An introduction to the Splunk Success Framework
Learning how the Splunk Success Framework (SSF) is organized can help you identify the parts of the framework that apply best to you and your organization. All of the best practices in the SSF are modular, so you can apply them any time, according to your needs and priorities.
The SSF first introduces you to some Fundamentals - best practices that help you ensure success from the start.
It then takes you on a journey through four Functional areas - Program, People, Platform, and Data.
It also gives you guidance that aligns to your Adoption level, whether you're looking to implement standard, intermediate, or advanced best practices.
Fundamental best practices
Fundamental best practices are decisions, agreements, and success criteria that establish the purpose, goals, and ownership of your Splunk implementation. These tactical decisions provide clarity and accountability that are essential elements of a successful deployment. The SSF lays out four fundamental best practices:
- Determining the purpose and scope of your Splunk deployment. Defining a purpose and scope for your Splunk implementation helps you focus on what you want to use Splunk software and solutions to do.
- Engaging with your executive sponsor. An executive sponsor is the leader accountable for the success of your Splunk implementation.
- Establishing an operations framework. An operations framework defines how to set up your Splunk environment depending on your goals, and provides best practices for setting up a successful Splunk implementation team.
- Setting success metrics. Metrics set benchmarks so you can measure success as your Splunk implementation matures.
The fundamental best practices set expectations with stakeholders and ensure that your Splunk implementation stays on track and can grow and expand along with your needs.
Functional areas
Best practices for implementing Splunk are organized into four functional areas:
- Program Management. Best practices for program management support how you conduct your Splunk implementation to drive adoption and realize maximum value from your Splunk deployment.
- People Management. Best practices for user management enable users and teams by using learning incentives and role-based access to features and data.
- Platform Management. Best practices for platform management support the availability, scalability, and maintainability of your Splunk deployment.
- Data Management. Best practices for data lifecycle support efficient data management practices and generate effective use cases that are tightly aligned to data.
Adoption levels
The SSF defines four adoption levels that apply to the functional best practices: Foundational, Standard, Intermediate, and Advanced. The adoption levels classify the best practices according to the level of effort needed to meet your priorities, needs and goals for each activity.
- Foundational. Best practices that establish functional groundwork for a Splunk environment with essential configurations and basic optimizations.
- Standard. Best practices that establish the basis for an optimally performing Splunk environment with established configurations and practices.
- Intermediate. Best practices that offer more control for results that you can tailor to how you organize your Splunk implementation.
- Advanced. Best practices that suggest configurations and optimizations to grow and expand your Splunk implementation.
Each functional area has an overview page that lays out best practices appropriate to your adoption level.
Adoption levels can grow with you. For example, when you start out, you may have a moderate-sized team and a few core use cases on established systems. You might benefit from putting some standard and intermediate-level best practices in place. You could also apply a few advanced best practices in areas where you already have strong practices in place.
Terminology
The SSF uses the following terms:
- Splunk deployment. A Splunk deployment refers to Splunk software that has been installed and configured on a system and is accessible to at least one user and data source.
- Splunk environment. A Splunk environment refers to the equipment that hosts your Splunk software. For on-premises Splunk Enterprise deployments, this is the hardware, virtual machines, and operating systems upon which your Splunk software is deployed. For Splunk Cloud Platform deployments, this is the service hosted by Splunk.
- Splunk implementation. A Splunk implementation refers to your Splunk deployment and Splunk environment (platform), the team of people that use and support Splunk software (people), the data and use cases you use Splunk software and solutions to address (data), and the processes your community of users follow to deploy, use, maintain, and grow an organization's use of Splunk software and solutions (program).
Helpful links to Splunk resources
Here are links to other helpful Splunk resources. At this stage, you might also want to check out Splunk Validated Architectures. These are proven reference architectures for stable, efficient and repeatable Splunk deployments that ensure that your initial deployment is built on a solid foundation.