One of World’s Largest Financial Firms Presents at Splunklive Boston

The second presentation at the Boston Splunklive event on January 28th was an in-depth profile of a large-scale deployment in a financial services firm, anonymously described as “one of the world’s largest providers of financial services.” Paddy Griffin, Director of Technical Architecture, used his extensive history in the software industry to provide context to his firm’s plans with Splunk. Unlike other major IT projects at his firm, this Splunk-based initiative is being rolled out in record time, using an iterative approach, to show they can provide a continually enhanced log aggregation and search service as part of their “nimble infrastructure.”

Paddy started his presentation by unveiling the name of the overall initiative: LASSIE (yes, like the famous collie from TV). The acronym stands for Log Aggregation Service with Splunk Indexing and Exploration. A somewhat fitting name when you see the last slide (below) in his presentation.

Think of LASSIE as a service: a log aggregation and search service planned, deployed and managed by a central group; providing value to users around the company. Below you can see some of the various data sources going into LASSIE (Splunk). Paddy said “The ability to index any data without having to maintain and support a data schema is huge.”

Phase 1 of LASSIE focused on providing capabilities for indexing, searching, monitoring and reporting based on log files and changes. Phase 1 also implemented the core foundation for the service including the definition of roles and role-based access controls, and service policies.

As part of the role definitions and role-based access controls, Paddy integrated Splunk with Active directory. These roles are being used both to control information access and privileges on LASSIE (Splunk), and also to provide the views needed by the diverse users in various parts of their business. They are likely to take advantage of the Single Sign-on (SSO) support in the upcoming release of Splunk 4.1. His team also defined a role called “Curators”-people who are aligned with the various business groups (such as bond trading) and have primary responsibility for a business app or service. Curators define the data sources sent into Splunk and who within their business unit can access the data.

Over time LASSIE will need to scale. The approach they are taking is to scale “horizontally”-setting up separate Splunk indexers for each set of users/business groups. Splunk will also enable them to scale linearly, by using multiple Splunk indexers on commodity servers, and let users within a business group search across the indexers. Future plans call for them to enable distributed search, enabling authorized users to get a combined view from searching across the separate Splunk indexes set up across the business groups.

The attendees got useful insights in how to plan a major Splunk deployment in a very large enterprise. And one of the benefits for Paddy from the Splunklive Boston is that he was actually able to meet for the first time other people from his firm who are already using Splunk as well. “Splunk has gone viral in my company!”

Steve Sommer
Posted by

Steve Sommer