
What to Expect When You’re Expecting a Splunk Consultant

I’ve worked with several dozen Splunk customers in a variety of businesses, at scales from a single-VM proof-of-concept to hundreds of terabytes a day, and while we try to cover a lot of what I’m going to talk about in a kickoff call before your consultant shows up, these are good things to have in mind.


This is the single biggest pain point I see in the field on Day One: how do I access your environment?  Is it managed by your company, or is it in Splunk Cloud?  If this is not worked out ahead of time, it’s common to lose hours waiting to get a VPN account set up or find and configure a loaner laptop.  Sometimes this is unavoidable, but if at all possible, get as much of this approved and completed as you can.  In my experience, when a consultant is coming onsite, using a loaner machine, if feasible, tends to work smoothly.

Consider what permissions are necessary to do the work and what is acceptable in your organization.  For example, a Splunk installation or upgrade will require root access – do your policies allow a Splunk consultant to have that?  If not, does your consultant’s contact during the engagement have the necessary permissions, or do you need to arrange some time with someone on your server administration team?  The same goes for Admin access in the Splunk UI, or access to your Splunk Cloud account.

Last but not least, do you know your Splunk admin account password?  You need it to perform a lot of important functions in Splunk, and work can stall out if you do not know or have access to those credentials.

Help From Others

If part of your Splunk PS engagement is integrating with other systems, such as setting up DBConnect against one of your databases, gathering data from AWS or Microsoft Cloud Services, or sending alerts to a ticketing system’s API, we will need to work with administrators on other teams.  Be sure to set up time with those resources during the engagement.

Phone Numbers

If your Splunk consultant is coming onsite, be sure to provide phone numbers for two people they can contact if they are unable to access your office or miss a subway stop on the way in.

Plan B for the Splunk Consultant

Make a plan for what to do if you are unexpectedly unable to work with your Splunk consultant during the engagement.  Many of my customers are not full-time Splunk gurus. If it happens that you were up all night addressing a SAN crash, or you’re called away to a surprise day-long offsite meeting, or you get the flu midweek, is there someone else who can answer questions if they come up?

Stretch Goals

We might finish early or find ourselves unable to start on something we expected to do.  It’s good to have a few extra things in mind to tackle during that “general consulting” time, so put together a list of things you’d like to learn about or fix.  Maybe it’s a dashboard you want to perform better, or you want to learn how to create an alert, or you’d like us to teach a developer team how to Splunk their application logs.  We want you to get your money’s worth.

About Aditum

Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.

Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments; environment upgrades and scaling; dashboard, search, and report creation; and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers who focus on building Splunk apps and technical add-ons.

Contact us directly to learn more.

Chris Selvig