Data Works MD, profile picture
Uploaded byData Works MD
PPTX, PDF505 views

Using AWS, Terraform, and Ansible to Automate Splunk at Scale

The document outlines the use of AWS, Terraform, and Ansible in automating the management of a Splunk cluster for analyzing machine learning capabilities on a 9TB dataset. Key topics include project management by Dreamport, configuration setup, and automation of deployment and ingestion processes. It emphasizes the importance of programmatic configuration and efficient data handling to minimize errors during ingestion.

Technology
Related topics:
Amazon Web Services
Download to read offline
Using AWS, Terraform, and Ansible for DreamPort Projects - the Splunk Cluster How we used (and are still using) tools such as AWS, Terraform, and Ansible to automate everything about a Splunk cluster.
Intro The Who, the What, the Why, and the How Hands on Keys – Live Demo Summary, Questions, Extra Deep Dives On the Agenda Today...
Prerequisites – Terms and Tools • Basic understanding of AWS and cloud computing platforms • Aware of configuration management/orchestration tools such as Terraform and Ansible • Aware of the concepts of Docker • Need to have a basic understanding of Splunk and a Splunk cluster • PLEASE ASK QUESTIONS.
The Who – Me, MISI, and DreamPort • Bill Cawthra - Cloud Infrastructure Architect • I play with little fluffy clouds all day (AWS, Google Cloud, Azure) • MISI/DreamPort - Support and help develop various cyber security projects through collaboration with .gov, private industry, community, and .edu • DreamPort projects – over 20 projects/AWS environments, usually 30-90 days long (some are notably longer) • https://misi.tech/#about • https://dreamport.tech/about-us.php
The What and the Why - The Splunk Evaluation • We wanted to build a Splunk cluster to analyze it's machine learning capabilities. • The data set was 9 TB of Zeek data • 20 users accessing this data at a time (so fairly light on the frontend) • But very intense work done on the backend (indexers) • Big beefy i3.8xlarge instances… Use the instance-store for fast IO (but ephemeral! Therefore we used Splunk SmartStore) • With the help of many people at Splunk (Bryan Pluta, Tyler Muth, Matt Toth, and others), we came up with a design to fit these requirements • We are going to use AWS, Terraform, and Ansible as our tools of choice
The How - AWS • Amazon Web Services; provides an on-demand computing platform • "Elastic" resources • Allows us to rapidly scale out and scale down • Very easy to manage many disparate projects • Best datacenter money can buy
The How - Terraform • Our infrastructure configuration tool of choice • This "frames the house"; creating the AWS resources (VPC, security groups, instances, IAM policies, IAM roles, S3 buckets, etc) • Enforces configuration from the very start (no GUI. No artisinally crafted architecture)
The How - Ansible - Drywall, Paint, and Fixtures • Our automation and configuration management tool of choice • Handles configuration of systems • Handles automation tasks (upgrade and reboot of systems… and ingest orchestration!) • Does everything after the "house is framed"
The How - Docker • Easy binary management (example: to upgrade, just docker pull splunk:<VERSION>) • The splunk-docker project makes it very easy to assign roles, access variables
The How - Infrastructure Diagram
Before We Go Live • I will be covering things at a high level • I will be skipping many things • Ask questions if you want to see XYZ • Look at the code on your own too! • It’s tricky to balance being concise in a talk and detail of the code • Need to avoid turning this into a code review session… • If something looks confusing or wrong, I probably made a mistake.
Before We Go Live - Resources • https://github.com/TheDreamPort/splunk-infrastructure (santiized version of this project) • Also great references: • https://splunk.github.io/splunk-ansible/ - Splunk Ansible reference • https://splunk.github.io/docker-splunk/ - Splunk Docker
TO THE TERMINAL AND BROWSER
Conclusion • We automate automate automate • Which means, we configure/deploy everything programmatically • Ingest is automated • Makes it so easy to redo • Break up the automation into logical pieces • It is not fun having a single mega-script
Extra Notes - Splunk Ingest • Ingest the 9TB of data in batches (basically did it a month at a time) and wait for completion • Limited disk space on the ingesters • Minimize impact of mistakes • Had to be very specific on what was ingested; did not want to duplicate data • Ingest process would attempt to detect if a file had been ingested • Had to verify data was properly ingested (document count of files vs document count in Splunk)
Extra Notes - Monitoring and Logging • Delicious dashboards using Grafana • Graphs the Prometheus metric data • Can graph Loki events too (logs)
Questions? Comments?

