Use Case Explorer for Observability

The Explorer Map

The Explorer Map below provides a framework for your progress. Across the top are workflow stages (Observe, Engage, and Act), and below each are focal areas containing use cases and best-practice guidance to make your journey as easy as possible.

When the entire workflow is employed for a single component within a stack layer (for example a server, an application, or a database) it is expected that your MTTR will reduce dramatically for that component. When the entire workflow is employed for the full-stack of a service (for example an application and all of its supporting technologies) it is expected that you will realize less user, business, and mission disruption; higher availability; faster remediation of issues; and better utilization of your staff’s time.

Is this your first time using the Use Case Explorer for Observability?

► Click here to learn how to use it.

Learning how to use the Use Case Explorer is important to help you successfully get started and to get the most out of your Splunk Observability solution, as well as help you see incremental value when incorporating additional solutions. The Use Case Explorer is a set of defined capabilities, use cases, and best practices to help you to take a systematic approach toward improving visibility and response to incidents that have occurred, are occurring, and impending situations. Whether your goals are to reduce user and customer disruption for production services or making application release times faster, both can be achieved using the Use Case Explorer for Observability.   

The AIOps Workflow

Splunk's Use Case Explorer for Observability aligns to Gartner's industry-defined AIOps diagram that helps define your journey.  As you can see by the diagram, at the core are big data analytics and continuous insights, both primary Splunk strengths. On the outer ring, feeding and consuming the data, are the AIOps stages. The stages are: Observe. Collecting and analyzing data (metrics, logs, traces) about what is occurring in your environment and using it to detect, troubleshoot, improve, and optimize.  Engage. Centralizing events and alerts and further correlating them to identify the offending technology causing the issue, prioritizing the incident, and notifying the right team about the incident. Act. Performing root-cause diagnostics and remediating or auto-remediating a situation. Machine learning and artificial intelligence are incorporated throughout each of thee stages, and this is why this AIOps is different from prior generations of solutions that did not take a big data analytics approach and were more about manual processes.

How to Use the Use Case Explorer for Observability

To use the Use Case Explorer effectively, you'll need to implement and follow a Value Realization Cycle within your organization. Two tools within the Use Case Explorer will help you do this - the Explorer Map and the Use Case Registry.

The Value Realization Cycle

The Value Realization Cycle is a continuous process for identifying, implementing, and evaluating the value of new use cases that your business adopts.

In order to get maximum value out of your investment in Splunk Observability products, it's vital to intentionally put a Value Realization Cycle in place. We recommend that your organization establishes a use case planning session at least every other month to ideate and refresh new use cases to be deployed.

The Value Realization Cycle consist of a few different steps:

• Step 1 - Define a situation and goal. This can be a very targeted tactical challenge or a more expansive one. For example, you might aim to reduce MTTR of storage-related incidents, or start full-stack availability monitoring of your flagship web store.
• Step 2 - Identify and record use cases. There could be one or more use cases that help you improve the situation and achieve the goal you defined in step 1. For example, you may wish to configure discrete monitoring only for storage devices, or you may have separate use cases for storage, authentication services, application, user experience, database, and other technologies. Use the Explorer Map to help you identify use cases you can apply.
• Step 3 - Deploy use case(s) and document the value achieved. Use the Registry to help you track and document your progress. In Observability, sometimes just having visibility where you had blind spots before is of high value.

And then, repeat!

The Explorer Map

The Explorer map is a high-level planning guide to ensure you are targeting all areas of AIOps and Observability for your business or mission. You can see the map at the top of this page. Click into the map's workflow stages (Observe, Engage and Act), and then the focal areas within each. You'll find use cases and best-practice guidance within each of these focal areas which you can start to apply right away.

We recommend utilizing full-stack observability as a best-practice approach to adopting observability - monitoring the entire stack for a particular critical service. If your organization only monitors a particular layer of the stack, or if your organization has only automated one workflow stage, then your users and customers remain at risk of disruption and longer mean-times-to-repair, and your operational efficiency is not as fully optimized or scalable as it can be. 

