120 users and prospects came together Thursday morning, January 28th, to attend the first Splunklive of 2010. The event was held at the Cambridge Marriott in Kendall Square, where a major university and a major financial services firm presented on how they are using Splunk to better manage their IT infrastructures. Attendees came from the greater Boston area, Maine, Connecticut, and elsewhere in Massachusetts on a day when it was cold enough to walk across the Charles River.
The event kicked off with a short overview of Splunk: a presentation followed by a product demo.
The first customer presentation was given by Jim Donn, Network Management Systems Engineer, and Tim Hartmann, Unix Systems Administrator. They requested that their university remain unnamed, so I’ll refer to it as “Major U” (consistently ranked among the best colleges and universities in the country and world). Both the networking and systems management groups were looking for solutions that would provide centralized logging for troubleshooting, alerting, reporting and trending analysis. Tim and Jim had started their research independently but soon converged on a single answer: Splunk. Their Splunk deployment environment consists of: 400 Unix, Windows, and other servers; 3000+ Cisco devices; TACACS+ authentication logs; VPN access logs; 47 staffers with Splunk logins; and 25 regular Splunk users.
Tim and Jim reported on the quick success they achieved with Splunk. “Everyone in our org, as soon as they start using Splunk they won’t stop.” A major focus for them was on trending analysis. Before Splunk, they would trend a single server or component. Now, with Splunk, they are able to do trending for an entire service. “We didn’t have that top-down view before.” The value of trending with Splunk came up in customer presentations and in the impromptu conversations with users during breaks and lunch. They highly recommended to the audience the free Splunk for *nix and Splunk for Windows apps, which are included in Splunk.
One of the unexpected paybacks from implementing Splunk is that they were able to decommission two sizeable Oracle RDBMS servers and repurpose the hardware. They had been using two sizeable HP boxes with Oracle licenses to store event data from their SMARTS devices. The value of the repurposed hardware, together with the avoided cost of buying Oracle reporting software, was in the ballpark of their entire Splunk license. In addition, the database guys no longer had to support and maintain the Oracle databases, and the users had far better access to the event data for analysis, trending and troubleshooting.
Their migration to Splunk 4 went smoothly and provided them with major performance improvements (as promised by Splunk’s marketing claims!). They’ve encouraged different users and groups at Major U to send them all their logs. “Users didn’t think we could handle it, but we’ve proven we can handle everything they send us.” That’s true not just for data volumes but for data types as well. “Anything that spits out text we can get into Splunk.” Major U has plans for expanding Splunk in their organization: more uses, more data, audit and elsewhere. “We keep finding more and more use cases for Splunk.”
After the presentations, an open Q&A was held. Attendees were encouraged to ask any questions of a panel of speakers, other customers, and Splunk attendees. Godfrey Sullivan, Splunk’s president & CEO, attended the Splunklive event and answered a variety of questions about our business, customer use cases and very large customer deployments.