More Related Content

PDF
Village office manual - kerala Land Revenue manual vol 6 uploaded by James ...
byJamesadhikaram land consultancy 9447464502
 
PDF
Cseet syllabus
byAnand Rajan
 
PPTX
Anti asthmatic drugs
byShikhaSachde
 
PPT
Veterinary gasteroenterolgy
bysuniu
 
PPTX
Screening models diuretics and analgesics
byRohitPal122
 
PPTX
screening of hypoglycemic agent
byAzhar iqbal
 
PPT
Introduction to Diabetes & anti diabetic drug screening methods
byAnurag Raghuvanshi
 
PPTX
SCREENING MODEL OF ANTI-EPILEPTICS
byDivya
 
Village office manual - kerala Land Revenue manual vol 6 uploaded by James ...
byJamesadhikaram land consultancy 9447464502
 
Cseet syllabus
byAnand Rajan
 
Anti asthmatic drugs
byShikhaSachde
 
Veterinary gasteroenterolgy
bysuniu
 
Screening models diuretics and analgesics
byRohitPal122
 
screening of hypoglycemic agent
byAzhar iqbal
 
Introduction to Diabetes & anti diabetic drug screening methods
byAnurag Raghuvanshi
 
SCREENING MODEL OF ANTI-EPILEPTICS
byDivya
 

What's hot

PDF
Seminar on parasympathomimetic and parasympatholytic converted
byB V V S Hanagal Shri Kumareshwar College of Pharmacy, Bagalkote
 
PPT
Amphetamines - Recommendations for Appropriate Use
byAlexandria Polles
 
PPTX
SCREENING OF METHOD EMETIC ANTIEMETICS
byDhanashri Prakash Sonavane
 
PPTX
Screening of anti ulcer agents
byDeepmalya Ghosh
 
PPTX
Injectable barbiturates
byWarson Monsang
 
PPTX
Screening methods in pharmacology
byTanuJa4
 
PDF
4.3 neuromuscular blocking agents and Myasthenia Gravis drugs
bySaroj Suwal
 
PPTX
Evaluation of antidepressants.pptx
byMerlin Dinesh
 
PPTX
Pharmacological Screening of Anti Arrhythmic Drug
byjatinsaini78
 
PPTX
Screening of antipyretic drugs
bydrarunsingh4
 
PPTX
Antipyretic - pharmacological and toxicological screening methods
byPriyashreeK1
 
PPTX
Presentation1.pptx
byDHWANIPATEL873852
 
PPTX
Laboratory Animals - Taxonomic Classification
byDr Vysakh Mohan M
 
PPTX
Anti psychotic screening methods
bySurpriseSurendhar
 
PPTX
Screening of antidepressant agents
byDr. Partha Sarkar
 
PPTX
Evaluation of anti epileptic drugs practical
byAkshil Mehta
 
PPTX
Screening of Drugs acting on ANS
byJaineel Dharod
 
PPTX
Bioassay
byNaser Tadvi
 
PPTX
Analgesic screening methods
byshubhaasharma
 
PPTX
Screening of analgesics
byAsma Ashraf
 
Seminar on parasympathomimetic and parasympatholytic converted
byB V V S Hanagal Shri Kumareshwar College of Pharmacy, Bagalkote
 
