Splunk integration in SaaS environments

Idea created by mg0040209 on Feb 23, 2017
    Under review
    Score: 0

    Hello,

     

    What

    Ability to send log information from SaaS environments to self-hosted Splunk installations.  Splunk Enterprise is a data collection and analysis tool.

     

    Why

    1. Kibana, the data collection and analysis tool available in SaaS, lacks necessary features.
      1. Search results cannot be exported (only viewed via front-end interface).  This limitation can delay troubleshooting with third-party vendors requesting access to log data.  A support ticket in BTBB may take several days to be resolved.
      2. Custom dashboards cannot be saved.  While Kibana supports adding and modifying panels on the default dashboards, these efforts are not retained beyond the current user session.
      3. Pagination feature requires frequent adjustment.  The default limitation is 500 results (too low).  Changes to the result limit are not retained beyond the current session.
      4. Some application servers are not sending log data to Kibana, resulting in missing entries.  This is never obvious to the user, since the hostnames are IP-based and the number of application nodes in SaaS changes frequently based on demand.  Further, Blackboard does not monitor the indexing service in SaaS, leaving problem identification to the client.  Resolution of these issues takes several days (sometimes weeks), which may pose a risk to logs not indexed from recycled application servers.
    2. Self-hosted clients currently using Splunk lose beneficial features and capabilities after the transition to SaaS.
      1. Real-time log monitoring, notifications and alerts.  While it is reasonable to expect this type of monitoring to be handled by the vendor after a move to MH or SaaS, our experience suggests there is still a significant need.  For example, there are often times when temporary monitoring of specific errors is necessary to mitigate the impact of known issues still pending resolution.  The vendor may not be in a position to monitor effectively through other means in a timely fashion.  
      2. Custom dashboards (see Kibana limitations imposed by Bb implementation)
      3. Historical trend analysis.  Continuing to leverage historical data for trends has significant benefits to the institution.
      4. Analysis across disparate data sources.  Splunk Enterprise has access to machine-data across other institutional systems, including mail relays and authentication providers.  Accessing and analyzing these systems from a single tool is beneficial.
    3. SaaS does not support Google Analytics.
      1. A separate enhancement request will be submitted for this feature.  However, it's notable here as justification for supporting the need of a more robust log analysis tool.

     

    The lack of comprehensive and sufficient machine-data (specifically access and error logs) results in delayed investigations, limited monitoring and inaccurate reporting/analysis.  This request was initially submitted as a support request, but directed here at the vendor's request.

     

    Regards,

    Matt

    Product Version (if applicable): 0