunk experts; Low User Proficiency Score; None certified by Splunk
      ○ L2: Established and Measured: Medium. Few to several in-house Splunk experts; Moderate User Proficiency; Some certified by Splunk
      ○ L3: Optimized and Continuous Improvements: High. Many Splunk experts partnering with Splunk CoE; High User Proficiency
    ● Realized Value
      ○ L1: Low. Daily Ingest rate vs Search count; Low adoption rate (total unique Splunk users per month / FTE count by Director)
      ○ L2: Medium. Daily Ingest rate vs Search count; Moderate adoption rates
      ○ L3: High. Daily Ingest rate vs Search count; High adoption rates
    ● Business Impact
      ○ L1: Low to moderate reliance on Splunk; Type of data assets: SOX, PCI, CPNI etc. Federated data, Cybersecurity, Network data
      ○ L2: Moderate to high reliance; Business critical / moderate-high priority data assets
      ○ L3: High reliance on Splunk; Business critical / High priority data assets
    ● Recommended Actions by Importance & Urgency (based on team scores)
      ○ L1: Take advantage of On-Demand Training; Enhance User Adoption; Access Data / Insights that matter; Leverage Online Resources; Participate in User Forums
      ○ L2: Prioritize Advanced On-Demand Training; Develop Resident Experts; Contribute in User Forums; CoE Partnerships / Co-create Models; Consider Splunk Certification
      ○ L3: Prioritize Advanced On-Demand Training; Grow Partnerships / Co-create Models; Expand ML Use Cases and Studio; Share Expertise / Feedback to CoE; Support User Forums
  • 54. © 2021 SPLUNK INC. CoE - Maturation Matrix
  • 55. © 2021 SPLUNK INC. Here’s What You Need to Get Started ● HR Feed, embedded per-user management chain all the way to the top! ● Index Ownership establish index criticality ● Search Term weighting list ● Search Activity App data set: Can be assembled from elsewhere ○ Needs: actual search text and event/row scans, result scans, search exec times ● _introspection data set for service quality
  • 56. © 2021 SPLUNK INC. Contact Information John Isenhart Principal Engineer | T-Mobile john.isenhart1@t-mobile.com Robert Hout Senior Solutions Engineer | Splunk rhout@splunk.com
  • 57. © 2021 SPLUNK INC. Thank You. Please provide feedback via the SESSION SURVEY
  • 58. © 2021 SPLUNK INC. Recap: SOAR sessions Han Lievens Splunk
  • 59. © 2019 SPLUNK INC. Best of .conf21 - SOAR Han Lievens, Senior Consulting Security Engineer 11/3/2021
  • 60. © 2019 SPLUNK INC. SOAR Much? • Phantom is now Splunk SOAR • 32 sessions! • Not just Security – IT Ops too • More cloud-based use cases • Tighter integration with Risk Based Alerting and Response
  • 61. © 2019 SPLUNK INC. Use Cases
    ● Case Management: SEC1194A, SEC1590C, SEC1166C, SEC1508A
    ● SOC Automation: SEC1301C, TRU1636B, SEC1166C, SEC1745C
    ● Risk-Based Response: SEC1440A, SEC1162A, SEC1163A, SEC1546A
    ● IT Ops: ITO1185B, PLA1129C, ITO1391B, ITO1254B
    ● Mobile: PLA1314A, PLA1277B, PLA1468A, ITO1254B
  • 62. © 2019 SPLUNK INC. Tackling Account Management Within the Cloud (AWS, Azure and GCP) with Splunk SOAR SEC1528C
  • 64. © 2019 SPLUNK INC. Augmented Case Management with Risk Based Analytics and Splunk SOAR SEC1590C
  • 66. © 2019 SPLUNK INC. Honorable Mention: DoH or DoH Not, There is no Try. SEC1495C
  • 67. © 2019 SPLUNK INC. What’s SOARing?
    ● Splunk SOAR can now be a SaaS solution!
      ○ Faster time to value
      ○ Simplified operational overhead
      ○ Increase security agility without sacrificing performance
    ● Have you seen the new Visual Playbook Editor in v. 5.0?
      ○ Vertical UI, wider blocks for descriptions, labels and filters
      ○ UI-based config options for playbook APIs
      ○ Input and output parameters supporting modular playbook design
    ● Mission Control SOAR integration coming early next year!
