The New Splunker Workshop

As a kid, I was a devoted fan of the New Yankee Workshop. I much admired Norm’s plaid shirts and planned some day to have my own workshop where I could build highboys and rocking chairs to my heart’s delight. Things didn’t quite pan out that way, but that doesn’t mean I’ve abandoned workshops altogether. I’ve just taken to a different kind of workshop.

Lately, what’s been on my mind is figuring out ways to guide users beyond keyword searches to a richer, more powerful experience with Splunk. In recent informal polls of several long-time users of Splunk, interactive search surfaced as the leading use case, with reporting and dashboarding trailing. When it comes to search, users seldom arrive at using tags, eventtypes, lookups, even search commands. Users who are able to get past field extractions are the ones who go on to do more exciting things.

How can we move basic users forward on the learning curve to become Splunk search experts or at least more Splunk savvy?

The Evolution of Splunk Users

When it comes to search, this is how I map the evolution of the Splunk user.

  • Crawler: Searches with keywords, booleans and wildcards.
  • Hunchback: Discovers basic search commands like stats and top through interaction with the UI.
  • Walker: Stumbles on fields and learns to extract them, may even uncover more elusive features like tags and eventtypes.
  • Runner: Graduates to transactions, lookups, geolocating events and downloading apps.
  • Hunter: Advanced user building sophisticated searches to answer more complex/valuable questions.

It seems many users get stuck somewhere between/before Hunchback and Walker.

Don’t Be a Hunchback

As a Splunk Admin or Owner, you probably couldn’t care less about posture with the little time you have to field the constant stream of questions from your user base. Not that you don’t want to help, but your plate is full configuring new data sources, scaling the indexing cluster or installing apps. Splunk does offer courses for end users, mainly Using Splunk and Searching and Reporting. Yet, how do you inform users about these courses, give them enough experience to get the most out of class, and keep them moving forward even after being educated?

Workshops! Also known as brown bag sessions or lunch & learns. They are meant to be short, informal how-to sessions. They are not meant to replace Splunk Education, but to complement it. But let’s also be real. You’re busy. You barely have time to learn more Splunk, much less help others learn more Splunk.

What I am presenting is a blueprint for hosting your own workshops with minimal setup. This is designed so you can spend less time helping individual users by killing several users… um, birds with one stone.  They have proven to be an effective and fun way to get new users going with Splunk and take existing users to the next stage.  By reaching out to the masses, you can start to foster local experts who can help themselves and pull others along.

If you haven’t identified experts among all the teams and departments you support, these workshops are also a way to gauge individual interest and help the cream rise to the top.  Pretty soon, you will have a squad of Splunk experts by your side answering questions and helping their teammates.

The Getting Started Workshop

The first in a series of sessions we have co-hosted is the Getting Started with Splunk Workshop.  A scant few hours of work will take you a long way.  Here’s the recipe and notes on what has worked well so you can avoid some of the mistakes we’ve made which cost time.

  1. Pick a date (5 minutes)
  2. Two Weeks Before
    • Decide on the topic (10 minutes)
    • Decide who to invite (10 minutes)
      In my experience, groups of 6-12 people work well.  A smaller group allows everyone the opportunity to speak up, and keeps the event interactive and lively.  If there’s enough demand, consider hosting multiple workshops so users have the option to sign up for different time slots.
    • Decide on the props (5 minutes)
      Do you need a party zone balloon?  How about a whiteboard?
    • Book a conference room (15 minutes)
      Ensure the room is large enough.  Does it have windows? Check the projector is working from your laptop and you have the right video adapter for your laptop.  Make sure you can locate the conference room.  Is Splunk accessible from the conference room?
    • Send calendar invites (5 minutes)
  3. One Week Before
    • Arrange for munchies (15 minutes)
      Everyone can appreciate donuts/coffee for breakfast, lunch, or snacks in the afternoon.  Or keep it simple and have people bring their lunches, but food always gives people an incentive to attend.
    • Work on the slide deck (1 hour)
      Tailor it to fit your audience and environment.  Get Started With Splunk (a PowerPoint template) is provided to get you going with a workshop which runs 45 minutes to 1 hour.
  4. One to Three Days Before
    • Send calendar reminders (1 minute)
    • Finalize slide deck (15 minutes)
    • Do a dry run (1 hour)
      Do this with someone who can provide constructive feedback, especially if you are not accustomed to speaking in front of an audience, no matter how small or familiar the members are to you.
    • Iron your tie (5 minutes)

Presenting Ricky Yetter, the superstar Splunk Admin at Apollo Group, leading 4 well-attended workshops back to back!


As always, there’s no need to go it alone or pull ideas out of thin air.  Some options to make life easier:

  • Contact your Splunk account team
    Your Sales Engineer will be delighted to collaborate with you, and perhaps your Account Manager will bring t-shirts, stickers and mugs to give away.  They can also attend in person for general back-up or Q&A.
  • Consult your Splunk
    The Scheduler Activity dashboard in SplunkWeb shows who is using Splunk and what kinds of searches are being run. Survey this data for who to invite and topics to cover.  For example, if you notice the trend is to use only simple searches, introduce some search commands.  Or if you notice many of your users are already building cool searches, cover lookups, tags, eventtypes, dashboards, apps instead.
  • Ask the Users
    You have probably built a good store of questions which have been posed to you.  Dig into the past to see where users are struggling.
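
One way to run the survey described under "Consult your Splunk", as an added example that is not part of the original post: this Python sketch sorts each user's search strings into the stages from "The Evolution of Splunk Users". The sample searches and the lookup name are constructed, and the command-to-stage mapping and the Hunter threshold are assumptions drawn from the stage descriptions; in practice the (user, search) pairs would come from an export of your own search activity.

```python
import re
from collections import defaultdict

# Stage names are the post's; the command-to-stage mapping is an assumption
# drawn from the stage descriptions, not a Splunk-defined classification.
STAGES = ["Crawler", "Hunchback", "Walker", "Runner", "Hunter"]
COMMAND_STAGE = {"stats": 1, "top": 1, "rex": 2, "extract": 2,
                 "transaction": 3, "lookup": 3, "iplocation": 3}

def commands(search):
    """Command names after each pipe; pipes inside quoted strings are ignored."""
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', search)
    return [seg.split()[0].lower() for seg in unquoted.split("|")[1:] if seg.strip()]

def stage_of(search):
    """Index into STAGES for a single search string."""
    cmds = commands(search)
    # Any piped command counts as at least Hunchback (assumption).
    level = max((COMMAND_STAGE.get(c, 1) for c in cmds), default=0)
    # tag= or eventtype= anywhere in the search counts as Walker.
    if re.search(r"\b(?:tag|eventtype)\s*=", search):
        level = max(level, 2)
    # Assumed Hunter threshold: a Runner-level command in a pipeline of 4+ commands.
    if level == 3 and len(cmds) >= 4:
        level = 4
    return level

def survey(rows):
    """Map each user to the highest stage seen across all of their searches."""
    best = defaultdict(int)
    for user, search in rows:
        best[user] = max(best[user], stage_of(search))
    return {user: STAGES[level] for user, level in best.items()}

SAMPLE = [  # constructed (user, search) pairs
    ("alice", 'error OR fail* host=web01'),
    ("alice", 'sourcetype=access_combined "GET /cart | checkout"'),
    ("bob", 'sourcetype=access_combined | top limit=5 uri'),
    ("carol", 'eventtype=failed_login | stats count by user'),
    ("dave", 'sourcetype=access_combined | transaction clientip maxpause=5m'),
    ("erin", 'sourcetype=access_combined | iplocation clientip '
             '| lookup users_lookup uid OUTPUT dept '
             '| stats count by Country dept | sort -count'),
]

if __name__ == "__main__":
    for user, stage in sorted(survey(SAMPLE).items()):
        print(f"{user:6} {stage}")
```

Users who land in Crawler or Hunchback are the audience for a getting-started session; a cluster of Runners suggests a more advanced topic.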

Workshops Galore

The New Splunker Workshop is the first in a series of workshops I am working on with customers in the Southwest. As we continue to build more, I will post them here. The next one we are working on is “How Not to Search”, reviewing common misconceptions and taking apart search.

Even if you’re not a New Yankee or don’t even like plaid, having your own Splunk workshop is simple and rewarding, and won’t leave you with splinters or sawdust in your hair. I promise. Don’t believe me? Try it and don’t forget to report back.

Vi Ly
