Know Your Splunkers


I get asked all the time by customers and recruiters, “What does a Splunk Developer do?” A simple question and a good one. So often I see Splunk roles being advertised with skill sets that just don’t work together.

So to jump straight into this, I thought I’d clarify the various skills of Splunk roles.

Power User

This is typically someone who works “for the business” but has been trained in using Splunk on a day-to-day basis. They can search, understand the data sources available to them, can build reports and might dabble in some alerts.

Splunk Administrator

This is the person “keeping the lights on”. These are the people who build and maintain the servers, install and configure the forwarders, make sure that everything is running within acceptable limits. They typically plan for the system growth and get involved in Splunk projects along the way. They are usually part of the Data Center or Server teams and report to the business who owns Splunk. (Most likely the CIO.)

Splunk Developer

The mythical Splunk Developer, I’m thinking Buttercup with a horn. This is the person who builds searches, alerts, reports and visualizations either from scratch or from the “internal skunkworks” and optimizes them. We often incorporate corporate logos, styles and generally clean stuff up. It’s all about making it look professional and usable for the wider company audience. We also understand how to best present different data types to different audiences. Things like the techos liking bar charts but execs loving their scorecards.
We would often do large amounts of the business analyst work. Developers are often part of Splunk projects from their beginning. In this way we can ensure that the outcomes scoped are achievable and advise on how other Splunk projects can re-use data or reports and visualizations, etc. to best effect.

Splunk Architect

These are the people who design the Splunk platform from a blank sheet of paper. They detail how many forwarders, indexers and search heads are needed. They know the hardware required and will assess the growth of the architecture based on their enterprise-wide knowledge to “future proof” the platform. This is where the Splunk strategy lives.

So keep in mind that these Splunk roles are actually very different. Asking for someone who is going to write searches, install and deploy servers and forwarders, consult with the business, and architect the platform is a little like asking a mechanic to re-wire your office, cater the Christmas party, and fly the family on an OS holiday. These roles all need very different personalities, and very different skillsets. You need to work out what you need done and hunt down the right resource.

Splunk in Australia has only really “ramped up” in the past few years, so even for the most experienced dedicated Splunk heads, you are only going to get 3 to 4 years of experience out of some of the biggest Aussie brands. Most smaller companies haven’t dedicated staff to Splunk for nearly that long so this needs serious consideration when looking for resources.

Splunk is growing exponentially and the market roles are beginning to mature around the product. This will only continue but I hope by explaining this in more detail I can save you from some of the confusion I witnessed.
