Team GSPANN streamlined the Splunk framework by performing architectural changes, migrating and upgrading Splunk components, and standardizing the processes for deployment and data onboarding.
We established Splunk as the primary source for monitoring and analyzing e-commerce applications. Our team developed a new Splunk architecture to improve the ROI of Splunk services, reduce the cost of data licensing, and enhance the availability of Splunk as a central monitoring service.
The solution proposed by team GSPANN consists of the following elements:
- Architecture: We used a load-balanced Heavy Forwarder cluster for data routing, implemented syslog-ng for firewall and security data, and set up a dedicated data route for Payment Card Industry Data Security Standard (PCI-DSS) and internal compliance data.
- Migration: Migrated all services from the on-premise Splunk Enterprise instance.
  - All Splunk data ingestion apps, DB Connect, and scripted inputs moved to the Heavy Forwarder cluster with a backup option.
  - Apps, alerts, and dashboards moved to the Splunk Cloud cluster.
- Upgrade: All Splunk components (Heavy Forwarder, Universal Forwarder, Splunk Cloud, DB Connect, and other Splunk applications and add-ons) were moved to the latest supported and compatible versions.
- Standardize Deployment: Implemented deployment server and updated docker images used on Kubernetes clusters.
- Data Onboarding: Created modular components/apps, which can be reused for Scripted, REST, HEC (HTTP Event Collector), and other custom inputs.
- User Management: Okta SSO (Single Sign-On) is used for secure authentication. LDAP (Lightweight Directory Access Protocol) groups were restructured for valid authorization.
- Audits: Optimized queries for dashboards and alerts. Cleaned up obsolete items and regularly reviewed scheduled jobs and reports.