SplunkLive Norway Recap: Telenor and Splunk for Security

So as I said, things are really moving and shaking for Splunk EMEA. In addition to last week’s win of Best Integrated Security Solution, we also hosted SplunkLive Norway in Oslo last week. Henrik Strøm, Security Architect for Telenor, presented how Splunk can help Telenor’s IT Operations become more proactive and do in minutes what used to take hours.

The Telenor Group is a leading global provider of telecommunications services. The company serves 164 million subscribers, representing a strong footprint in Central and Eastern Europe and Asia. As one can imagine, 164 million subscribers generate a lot of data. In Norway alone they manage thousands of servers and routers spanning many different data centers. In short, they are heavily reliant on IT.

“We have a lot of data, a lot of tools, many groups of people, and too little communication between groups,” Henrik said. “This makes it difficult to investigate incidents as no one person or department holds the keys to all of the data needed to conduct a proper analysis.”


Telenor required greater visibility into their IT data silos, but needed the ability to control who could see what. After evaluating several log management vendors, they settled on Splunk because it was open, easy to integrate into existing systems, scalable, and delivered as software rather than as an appliance-based solution.

“Splunk helps us consolidate our tools. It’s scalable and very open so it can integrate to existing and in-house tools where necessary. Better yet, Splunk makes the data we capture in logs available to less technical staff who might not otherwise know what is relevant or where to look for it.”

Splunk in Action:

Most users monitor and troubleshoot issues incredibly fast with Splunk – and Telenor is no different. The dashboards and ability to do ad-hoc reporting are key features they rely on, and today Telenor uses Splunk for network monitoring and troubleshooting situations. But Henrik was further excited about his ability to put the power of Splunk into the hands of lower-level users.

For instance, he used Splunk to diagnose a kernel error on systems he did not have intimate knowledge of, while having a particular system expert diagnose the problem manually without Splunk. Both found the problem in minutes, but the system expert had full access to the servers, had worked on the systems over several months and knew exactly where to look. Henrik, on the other hand, did not require access to the systems to find the problem and did not really know what to look for. Opening up the ability to do basic problem solving at lower levels, and sharing controlled access more broadly, will provide Telenor with a big productivity advantage.

The empowerment theme carries over to dashboards and ad-hoc reporting as well. Telenor is using Splunk’s saved search and alerting features to easily construct dashboards covering any number of items—failed logins, firewall traffic by port, specific user activities—whatever is important to their organization at a given time.

Henrik has used Splunk to map and understand what is normal for a given environment. Just understanding what’s typical helps Telenor to build smarter alerts and manage their systems in a proactive manner: when something spikes up or an unfamiliar pattern appears, analysts can dig in … before a potential failure occurs.

“Today’s monitoring tools just tell you when something isn’t working. With Splunk we can examine historical data, and watch trends to pick up on warning signs before an outage occurs,” Henrik said.

Thanks Henrik! We look forward to helping your continued success—and we’ll keep the rest of you posted as Telenor develops new and exciting ways to apply Splunk to their IT environment.

Thanks for reading. If you’re using Splunk for something cool—let us know!



Posted by Erin Sweeney