Drive your Business in Real-Time with Splunk – Part 1

Why would you use Splunk to drive your Business in Real-Time?

Because Splunk brings you flexibility and reactivity.

Companies constantly look to build agile and flexible IT to support their evolving businesses; this is why they built micro-services and Service Oriented Architecture (SOA). Splunk brings the same flexibility to the data level, so you can measure and drive your business performance.

We use the term flexibility not only because it is easy to capture all the required data but, first and foremost, because iteration is key when you build Key Performance Indicators (KPIs). KPIs start out as the things business analysts think would be nice to measure, but they always end up changing several times. You need to iterate quickly, and you don't want to have to say no to the business because a change is too complex to implement.

Reactivity is key for all of us. The more reactive you are, the less time you allow for your business to slow down or for your customers to get disappointed. You need to get the information rapidly so you can still take action before it's too late. Gatwick runs the airport smoothly because it can anticipate passenger traffic by analyzing the data. Domino's Pizza launches targeted promotional campaigns to boost sales based on real-time data on what's selling well. Dunkin' Donuts sends coupons to customers when it thinks they are likely to buy extra donuts. They all build their decisions on data, and they all use Splunk to do it. If they don't react as quickly as possible, they lose customers and they lose revenue.

So, how can I simply drive my business in real-time?

This is a Splunk use case and, like every Splunk use case, the first question is: where is the data?! Business runs on applications, but the best (and easiest) way to collect the data is centrally rather than from each application individually. That means from the Enterprise Service Bus (ESB). The ESB is a middleware that concentrates all the application exchanges and handles tasks such as message routing, message validation and message transformation.

"Wow, sounds good, only one single place to monitor your business! How is that possible?" The magic is actually not the single place at all; the magic is that you can do all this without changing anything in your ESB and without being intrusive at all. You just use Stream.

"Stream?!" Stream lets you collect all the information directly from the HTTP(S) traffic: the technical metadata but, most importantly, the payload. The payload is the business data. Because we capture the whole payload and keep it within Splunk, you can iterate and easily answer any business need, both the current ones and the future ones.

Unlike traditional Business Activity Monitoring solutions, where you need to set up the collection, the database that will receive the data, the normalization of that data and then the dashboards, Splunk leverages the raw data from the network. There is no need to normalize it, and you can immediately build your KPIs.

The data will appear within Splunk in JSON format:


As you can see, we capture src_content and dest_content, which are the service request and response. Together they form the business transaction.

Splunk extracts all the JSON fields, and also the XML tags inside the source and destination content, so you can immediately pivot on your data and build your KPIs: revenue evolution, revenue distribution, etc.
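As an added example that is not from the original post or from Splunk, here is the kind of processing the payload capture enables: a handful of constructed Stream-style events carrying XML booking requests and responses in src_content and dest_content are turned into a revenue-per-hotel KPI, while truncated or declined transactions are counted separately instead of being silently dropped. Only the src_content and dest_content field names come from the post; the status field, the XML booking format and the sample values are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed Stream-style HTTP events (not real captures). Only the
# src_content / dest_content field names come from the post; "status"
# and the XML booking payload shape are assumptions for illustration.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"status": 200,
     "src_content": "<booking><hotel>Grand</hotel><amount>240.00</amount></booking>",
     "dest_content": "<response><code>OK</code><id>B-1</id></response>"},
    {"status": 200,
     "src_content": "<booking><hotel>Grand</hotel><amount>95.50</amount></booking>",
     "dest_content": "<response><code>OK</code><id>B-2</id></response>"},
    {"status": 200,
     "src_content": "<booking><hotel>Plaza</hotel><amount>180.00</amount></booking>",
     "dest_content": "<response><code>DECLINED</code></response>"},
    # A request body cut off mid-capture: the XML is not well-formed.
    {"status": 500,
     "src_content": "<booking><hotel>Plaza</hotel><amount>",
     "dest_content": "<response><code>ERROR</code></response>"},
]]

def xml_text(payload, tag):
    """Text of the first <tag> in an XML payload, or None if absent or malformed."""
    # The stdlib parser is fine for constructed input; payloads captured from
    # real traffic are untrusted and should be parsed with defusedxml instead.
    try:
        node = ET.fromstring(payload).find(f".//{tag}")
    except ET.ParseError:
        return None
    return node.text if node is not None else None

def revenue_by_hotel(raw_events):
    """Sum confirmed revenue per hotel and tally the events that cannot count."""
    # A booking counts only when the request carries <hotel> and <amount>
    # and the response <code> is OK. Returns (revenue, skipped) as dicts.
    revenue, skipped = Counter(), Counter()
    for line in raw_events:
        ev = json.loads(line)
        hotel = xml_text(ev.get("src_content", ""), "hotel")
        amount = xml_text(ev.get("src_content", ""), "amount")
        code = xml_text(ev.get("dest_content", ""), "code")
        if hotel is None or amount is None:
            skipped["unparseable_request"] += 1
        elif code != "OK":
            skipped["not_confirmed"] += 1
        else:
            revenue[hotel] += float(amount)
    return dict(revenue), dict(skipped)
```

The skipped counter is the part worth keeping an eye on in production: a rising unparseable_request count usually means the capture or the service itself is misbehaving, not that revenue dropped.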


In the next blog post, I will show you what kind of KPIs we can set up and illustrate this with a real use case: driving the business of a hotel booking website. I'll show you how they use Splunk to monitor the business, take action and measure the efficiency of those actions in real-time.

Posted by Romain Testu