17 September 2024

5 Top Tips for Splunk users struggling with Platform Management

SIEM, Splunk

Platform management, in relation to Security Information and Event Management (SIEM), involves the administration, maintenance and optimisation of the SIEM so that it keeps functioning effectively. This includes overseeing the hardware, software and network infrastructure that supports the SIEM, managing system updates, configuring and fine-tuning the platform to handle security data efficiently, and ensuring that it scales with the organisation’s needs. Here are 5 tips to help you structure your thinking on platform management if you’re struggling:

  1. Understanding your user base:

    A lot of companies have a lot of users in Splunk but little rationale behind the number of users, and little restriction or thought given to the capabilities and indexes each user can access. Understanding the user base makes it much easier to picture who is using Splunk and why. Adding users to the platform without considering which indexes they can read and which capabilities they hold leads to over-population of administrative roles (admin, or sc_admin on Splunk Cloud), which give a user full control of the system. It also leads to significant inefficiency: any user can write an expensive search and schedule it to run every five minutes. A key example is saved searches that begin with index=*, which scan every index the user’s roles are allowed to read rather than the one or two that actually hold the data, and that is very heavy on indexer workload. Understanding your user base and paring down your roles to match is therefore worthwhile.
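As an added illustration (not Apto’s tooling or anything from the original post), the script below audits a savedsearches.conf for the two patterns described above: enabled scheduled searches that start with index=* and searches scheduled every five minutes or more often. The conf content is constructed for the example; the five-minute threshold is an assumption you would tune to your own scheduler capacity.

```python
"""Flag enabled scheduled searches that start with index=* or run very frequently.

Added example, not Apto's code. Reads Splunk's INI-style savedsearches.conf
(the raw file, or a `splunk btool savedsearches list` dump); the sample below
is constructed, not taken from a real deployment.
"""
import configparser
import re

FREQUENT_MINUTES = 5  # assumption: flag anything scheduled at least this often

# Constructed sample in savedsearches.conf syntax.
SAMPLE_CONF = """
[Failed logins - all indexes]
search = index=* sourcetype=linux_secure "Failed password" | stats count by host
cron_schedule = */5 * * * *
enableSched = 1
disabled = 0

[Web errors]
search = index=web status>=500 | timechart count
cron_schedule = 0 * * * *
enableSched = 1
disabled = 0

[Ad hoc firewall report]
search = index=* action=blocked | top src_ip
enableSched = 0

[Old search]
search = index=* | stats count
cron_schedule = */1 * * * *
enableSched = 1
disabled = 1
"""

ALL_INDEXES = re.compile(r'index\s*=\s*"?\*"?(\s|$)', re.IGNORECASE)


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk .conf keys are case-sensitive
    cp.read_string(text)
    return cp


def interval_minutes(cron):
    """Interval in minutes for a '*' or '*/N' minute field; None for anything else
    (a fixed minute such as '0' means at most hourly, which is not flagged here)."""
    fields = cron.split()
    if not fields:
        return None
    minute = fields[0]
    if minute == "*":
        return 1
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:])
    return None


def audit(conf_text):
    """Return [(search name, [reasons])] for searches that deserve a review."""
    cp = parse_conf(conf_text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        # Only enabled, scheduled searches consume scheduler capacity on a timer.
        if s.get("disabled", "0") == "1" or s.get("enableSched", "0") != "1":
            continue
        spl = s.get("search", "").strip()
        if spl.lower().startswith("search "):
            spl = spl[len("search "):].lstrip()
        reasons = []
        if ALL_INDEXES.match(spl):
            reasons.append("searches every index the role can read")
        every = interval_minutes(s.get("cron_schedule", ""))
        if every is not None and every <= FREQUENT_MINUTES:
            reasons.append(f"runs every {every} min")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_CONF):
        print(f"{name}: {'; '.join(reasons)}")
```

Disabled and unscheduled searches are skipped deliberately: an ad hoc index=* search costs something once, but a scheduled one costs it every cycle, which is what the tip is about.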

  2. Managing data retention:

    Regularly reviewing your data retention policies keeps your storage footprint under control, and deciding what needs to be indexed at all keeps your licence volume down. Where data has to be kept, for compliance reasons for example, but does not need to be searchable in Splunk, we normally recommend using Splunk ingest actions or a non-Splunk streaming tool such as Cribl, to name one, to route it to cheaper storage. There are numerous methods and techniques for data persistence and streaming; that is a whole blog in itself, so we will write one soon. What we would stress is considering what the purpose of storing this data is and why you need it.
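As an added worked example (not from the original post or Apto’s tooling), the script below compares the retention configured in indexes.conf with the retention each dataset is actually required to have. frozenTimePeriodInSecs and its 188697600-second (about six-year) default are Splunk’s real setting and default; the indexes, the [default] stanza and the REQUIRED_DAYS register are constructed, and the factor of two for “kept far longer than needed” is an assumption.

```python
"""Compare indexes.conf retention with the retention each index must satisfy.

Added example, not Apto's code. frozenTimePeriodInSecs is Splunk's real
per-index retention setting; when an index (and [default]) sets nothing,
Splunk uses 188697600 s, roughly six years. Index names and required
retention below are constructed.
"""
import configparser

DEFAULT_FROZEN_SECS = 188697600  # Splunk's built-in default when nothing is set
DAY = 86400

# Constructed indexes.conf. Splunk applies [default] to every index that does
# not override the setting, so [firewall] inherits the six-year value.
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 188697600

[web]
homePath = $SPLUNK_DB/web/db
frozenTimePeriodInSecs = 2592000

[firewall]
homePath = $SPLUNK_DB/firewall/db

[finance_audit]
homePath = $SPLUNK_DB/finance_audit/db
frozenTimePeriodInSecs = 15552000
"""

# Constructed: how long each index must be kept (days), e.g. from a compliance register.
REQUIRED_DAYS = {"web": 30, "firewall": 90, "finance_audit": 2555}


def configured_retention_days(conf_text):
    """Map index -> configured retention in days, honouring the [default] stanza."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="default"
    )
    cp.optionxform = str
    cp.read_string(conf_text)
    return {
        name: int(cp[name].get("frozenTimePeriodInSecs", DEFAULT_FROZEN_SECS)) / DAY
        for name in cp.sections()
    }


def retention_findings(conf_text, required_days, slack=2.0):
    """Return (index, configured_days, required_days, verdict) for every mismatch.

    'short': data is frozen before the requirement is met (compliance risk).
    'long' : data is kept more than `slack` times longer than required (storage cost).
    """
    findings = []
    for index, have in configured_retention_days(conf_text).items():
        need = required_days.get(index)
        if need is None:
            findings.append((index, have, None, "no requirement recorded"))
        elif have < need:
            findings.append((index, have, need, "short"))
        elif have > need * slack:
            findings.append((index, have, need, "long"))
    return findings


if __name__ == "__main__":
    for index, have, need, verdict in retention_findings(SAMPLE_INDEXES_CONF, REQUIRED_DAYS):
        print(f"{index}: configured {have:.0f} d, required {need} d -> {verdict}")
```

One caveat when using this for real: time is not the only thing that freezes buckets. maxTotalDataSizeMB (and volume limits) can roll data out earlier than frozenTimePeriodInSecs implies, so an index that passes this check can still fall short of a retention requirement if it is undersized.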

  3. Educating your users and admins:

    If users don’t understand Splunk or the cost of their actions in Splunk, they are more likely to overload the system and create latency and lag for other users, and again costs go up. In terms of admins, if they don’t understand the user base or their own powers and how they can influence the system, two things can happen: (1) they may change permissions in ways that get in the way of certain users, or (2) they may change knowledge objects without proper thought about the impact of those changes.

  4. Centralised role management:

    This is making sure that access to the system for activities such as creating access tokens, creating accounts and changing passwords is properly under control. If data ingestion and all of those responsibilities are clearly assigned, confusion is easy to prevent. We see a lot of clients who do not review their roles very frequently and end up with a catch-all role: everybody who is new to the system is simply put in this role, with nobody considering the index restrictions on it. For example, you end up with people in a customer-facing role who can access financial information, which creates a lot of murky water.
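To make the catch-all problem concrete, here is an added example (not Apto’s code or anything from the original post) that audits authorize.conf role stanzas: it resolves each role’s effective index access through importRoles, flags roles that can read every index or a sensitive index, and flags any role handed to most of the user population. srchIndexesAllowed and importRoles are Splunk’s real settings; the roles, the stand-ins for the built-in admin and user roles, the user list, the SENSITIVE_INDEXES set and the 50% catch-all threshold are all constructed or assumed. Feed it `splunk btool authorize list` output to get the real built-in roles included.

```python
"""Audit authorize.conf for over-broad index access and catch-all roles.

Added example, not Apto's code. Splunk's authorize.conf defines roles in
[role_<name>] stanzas; srchIndexesAllowed lists readable indexes separated by
';' ('*' = all non-internal, '_*' = internal) and importRoles names roles whose
index access is inherited. Everything below is constructed for the example,
including the minimal stand-ins for the built-in admin and user roles.
"""
import configparser

SENSITIVE_INDEXES = {"finance", "hr"}  # assumption: indexes needing explicit approval

SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*

[role_user]
srchIndexesAllowed = main

[role_general_user]
srchIndexesAllowed = *
importRoles = user

[role_customer_support]
srchIndexesAllowed = crm;web;finance
importRoles = user

[role_finance_analyst]
srchIndexesAllowed = finance
importRoles = user

[role_platform_owner]
importRoles = admin
"""

# Constructed user -> roles mapping, as you might export from the REST API.
SAMPLE_USERS = {
    "alice": ["role_general_user"],
    "bob": ["role_general_user"],
    "carol": ["role_general_user"],
    "dave": ["role_customer_support"],
    "erin": ["role_platform_owner"],
}


def parse_roles(conf_text):
    """Map role name -> {'allowed': set(indexes), 'imports': [role names]}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        s = cp[section]
        roles[section[len("role_"):]] = {
            "allowed": {i for i in s.get("srchIndexesAllowed", "").split(";") if i},
            "imports": [r for r in s.get("importRoles", "").split(";") if r],
        }
    return roles


def effective_indexes(role, roles, seen=None):
    """Union of a role's own index access and everything inherited via importRoles."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:
        return set()  # unknown roles are left unresolved rather than guessed
    seen.add(role)
    allowed = set(roles[role]["allowed"])
    for parent in roles[role]["imports"]:
        allowed |= effective_indexes(parent, roles, seen)
    return allowed


def audit_roles(conf_text, users, sensitive=SENSITIVE_INDEXES, catch_all_share=0.5):
    """Return [(role, finding)] for roles worth a second look."""
    roles = parse_roles(conf_text)
    findings = []
    for name in roles:
        idx = effective_indexes(name, roles)
        if "*" in idx:
            findings.append((name, "can read every non-internal index"))
        elif idx & sensitive:
            findings.append((name, f"can read sensitive indexes {sorted(idx & sensitive)}; confirm this is intended"))
    # Catch-all: a single role assigned to most users regardless of need.
    counts = {}
    for assigned in users.values():
        for r in assigned:
            counts[r] = counts.get(r, 0) + 1
    for r, n in counts.items():
        if n / len(users) >= catch_all_share:
            findings.append((r[len("role_"):] if r.startswith("role_") else r,
                             f"assigned to {n} of {len(users)} users (catch-all?)"))
    return findings


if __name__ == "__main__":
    for role, finding in audit_roles(SAMPLE_AUTHORIZE_CONF, SAMPLE_USERS):
        print(f"{role}: {finding}")
```

In the sample, role_general_user is the catch-all from the text: it is what most users land in, and because it allows `*` the index restriction on it is effectively none. role_customer_support shows the other failure mode, a customer-facing role that quietly has the finance index in its list.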

  5. Always keeping in mind the regulatory and compliance considerations:

    This is a really key part of platform management. If you know what data you have and how long you need to keep it for, that informs retention and other decisions such as ingest actions. From this information you can decide whether it would be more efficient to use a data lake rather than Splunk for long-term storage.

 The goal of platform management is to keep the platform stable, secure and scalable, supporting the organisation’s operational needs and future growth. It also involves troubleshooting issues, ensuring compliance with regulations, and continuously improving platform performance to maximise its value for users. Platform management can be difficult; hopefully these tips give you 5 areas to think about that will improve your platform management approach. Further reading on licence management is here.
