Skip to main content
Do you build apps on Splunk or are a Splunk admin? If so, we want to hear from you. Help shape the future of Splunk and win a $35 gift card!
 
 
Splunk Lantern

Managing your Splunk Cloud Platform deployment

 

The information in this article will help you discover methods for deploying, administering and extracting more value from your data with Splunk Cloud Platform. The best practices indexed here are gathered from Splunk customers, partners and employees.

Monitoring system health

To help you monitor Splunk Cloud Platform deployment health, use this quick reference list that highlights how Splunk administrators can use the Cloud Monitoring Console to gain insight into system health, including indexing and search performance, OS resource usage, and license usage.

  • Set up the Splunk Cloud Platform monitoring console. Review your data retention capacity and configure Splunk Cloud Platform to generate an alert when the value exceeds your usage license.
  • Locate the Splunk Cloud monitoring console and get familiar with the dashboards and the information they show. From the Overview dashboard, check the CPU usage of your indexer(s). Is it in the green (0-59%), orange (60-79%), or red (80% or more) status range? Are there any triggered alerts? From the Topology view under Indexers, toggle to show the indexing rate per second.
  • As a best practice, incorporate the monitoring console dashboards into a regular schedule of health maintenance checks. For example, you can monitor search efficiency on a weekly interval, and monitor overall deployment health every month. You can also configure the priority of the scheduled reports.
  • Ensure you have healthy searches for optimal performance of your entire Splunk Cloud Platform environment. Check for skipped searches, review searches by user, and review long-running searches. Check for and resolve data quality issues, such as line or event breaking issues.
  • Search Splunk Answers for answers, or ask a question of your own. If you're still not sure, contact Splunk support by submitting a case on the Splunk Support and Services portal. Don't forget to generate a diagnostic file to give Support insight into your configuration and performance history.

Managing configurations

This quick reference list highlights how customers can best manage configurations in Splunk Cloud Platform. Splunk Cloud customers do not have the ability to directly edit .conf files, but that doesn't mean they can't extend base capabilities to get more insights into their data.

  • Find an especially important source type and resolve data quality issues to make sure it's set up for success.
  • Review at the timestamps in your data. Configure timestamp recognition to make sure Splunk doesn't waste time trying to figure out the right date-time stamp to use.
  • Define and tune event breaks. You almost certainly have some multi-line events. Figuring out what's multi-line can be taxing on the indexers. Set the segmentation for event data to optimize your source types with what you've learned about .conf files.
  • Create a source type using the Source types management page.
  • Watch the Splunk Cloud tutorial to see how to set up Splunk Cloud Platform and get data in using a universal forwarder.
  • Build field extractions with the field extractor to build search-time field extractions. After you run a search, fields extracted for that search are listed in the fields sidebar. You can create custom field extractions to define which fields are extracted and when Splunk software extracts fields.
  • Leverage the power of lookups. Lookups make it easy to add context and create correlations with your data. For example, you can use a geospatial lookup to turn a series of IP addresses into geographical locations. Learn more about lookups and how they can enhance your search experience.

Admin Config Service (ACS)

The Admin Config Service (ACS) provides a command line interface (CLI) that lets Splunk Cloud Platform Admins perform many configuration and management tasks in a self-service manner, without assistance from Splunk Support. You can use the ACS API to update the list of authorized IP addresses, HEC (HTTP Event Collector) tokens, authentication tokens, indexes and many other configurations. Install the ACS Helper for Splunk for a simple and user-friendly graphical interface to make ACS features easier to access.

Onboarding new users

This reference list highlights how customers can best start onboarding new users in Splunk Cloud Platform.

  • Head on over to Splunk Education to find all the training you need.
  • Make your role-based access control more granular by organizing user access requirements into functional categories, such as data access or search restrictions.
  • Build user group workspaces for a specific role or user group to enable users to search, explore, and create without distractions from other teams and users.
  • Set up knowledge management practices now to avoid costly misinterpretation of your data later. Get started with What is Splunk knowledge?
  • Define a knowledge manager role. This person can create guidelines to manage knowledge objects, normalize event data, and create data models for Pivot users.
  • Review your company's requirements. Identify who needs access to which data sets, if there are any that should be private, such as data with PII, and so on. You can add and edit roles with Splunk Enterprise based upon your requirements.
  • Map LDAP groups to Splunk roles. Splunk Cloud Platform users can work with the repository administrator to set up user authentication with LDAP.