You can track your progress in achieving use cases with the Use Case Registry.

The Use Case Registry

The Use Case Registry is a tool used to track the specific use cases to be deployed, along with the names of use case implementation owners and timelines for completion.

As well as running a regular use case planning session at least every other month, we recommend that you have weekly or bi-weekly team meetings focused on the Use Case Registry to checkpoint and track your progress in achieving the value you've identified from the use cases you choose to implement.

You can create the Use Case Registry in a spreadsheet or project management tool of your choice. Here is an example of a Use Case Registry you can use, or you can download this template file. You might want to add extra columns to these examples to track additional information such as status, prerequisites, or comments.

Workflow Stage	Category	Use Case	Product	Expected Value	Owner	Target Date	OnDemand Credits
Observe	Digital Experience	Monitor user response time	Synthetics	Understand the customer experience via SLI	Michelle Jackson	July 15
Observe	Application	Observe function call trace time	APM	Reduce MTTD	Michelle Jackson	July 20
Observe	Infrastructure	Monitor Kubernetes pods for pending state	Infrastructure Monitoring	Reduce MTTD	Jack Handley	July 15
Observe	Infrastructure	Monitor AWS EC2 availability	Infrastructure Monitoring	Reduce MTTD	Jack Handley	July 15	10
Engage	Event Analytics	Identify causal component so that notification can be routed to correct support team	ITSI	Reduce mean time to isolate	Siraj Chaudry	July 25	10
Engage	Notification	Send notification to responsible support team	OnCall	Reduce mean time to notify	Siraj Chaudry	Aug 9
Act	Incident Investigation	Train how to investigate application trace time issues	APM	Reduce mean time to investigate	Michelle Jackson	Aug 9
Act	Remediation	Train how to roll back releases	Multiple	Reduce mean time to remediation	Michelle Jackson	Aug 12

The Use Case Explorer in Action - Online Boutique

You can follow along with how fictitious company CS Corp applies the Use Case Explorer for Observability to their store, Online Boutique.

This example is representative of a real-world application and its underpinning infrastructure. Although your own application and infrastructure will differ from this example, the approach used here is universal and can be applied to any environment. Using the Online Boutique as a guideline, you can see how to establish the different capabilities shown within the Use Case Explorer map.

You can read more about how the Use Case Explorer for Observability is used with CS Corp's Online Boutique store here. 

► Follow an adoption journey that covers the full end-to-end observability workflow

By implementing the following set of use cases, you will accomplish and learn how to adopt the above:

Observe:

• Digital experience monitoring
  • Monitoring the availability of online storefronts
  • Monitoring the user experience with web page performance
  • Establishing website performance benchmarks through competitor comparison
  • Identifying application performance improvement opportunities

• Application monitoring
  •  Optimizing APM operations using custom MetricSets
  • Optimizing application, service and memory usage with AlwaysOn Profiling for Splunk APM
  • Monitoring AWS Lambda functions
  • Troubleshooting database performance
• Infrastructure monitoring
  • Monitoring Kubernetes pods
  • AWS Elastic Compute Cloud monitoring using Splunk Infrastructure Monitoring 
  • Monitoring AWS Relational Database Services

Engage:

• Event analytics
  • Integrating Observability Cloud alerts with Splunk ITSI
  • Normalizing Observability Cloud alerts into the ITSI Universal Alerting schema
  • Configuring ITSI correlation searches to create notable events
  • Configuring the ITSI Notable Event Aggregation Policy
• Notification
  • Configuring ITSI correlation searches for monitoring episodes
  • Configuring Splunk On-Call integration with Splunk ITSI
  • Configuring action rules in ITSI's Notable Event Aggregation Policy (NEAP) for Splunk On-Call integration

Act:

• Incident investigation
  • (Coming soon) Investigate the application condition using Splunk Log Observer

• Remediate
  • Investigating and remediating alerts from web applications using Splunk APM, Splunk ITSI, and Splunk On-Call