Razi Asaduddin presented on how ExxonMobil uses Splunk for various purposes including cyber security, network and application performance monitoring, and capacity planning. Some key points included how Splunk has allowed ExxonMobil to gain visibility and insights across data that was previously siloed, and how their use of Splunk has evolved from one-dimensional searches to multi-dimensional pivoting and visualization. Razi also shared best practices like starting with simple questions and gradually building complexity, as well as methods for policing Splunk usage within the organization.

1. Copyright © 2014 Splunk Inc.
July 15th, 2014
ExxonMobil Splunk
Razi Asaduddin
Cyber Security Advisor &
Splunk Shared Service Team Lead
July 15th, 2014

2. 2
About ExxonMobil Corp
2
• Pretty Big - Fortune 1-ish 
• ~50 Countries
• 80,000 Employees
• $32.5bn in earnings in 2013
• 2M Barrels per day
• 11.8bn cubic feet of natural gas

3. 3
About Me – Razi Asaduddin
Cyber Security Technical Advisor
– Monitoring, Process Design, Incident Handling, Threat
Assessment, Malware Reverse Engineering, Digital Forensics
Splunk Shared Service Team Lead
– Designed, Architected, Implemented, Coded, and
Administered Global Splunk Instance
– Responsible for Splunk service and strategy
– In-house consulting for prospective use cases
– Evangelizing, PoCs, modeling, and tool rationalization
Two-year Splunker and 2013 Revolution Award
nominee
• Contact: Razi.asaduddin@gmail.com

4. 4
Agenda
Why Splunk?
How we use Splunk
How we have evolved
Best practices
Future

5. 5
Why Splunk?
Extensibility
Speed
Late-binding Schema
Scalability

6. 6
Why Splunk?

7. 7
Before Splunk
Manual data
Lag Time
Visibility
Silos
Data knowledge

8. 8
How We Use Splunk
Cyber Security
Network
Performance
Application
Performance
Capacity PlanningCall Quality
Misconfiguration
Linux
Administration

9. 9
How We Use Splunk – Cyber Security
• Investigation and Incident Response
• Complex Correlation
• Proactive Alerting
• Auto-remediation 

10. 10
How We Use Splunk – Performance
• Reduce Data to:
– OS + Application + Server + DB + Network + Endpoint Performance
• 10,000 foot view & 1-foot view
• Pivot

11. 11
Thought Process
Gather Correlate Enrich
Visualize
Alert
Action

12. 12
Evolution
One-dimensional
Multi-dimensional
Pivoting
Visualizing
&
Base-lining

13. 13
Best Practices
Ask simple questions and build up
Double-check raw data
What data do we not have?
Splunk it!
Build a Splunk network
Alert on it or automate it
Policing

14. 14
Policing
I’ll just run this at midnight when no one else does 

15. 15
Policing
CPU & Memory Performance
Number of searches
Errors
Long searches
Wall of Shame

16. 16
Fun Stuff
Longest running search – 96 hrs
Longest search text – 80 lines
Magical Midnight – pitfall
Wall of Shame – 
Splunk in life

17. 17
Future
More Visualization - Turn raw events into this:

18. 18
Future
Then reduce:

19. 19
Questions?
Happy -ing!

20. Thank You