Amphetamines - Recommendations for Appropriate Use
byAlexandria Polles
 
SCREENING OF METHOD EMETIC ANTIEMETICS
byDhanashri Prakash Sonavane
 
Screening of anti ulcer agents
byDeepmalya Ghosh
 
Injectable barbiturates
byWarson Monsang
 
Screening methods in pharmacology
byTanuJa4
 
4.3 neuromuscular blocking agents and Myasthenia Gravis drugs
bySaroj Suwal
 
Evaluation of antidepressants.pptx
byMerlin Dinesh
 
Pharmacological Screening of Anti Arrhythmic Drug
byjatinsaini78
 
Screening of antipyretic drugs
bydrarunsingh4
 
Antipyretic - pharmacological and toxicological screening methods
byPriyashreeK1
 
Presentation1.pptx
byDHWANIPATEL873852
 
Laboratory Animals - Taxonomic Classification
byDr Vysakh Mohan M
 
Anti psychotic screening methods
bySurpriseSurendhar
 
Screening of antidepressant agents
byDr. Partha Sarkar
 
Evaluation of anti epileptic drugs practical
byAkshil Mehta
 
Screening of Drugs acting on ANS
byJaineel Dharod
 
Bioassay
byNaser Tadvi
 
Analgesic screening methods
byshubhaasharma
 
Screening of analgesics
byAsma Ashraf
 

Similar to Using AWS, Terraform, and Ansible to Automate Splunk at Scale

PDF
Infrastructure as Code
byAlbert Suwandhi
 
PPTX
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
byBobby DeVeaux, DevOps Consultant
 
PPTX
Customer Presentation - Financial Services Organization
bySplunk
 
PDF
Cluster-as-code. The Many Ways towards Kubernetes
byQAware GmbH
 
PDF
Hashicorp at holaluz
byRicard Clau
 
PPTX
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
byHarry McLaren
 
PDF
Deploying Plone on AWS
byT. Kim Nguyen
 
PDF
What we talk about when we talk about DevOps
byRicard Clau
 
PDF
Greenfields tech decisions
byTrent Hornibrook
 
PDF
Server’s variations bsw2015
byLaurent Cerveau
 
PDF
Comment choisir entre Parse, Heroku et AWS ?
byTheFamily
 
PPTX
Hot to build continuously processing for 24/7 real-time data streaming platform?
byGetInData
 
PDF
Five Years of EC2 Distilled
byGrig Gheorghiu
 
PPTX
Kubernetes Infra 2.0
byDeepak Sood
 
PDF
SFBA Splunk Usergroup meeting March 13, 2024
byBecky Burwell
 
PPTX
Openstack Summit Tokyo 2015 - Building a private cloud to efficiently handle ...
byPierre GRANDIN
 
KEY
Cloud Computing: Amazon AWS and EC2
byTeamskunkworks
 
PPTX
Splunk n-box-splunk conf-2017
byMohamad Hassan
 
PDF
6 Months Sailing with Docker in Production
byHung Lin
 
PPTX
SplunkLive! London 2017 - DevOps Powered by Splunk
bySplunk
 
Infrastructure as Code
byAlbert Suwandhi
 
Scaling Your App With Docker Swarm using Terraform, Packer on Openstack
byBobby DeVeaux, DevOps Consultant
 
Customer Presentation - Financial Services Organization
bySplunk
 
Cluster-as-code. The Many Ways towards Kubernetes
byQAware GmbH
 
Hashicorp at holaluz
byRicard Clau
 
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
byHarry McLaren
 
Deploying Plone on AWS
byT. Kim Nguyen
 
What we talk about when we talk about DevOps
byRicard Clau
 
Greenfields tech decisions
byTrent Hornibrook
 
Server’s variations bsw2015
byLaurent Cerveau
 
Comment choisir entre Parse, Heroku et AWS ?
byTheFamily
 
Hot to build continuously processing for 24/7 real-time data streaming platform?
byGetInData
 
Five Years of EC2 Distilled
byGrig Gheorghiu
 
Kubernetes Infra 2.0
byDeepak Sood
 
SFBA Splunk Usergroup meeting March 13, 2024
byBecky Burwell
 
Openstack Summit Tokyo 2015 - Building a private cloud to efficiently handle ...
byPierre GRANDIN
 
Cloud Computing: Amazon AWS and EC2
byTeamskunkworks
 
Splunk n-box-splunk conf-2017
byMohamad Hassan
 
6 Months Sailing with Docker in Production
byHung Lin
 
SplunkLive! London 2017 - DevOps Powered by Splunk
bySplunk
 

More from Data Works MD

PDF
RAPIDS – Open GPU-accelerated Data Science
byData Works MD
 
PPTX
Robotics and Machine Learning: Working with NVIDIA Jetson Kits
byData Works MD
 
