your123 -

Splunk Enterprise users push more data into DevSecOps

Splunk shops are expanding their collection of log and observability data to offer developer self-service, correlate ops with security alerts and consolidate edge management.

Splunk Enterprise customers are gathering more data to speed up responses from DevSecOps teams, as IT environments expand to encompass edge, cloud and on-premises locations, and lines blur between IT specialties.

Companies such as Papa John's International and GE Digital were on hand to discuss their expanded use of Splunk's log monitoring, security monitoring and observability tools at the Splunk .conf22 hybrid event this week. Papa John's, for example, has expanded its use of Splunk Enterprise over the last three years as it grew to more than 3,200 store locations in the U.S. and Canada.

The move to Splunk also coincided with a shift to e-commerce for the company, which now does more than 90% of its sales through its website and mobile app, said Sarika Attal, vice president of enterprise architecture and technology services at Papa John's, during a conference session presentation.

"If our website is slow, or there's latency over three seconds, we know customers will abandon it and go somewhere else," Attal said. "We had to invest in something that was a little more real-time."

The company chose Splunk because it could accommodate massive amounts of data without doing data sampling, a statistical analysis technique that examines a subset of data rather than the entire data set.

"Sampling is not good anymore," Attal said during the presentation. "An example of that is with voice analytics -- [we can't be] looking at a few calls per month and deriving our customer sentiment score on order accuracy or their experience. We have to look at the entire data set with machine learning."

Mangesh Pimpalkhare, Sarika Attal and Willie James on stage at Splunk .conf22
From left: Mangesh Pimpalkhare, vice president of product management at Splunk, presents at Splunk .conf22 with Papa John's Sarika Attal, vice president of enterprise architecture and technology services, and Willie James, director of resiliency services.

Papa John's used its increased data gathering at stores -- with the aid of Splunk's workload pricing reduction, introduced last year -- to make its help desk more responsive.

"Once we were able to get Splunk out there, we were able to help immediately with an issue that was going on with our closing process," said Willie James, director of resiliency services at Papa John's, in the .conf22 presentation.

A pattern had developed during store closings: If a point-of-sale system wasn't working during shutdown procedures, managers would leave it, hindering the opening process the next day and prompting a call to the company's centralized help desk. From there, fixing the issue could delay store openings for 30 to 45 minutes.

"With Splunk, we're able to create alerts and set up notifications that went to our help desk, and they were able to fix this as soon as they were finding them, before the store manager comes in," James said.

There's also evidence that the data expansion trend extends beyond a few poster children within Splunk's customer base. According to Splunk's fiscal first quarter earnings report on May 25, its cloud net retention rate -- a measure of whether SaaS customers sustain their spending over time -- was 130%.

That means a statistically significant number of customers are not just continuing their Splunk Cloud subscriptions, but increasing how much they spend. Overall, Splunk is still operating at a net loss following a year of upheavals, but its revenue also grew accordingly -- overall revenues were up 34% compared with the same quarter a year ago, to $674 million, and cloud revenues increased by 66% to $323 million year over year.

Splunk Enterprise 9.0 consolidates DevSecOps data management

Splunk customer testimonials this week coincided with the release of Splunk Enterprise 9.0, which expanded management features from data migration and ingest routing to federated search in a bid to unify access to data among disparate locations, teams and workloads -- most notably between observability and security disciplines.

First introduced last July, federated search supports searches across both on-premises and cloud-based data sets, including the ability to search from a cloud deployment to on-premises, which wasn't supported in the tool's initial versions. This week, federated search also added new support for searching data within Amazon S3 buckets, with more search support for data sets stored outside the Splunk platform planned in future releases.

Meanwhile, GE Digital also spoke at .conf22 as a company that has made the leap from separate security and observability tool sets to a unified Splunk DevSecOps platform.

"In many cases, the data overlaps for both use cases, and it's simply a matter of how you intend to investigate the data," said David Rutstein, principal security analyst at the industrial IoT software maker in San Ramon, Calif., during an online Q&A this week. "We use both IT Service Intelligence and Enterprise Security for the data, and [Splunk's Common Information Model] helps us drive the standardization for all the data we ingest so we can use standard correlation searches in both apps."

When you talk about an incident in the early stages, it's difficult to say whether it's a security incident or an operational outage. Having the shared data set helps us understand the impact and root cause analysis faster.
Sarika AttalVice president of enterprise architecture and technology services, Papa John's International

With the new platform release, which includes a reworked catalog of third-party extensions in the Splunkbase product, Rutstein said he was looking forward to an updated GitHub App for Splunk. Its latest release in March added new dashboards and support for detailed GitHub workflow analysis.

"Being able to view the overall process through our toolchain and centralizing the data gives us a holistic view of this development, not just the individual parts working disparately, [and] gives us the opportunity to automate reporting ... into a centralized system," Rutstein said in a .conf22 presentation. "And that means that developers are seeing the same information that the other teams are also viewing."

Papa John's intends to follow suit, Attal said in a keynote presentation.

"When you talk about an incident in the early stages, it's difficult to say whether it's a security incident or an operational outage," she said. "Having the shared data set helps us understand the impact and root cause analysis faster."

Log onboarding puts data in developers' hands

Continuing the theme of absorbing more data from disparate sources, Splunk Enterprise 9.0 includes a new Data Manager feature to centralize and automate log onboarding from AWS and Azure sources, with Google Cloud support planned. A new feature called Ingest Actions automatically routes data within the Splunk platform and AWS to keep it organized for collaborative use among teams.

Splunk also expanded integrations between its products with this week's updates: Splunk Observability Cloud users can now connect Splunk Enterprise platform log data with observability tools through a new tool called Log Observer Connect.

Finally, Splunk previewed Splunk Cloud Developer Edition (SCDE), which automatically generates Splunk test beds for developers to write and test applications against, furthering another trend in DevSecOps focused on improving the developer experience.

"We are shifting a ton of our apps from on-prem to cloud, and we have a massive amount of onboarding requests to get [developers'] cloud-based app logs into Splunk -- about 40 onboarding requests per two-week sprint," said Steve Koelpin, lead Splunk engineer for a Fortune 1000 company in the Midwest.

Koelpin's team has designed its own self-service developer onboarding system to accommodate these requests, but SCDE could offer a more scalable standard interface to expand that system into more environments, he said.

However, Splunk Data Manager is unlikely to replace that internal system's back end, Koelpin said, because it doesn't yet support the custom data source types his company uses. A major part of that internal system uses Cribl as a kind of log ingest load balancer and gateway, and a pull request process where Splunk engineers review developer onboarding requests to ensure they follow internal data standards, including for custom source types.

"Data Manager is a wise attempt by Splunk, but not good enough for mature companies to realize value from it," Koelpin said. "A UI for the data onboarding process has been something that has been missing for a while, [but] there's an established standard on how to onboard data, and 'in the wild,' it's commonplace for developers and engineers to deviate away from this standard."

Enforcing standards is good in an ideal world, but might not be worth the effort depending on the amount of tech debt it would require eliminating, Koelpin said.

"You either have a huge effort to bring everything back to that standard or don't use it at all," he said. "The real question: Is the juice worth the squeeze? There may be years of tech debt having to be upended to fit that standard."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Next Steps

Splunk .conf22 focuses on scaling observability for the cloud

Cisco makes big splash with Splunk

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center