  • 68. Thank You © 2019 SPLUNK INC.
  • 69. © 2021 SPLUNK INC. Workforce Analytics Ray Clearwater Sr. Solutions Engineer | Splunk To Improve End-User Experience and Performance ITO1150C
  • 71. © 2021 SPLUNK INC. Ray Clearwater Sr. Solutions Engineer | Splunk Portland, Oregon
  • 72. © 2021 SPLUNK INC. ● Splunk Strategic Accounts - Pacific Northwest ● Lives near Portland, Oregon ● US Navy Veteran - Joint Task Force Operations Iraq-Kuwait ● Sun Labs Alumni ● Technology Evangelist on Digital Workspace and End User Computing Strategies (over 100 speaking engagements) Sr. Solutions Engineer Ray Clearwater
  • 73. © 2021 SPLUNK INC. Agenda 1) Introduction - Workforce Analytics: A Data-Centric Workspace 2) User Experience: Engage The Workforce 3) Digital Workspace Technologies: Protocols, Apps, Infrastructure and Humans 4) Data as the Enabler: Gather, Correlate, Analyze 5) Experience Scoring: The Proactive Approach
  • 74. © 2021 SPLUNK INC. What is Workforce Analytics? A proactive data strategy that provides a comprehensive view of your organization's technology consumers designed to interpret historic trends and create predictive models that lead to insights and better decisions in the future.
  • 75. © 2021 SPLUNK INC. Workforce Analytics is about making sure organizations have the ability to work efficiently.
  • 76. © 2021 SPLUNK INC. Why Workforce Analytics? 36% of respondents working from home state that their internet connection is slower than in the office. statista 2021 Globally only 20% of employees are engaged at work. Gallup 2021 A data-centric approach to improving user experience
  • 77. © 2021 SPLUNK INC. What Happens if We Don’t?
    ● Employee turnover: “In the aftermath of 2020, employee quit rates are reaching record highs… 74% are either actively looking for new employment or watching for openings.” https://www.gallup.com/workplace/352949/employee-engagement-holds-steady-first-half-2021.aspx
    ● Employee disengaged: “Disengaged workers have a 60% higher rate of general errors. And disengagement costs the U.S. economy $550 billion per year.” https://resources.achievers.com/resources/the-true-cost-of-employee-disengagement
    ● Productivity loss: “Workers report losing an average of 22 minutes per workday due to issues related to technology” https://www.prnewswire.com/news-releases/wasted-workday-employees-lose-over-two-weeks-each-year-due-to-it-related-issues-300239058.html
  • 78. © 2021 SPLUNK INC. As organizations blur the lines between in-house and consumer applications, we should treat employees like customers.
  • 79. © 2021 SPLUNK INC. When the Workforce is Engaged...
    ● Financial Success: 2x “...for companies who know how to build a positive work culture
    ● Shareholder Return: 5x ...engaged companies have five times higher shareholder returns over five years
    ● Employee Turnover: 59% less. 41 percent lower absentee rates, and between 25 and 59 percent less turnover
    ● Safety Issues: 70% fewer employee safety incidents
    ● Defects: 40% less. Higher quality products with 28% less shrinkage
    Sources: https://www.achievers.com/blog/6-mind-blowing-stats-employee-engagement/ https://www.business2community.com/strategy/roi-employee-engagement-7-stats-need-know-01573138#aScHbZZd3b8ktyY5.97
  • 80. © 2021 SPLUNK INC. Large Fintech ● 80,000 virtual desktops + physical end-clients for ~65,000 employees ● Three FULL data centers ● Logons took 5-10 minutes ● Supporting technology 8-10 years old ● Entire company had negative perception of Desktop Operations ● MANY workarounds in place, constant shift Chasing their tails
  • 81. © 2021 SPLUNK INC. Large FinTech ● $9B Revenue ● 10% Missed orders due to operational latencies ● 5% Loss of income due to missed opportunities ● $45M Potential income loss “How much is lack of visibility and action costing your business?”