PDF
Detecting Lateral Movement with a Compute-Intense Graph Kernel
byData Works MD
 
PDF
Introduction to Machine Learning
byData Works MD
 
PPTX
Introducing DataWave
byData Works MD
 
PDF
Connect Data and Devices with Apache NiFi
byData Works MD
 
PDF
Jolt’s Picks - Machine Learning and Major League Baseball Hit Streaks
byData Works MD
 
PPTX
Two Algorithms for Weakly Supervised Denoising of EEG Data
byData Works MD
 
PPTX
Social Network Analysis Workshop
byData Works MD
 
PPTX
Data in the City: Analytics and Civic Data in Baltimore
byData Works MD
 
PDF
Malware Detection, Enabled by Machine Learning
byData Works MD
 
PPTX
Introduction to Elasticsearch for Business Intelligence and Application Insights
byData Works MD
 
PPTX
Exploring Correlation Between Sentiment of Environmental Tweets and the Stock...
byData Works MD
 
PPTX
Automated Software Requirements Labeling
byData Works MD
 
PPTX
An Asynchronous Distributed Deep Learning Based Intrusion Detection System fo...
byData Works MD
 
PDF
Predictive Analytics and Neighborhood Health
byData Works MD
 
PPTX
Data Journalism at The Baltimore Banner
byData Works MD
 
PDF
A Day in the Life of a Data Journalist
byData Works MD
 
RAPIDS – Open GPU-accelerated Data Science
byData Works MD
 
Robotics and Machine Learning: Working with NVIDIA Jetson Kits
byData Works MD
 
Detecting Lateral Movement with a Compute-Intense Graph Kernel
byData Works MD
 
Introduction to Machine Learning
byData Works MD
 
Introducing DataWave
byData Works MD
 
Connect Data and Devices with Apache NiFi
byData Works MD
 
Jolt’s Picks - Machine Learning and Major League Baseball Hit Streaks
byData Works MD
 
Two Algorithms for Weakly Supervised Denoising of EEG Data
byData Works MD
 
Social Network Analysis Workshop
byData Works MD
 
Data in the City: Analytics and Civic Data in Baltimore
byData Works MD
 
Malware Detection, Enabled by Machine Learning
byData Works MD
 
Introduction to Elasticsearch for Business Intelligence and Application Insights
byData Works MD
 
Exploring Correlation Between Sentiment of Environmental Tweets and the Stock...
byData Works MD
 
Automated Software Requirements Labeling
byData Works MD
 
An Asynchronous Distributed Deep Learning Based Intrusion Detection System fo...
byData Works MD
 
Predictive Analytics and Neighborhood Health
byData Works MD
 
Data Journalism at The Baltimore Banner
byData Works MD
 
A Day in the Life of a Data Journalist
byData Works MD
 

Recently uploaded

PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
PDF
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
PDF
Embracing Karpenter to scale, optimise and upgrade Kubernetes
byMarko Bevc
 
PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
PDF
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
PDF
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PPTX
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
PDF
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
PPTX
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PDF
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
PDF
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
PDF
Memo No.3006141 dt.25.10.2025- SOP for Grant of Online Change Of Land Use
byRaghu Ram
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
PDF
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
DOCX
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
Embracing Karpenter to scale, optimise and upgrade Kubernetes
byMarko Bevc
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
Memo No.3006141 dt.25.10.2025- SOP for Grant of Online Change Of Land Use
byRaghu Ram
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 

