Skip to main content
Splunk Lantern

Platform management overview


The best practices in the platform functional area support the availability, scalability, and maintainability of your Splunk deployment. They help establish an optimized Splunk platform architecture and systems for continuity planning, capacity planning, and incident management.

Follow these best practices according to the standard, intermediate, or advanced goals you have set.

Activities Standard Intermediate Advanced

How the Splunk engineering team (not users) stays current on how to administer Splunk software.

Self education

Leverage Splunk Documentation

Leverage Splunk Answers

Everything outlined in standard

Splunk learning paths by role (see Setting roles and responsibilities)

Establish sandboxes as a regular practice for development and innovation (see Using a Splunk sandbox)

Everything outlined in intermediate

Splunk certification paths by role (see Setting roles and responsibilities)


Optimizations to your platform architecture that support performance and scale.

Deploy software using recommended system requirements (see Indexing and search architecture and Data collection architecture)

Set up a Splunk lab (see Setting up a lab environment)

Everything outlined in standard

Make use of the Splunk Validated Architectures (see Splunk Validated Architectures)

Deploy environment for existing capacity and future growth (see Platform capacity considerations)

Everything outlined in intermediate

Deploy a Universal Forwarder as part of the standard OS build (see The universal forwarder)


Product features or other solutions that facilitate high availability or disaster recovery scenarios.

Set up data replication (see Data replication and Preparing for failures in the Splunk utility tier)

Set up a backup policy (see Managing backup and restore processes)

Set up system snapshots or virtual migrations

Everything outlined in standard

Set up search head clustering (see About search head clustering and Indexing and search architecture)

Set up multi-site data replication (see Multisite indexer cluster deployment and Indexing and search architecture)

Generate backups of configuration and user knowledge objects (see Managing backup and restore processes)

Everything outlined in intermediate

Set up automated failover of the utility tier (see Preparing for failures)

Implement source control for configuration and user knowledge objects (see Managing backup and restore processes)


Procedures to track and mitigate issues with the Splunk deployment.

Email or vocal request Implement a ticketing system, or incorporate into existing ticketing system

Everything outlined in intermediate

24/7 live help desk

Splunk runbook


Practices for staying informed about resource usage and staying ahead of demand on the Splunk platform.

Use the Splunk monitoring console (see Platform capacity considerations)

Everything outlined in standard

Develop linear usage projection to estimate growth

Everything outlined in intermediate

Discuss anticipated growth needs with stakeholders (see Managing stakeholders)