  • 82. © 2021 SPLUNK INC. What we Did... ● SplunkApp UA Agent ● Splunk Universal Forwarder ● Tested and proven in lab first ● Deployed to sample group, then to 5k traders, admins and operations staff
  • 83. © 2021 SPLUNK INC. What Did we Learn? ● IT Operations created false baseline ● “Heisenbug-like” scenario with Nagios acting as observer ● Finger-pointing at OS and application vendors was slow and painful ● Top-down visibility was key to sifting through egos – Dashboards beat spreadsheets EVERY time ● Modern technologies increase density and reduce latency ● Reduce to one data center capacity – Facilities savings alone would pay for modernization
  • 84. © 2021 SPLUNK INC. All things Considered What does good look like? ● End-to-end visibility ● What’s the trend? ● Need to know downstream effect ● Ever-changing Are all problems equal? ● What to prioritize? ● When to take action? ● How much detail do I have? ● Recognition vs. resolution ● Who owns the resolution? Are all user experiences equal? ● Internal/external ● Who and how many ● High-risk/exposure Questions we need to ask
  • 85. © 2021 SPLUNK INC. The Digital Workspace Elements and process • Complex - this isn’t easy and is seldom changed once working • Competitive - Vendors compete for lock-in based on proprietary protocols • Cloudy - Cloud not for every workspace [Diagram labels: Display protocols, Network, App delivery, Load Balancer, User/Profile data, Image management, Devices, Browser, Agents, GPU MONSTER!!!]
  • 86. Supporting Technologies
      Display Protocols
          ● Citrix HDX
          ● VMware Blast
          ● Teradici PCoIP
          ● Microsoft RDP and RemoteFX
          ● GPU
          ● Browser type
          ● End-client
          ● Industry specific
      Networks
          ● Local Area Network (LAN)
          ● Wireless Local Area Network (WLAN)
          ● Campus Area Network (CAN)
          ● Metropolitan Area Network (MAN)
          ● Wide Area Network (WAN)
          ● Storage-Area Network (SAN)
      App Delivery
          ● Citrix App Layering (XenApp)
          ● VMware ThinApp
          ● VMware App Volumes
          ● Application virtualization
          ● Application layering
          ● Application streaming
      User Data
          ● Local
          ● Application specific
          ● Preferences
          ● Profiles
          ● History
          ● Recovery
          ● Infrastructure
          ● 80/20 rule
      “Oh yeah...and make it secure”
  • 87. What’s Broken?
      [Diagram labels: Browser Session Broker Client Devices Network Cloud Geopolitical Staff Apps and Services]
      Latency is the #1 symptom of an underlying or developing problem.
      One of the biggest blind spots in troubleshooting user experience is the lack of correlation.
  • 88. Data Improves the Experience
      Correlate Resources: Where is the problem?
          ● Applications
          ● Microservices
          ● Multi-cloud
          ● Sessions
          ● Infrastructure
      Gather Metrics: Do I have a problem?
          ● Startup/shutdown
          ● Logon
          ● Session
          ● Capacity
          ● Inventory
          ● I/O
      Analyze Logs: Why did it occur?
          ● Session broker
          ● Application error
          ● End-client
          ● Network outage
          ● App/OS upgrade
          ● License violation
      The what, where and why
  • 89. User Experience Scoring
      ● Calculate and visualize experience scores for the entire EUC ecosystem
      ● Drill-down data by category and component
      ● Highlight trends on resources where potential issues are originating from
  • 90. Let’s drill in: Machine Score Trending Down
      ● Machine score: quality indicator for machine performance and health
      ● User session score: quality indicator for user session performance and health
      ● Application score: quality indicator for application performance and health
  • 91. Each category is calculated by different components.
  • 92. Let’s check the Stop Errors (Blue Screen & Power Loss) dashboard. We see the machines or end-clients experiencing the stop errors.
  • 93. A Proactive Approach to Operational Intelligence for the Digital Workforce
      ● Tells you everything relevant to user experience
      ● Helps you identify trends that otherwise would have gone unnoticed
      ● Simplifies troubleshooting by showing you what you need to know in one place
      ● Monitors which applications are used when
      ● Makes help desk and IT operations more effective
      ● Increases employee engagement
      ● Data correlation is key to performance at scale
      ● Enriches data vital for information security
  • 94. Thank You
      To the team at Vast Limits & uberAgent
      Thank you to:
      ● Eric Merkel for encouraging me to host this session
      ● Amanda Richardson for blocking and tackling while I put this together
  • 95. Miss us already? Next user group meeting is January 12, 11am PST
  • 96. Thank You