Using AWS, Terraform, and Ansible to Automate Splunk at Scale

  • 1.
    Using AWS, Terraform,and Ansible for DreamPort Projects - the Splunk Cluster How we used (and are still using) tools such as AWS, Terraform, and Ansible to automate everything about a Splunk cluster.
  • 2.
    Intro The Who, theWhat, the Why, and the How Hands on Keys – Live Demo Summary, Questions, Extra Deep Dives On the Agenda Today...
  • 3.
    Prerequisites – Termsand Tools • Basic understanding of AWS and cloud computing platforms • Aware of configuration management/orchestration tools such as Terraform and Ansible • Aware of the concepts of Docker • Need to have a basic understanding of Splunk and a Splunk cluster • PLEASE ASK QUESTIONS.
  • 4.
    The Who –Me, MISI, and DreamPort • Bill Cawthra - Cloud Infrastructure Architect • I play with little fluffy clouds all day (AWS, Google Cloud, Azure) • MISI/DreamPort - Support and help develop various cyber security projects through collaboration with .gov, private industry, community, and .edu • DreamPort projects – over 20 projects/AWS environments, usually 30-90 days long (some are notably longer) • https://misi.tech/#about • https://dreamport.tech/about-us.php
  • 5.
    The What andthe Why - The Splunk Evaluation • We wanted to build a Splunk cluster to analyze it's machine learning capabilities. • The data set was 9 TB of Zeek data • 20 users accessing this data at a time (so fairly light on the frontend) • But very intense work done on the backend (indexers) • Big beefy i3.8xlarge instances… Use the instance-store for fast IO (but ephemeral! Therefore we used Splunk SmartStore) • With the help of many people at Splunk (Bryan Pluta, Tyler Muth, Matt Toth, and others), we came up with a design to fit these requirements • We are going to use AWS, Terraform, and Ansible as our tools of choice
  • 6.
    The How -AWS • Amazon Web Services; provides an on-demand computing platform • "Elastic" resources • Allows us to rapidly scale out and scale down • Very easy to manage many disparate projects • Best datacenter money can buy
  • 7.
    The How -Terraform • Our infrastructure configuration tool of choice • This "frames the house"; creating the AWS resources (VPC, security groups, instances, IAM policies, IAM roles, S3 buckets, etc) • Enforces configuration from the very start (no GUI. No artisinally crafted architecture)
  • 8.
    The How -Ansible - Drywall, Paint, and Fixtures • Our automation and configuration management tool of choice • Handles configuration of systems • Handles automation tasks (upgrade and reboot of systems… and ingest orchestration!) • Does everything after the "house is framed"
  • 9.
    The How -Docker • Easy binary management (example: to upgrade, just docker pull splunk:<VERSION>) • The splunk-docker project makes it very easy to assign roles, access variables
  • 10.
    The How -Infrastructure Diagram
  • 11.
    Before We GoLive • I will be covering things at a high level • I will be skipping many things • Ask questions if you want to see XYZ • Look at the code on your own too! • It’s tricky to balance being concise in a talk and detail of the code • Need to avoid turning this into a code review session… • If something looks confusing or wrong, I probably made a mistake.
  • 12.
    Before We GoLive - Resources • https://github.com/TheDreamPort/splunk-infrastructure (santiized version of this project) • Also great references: • https://splunk.github.io/splunk-ansible/ - Splunk Ansible reference • https://splunk.github.io/docker-splunk/ - Splunk Docker
  • 13.
    TO THE TERMINALAND BROWSER
  • 14.
    Conclusion • We automateautomate automate • Which means, we configure/deploy everything programmatically • Ingest is automated • Makes it so easy to redo • Break up the automation into logical pieces • It is not fun having a single mega-script
  • 15.
    Extra Notes -Splunk Ingest • Ingest the 9TB of data in batches (basically did it a month at a time) and wait for completion • Limited disk space on the ingesters • Minimize impact of mistakes • Had to be very specific on what was ingested; did not want to duplicate data • Ingest process would attempt to detect if a file had been ingested • Had to verify data was properly ingested (document count of files vs document count in Splunk)
  • 16.
    Extra Notes -Monitoring and Logging • Delicious dashboards using Grafana • Graphs the Prometheus metric data • Can graph Loki events too (logs)
  • 17.

Editor's Notes

  • #11 Splunk search-head (1) c5d.12xlarge (48 vCPU 96GB) Splunk indexer (9) i3.8xlarge (32 vCPU 244 GB each) 7600 GB of instance storage Splunk universal-forwarders (4) i3.2xlarge (8 vCPU 61 GB each) 1900 GB of instance storage Splunk master-node (1) i3.large (2 vCPU 15 GB) Splunk monitor (1) i3.large (2 vCPU 15 GB)
  • #12 If you want to follow along or poke around the code and find the flaws, go here.
  • #13 If you want to follow along or poke around the code and find the flaws, go here.