Today I attended the Splunk Discovery Day 2018 conference. It is something like a local equivalent of the famous Splunk .conf. More than 200 people have registered. The event was held in the luxury Baltschug Kempinski hotel in the very center of Moscow with a beautiful view of the Red Square and St. Basil’s Cathedral.

Recently, I have been working more and more with Splunk: I develop connectors, write searches and dashboards, optimize them. Splunk has become the main data visualization tool for me.

Video from the event (27 minutes). This is NOT a complete recording of speeches, but rather some fragments and slides.

At the same time, I make most of data analysis with my own Python scripts. Currently this approach seems more effective. But as for providing final results in a beautiful way and making various notifications, in this sphere Splunk is really convenient and useful. Of course, I can make own a Web GUI application that will do something similar for my tasks, it doesn’t make sense if there is an Enterprise level tool that is very good for this.

My tasks are not quite typical for Splunk clients from Security Teams who look at it in the context of SIEM and SOC mainly. Asset Inventory is actually similar to Business Intelligence: almost all connectors are non-standard, and there are no strict requirements for real time (we operate with days and months, not seconds). We have same approach: “Bring some data to Splunk and get insights from it.” And in this sense, it is great that this event was NOT for the information security experts mainly.

It was mentioned a lot that Splunk is primarily a tool for Business Intelligence. And it’s not just for geeks. Splunk is preparing a mobile application with augmented reality, technologies for recognizing requests in natural language and voice. I think this is all mainly for fun, but the trend for casualty is clear.

There were also interesting success stories from MegaFon (roaming analysis during the World Cup), Rossgostrach, Mars IS, Okko and MTS.

MegaFon uses Splunk as a data analysis platform. And it requires the deep involvement of the internal customers. “You can not just put data in the box to start the miracles.” It is the universal idea that is very true for Information Security as well.

Only one success story from MTS was directly about Information Security and SOC. But even they do not use Splunk as a SIEM (because of license costs), but rather for visualization the state of infrastructure and Information Security Tools.  The main advantage of Splunk is flexibility that makes possible to implement own metrics and beautiful dashboards.

I also liked the master classes. Great VolgaBlob master class about search acceleration methods, different from those that I described in “Accelerating Splunk Dashboards with Base Searches and Saved Searches“: Report Acceleration, Summary Indexing and Data Model Acceleration. There were also master classes about the application development (Talmer) and the correct data imports (RRC).

As a result, after the event, I have a lot of ideas about the alerting and the use of Splunk AI features. I am also interested in testing Splunk applications via Selenium, as a regular web application, developing Splunk application GUI with Splunk Javascript SDK and deploying automation using puppet. We really can see Splunk as yet another web framework. So, I thing the event was quite inspiring for me. 🙂