
Establishing an operating framework

 

An operating framework provides structure for how you set up and manage your Splunk implementation.

Choose an operating model

You can organize your Splunk implementation a number of ways, depending on how you want to manage your resources. This topic outlines three possible approaches: centralized, federated, and hybrid.

Federated model

With a federated model, teams operate their own independent Splunk deployments and projects. Event data is stored on separate indexers. Program management provides best practice guidance and a forum for meetings to keep them coordinated. Each team can manage its own deployment architecture and operations.

Advantages

  • Teams can manage their infrastructure independently under a common set of standards
  • Scaling is more modular, and easier to plan and execute
  • Good for large organizations
  • Isolates "noisy neighbors"
  • Changes by one team have less risk of impacting other teams
  • Flexible infrastructure deployment options

Challenges

  • Requires more coordination from the program manager
  • More complex to set up and manage
  • Managing deployment-wide search concurrency is more complex

Centralized model

A centralized model concentrates Splunk engineering (hardware and people) into a central team with a single Splunk deployment. A majority or the entirety of event data is stored on a common set of indexers, and users access a common search head or search head cluster.

Advantages

  • Good for small deployments
  • Data is easily accessible and shared
  • Faster to get started and simple to set up
  • Allows for quick growth
  • Easier to manage deployment-wide search concurrency
  • Requires the least hardware

Challenges

  • Requires effort to scale as more groups adopt Splunk and the number of use cases and users grows
  • Concurrent users can unexpectedly impact the performance of each other

Hybrid model

A hybrid model is a mix of centralized and federated, where a critical mass of the Splunk activity is within a central team. Satellite deployments can exist outside of the central team. You can set up dedicated indexers and search head(s) for a use case or department, and the search heads might have the ability to search other deployments.

Advantages

  • Less complex to manage
  • A centralized team can still manage smaller groups or business units
  • A centralized operations team can provide Splunk as a Service
  • Federated customer teams can meet scale demands

Challenges

  • Requires coordination for federated resources
  • The operations team must be prepared to operate a large Splunk deployment
  • Requires the most hardware

Identify the program manager

The program manager role performs one of the most crucial functions on your team. The person you identify to fill this role must have clear authority to manage operations for your entire Splunk implementation.

Program managers fulfill the following responsibilities:

  • Drive decision-making
  • Manage interdependencies between Success Framework pillars
  • Ensure the Splunk implementation plan aligns with business objectives
  • Oversee Splunk success measurements
  • Are accountable for return on investment
  • Promote and facilitate program-wide communication
  • Support initiatives for knowledge sharing and collaboration
  • Ensure executive alignment

For more information, see Setting roles and responsibilities.

Post a service catalog

If you are providing Splunk as a service, you can post a catalog of Splunk-related services and processes for your user community. A service catalog communicates to your community the services you offer, and indicates how they can engage with your team. Post your service catalog in a publicly accessible space, such as your team wiki, community, or internal web site.

Define service-level objectives and agreements

Service-level definitions include service-level objectives (SLOs), service-level agreements (SLAs), and case priorities. For more about creating service-level agreements, see Establishing service levels.
