Splunk User Groups consist of Splunk users in a common geographical location who want to learn and network with like-minded people who are passionate about what they do.
Here at Function1 we use Slack in order to stay in constant contact with our co-workers. If you haven't heard of Slack before, Slack is a team chat and communication tool. We use it to talk about our projects, company announcements, sports, random water cooler talk, technical questions, etc. Slack has built-in integration with many services. Slack is a new way to communicate with your team. It's faster, better organized, and more secure than email.
Goals of a User Group
The goal of a Splunk User Group is to create an authentic, open forum for users to share technical details of their use cases, stories, difficulties, successes, and generally enjoy like-minded company.
User groups are not channels for sales, marketing, or recruitment for Splunk or anyone else participating in the group. They should be focused on content that appeals to the community.
Starting a User Group
From the user group website, search for a Splunk user group in your area. If one does not exist, the website displays two options:
- You can request to start a user group in your area. The Splunk Community team will get in touch with you to confirm your interest and answer any questions you have before completing the process of setting up your new user group and installing you as the leader. Typically, Splunk tries to ensure that there's a critical mass of users in a given geographical area before starting a user group.
- If you don't want to lead a new group, you can request to be notified when a user group starts in your area.
There are five main components of starting and hosting a successful Splunk User Group:
- Members
- Leaders
- Venue
- Content
- Cadence
Members
User group members are a mix of Splunk users, power users, admins, architects, developers, and people who have never used Splunk at all who are interested in learning from one another's experience.
Attendees come from various industries ranging from IT, security, IoT, healthcare, finance, and beyond, bringing different perspectives that help foster discussion, growth, and exploration amongst the group.
Finding and Connecting with Members
- Network with other users who are already big fans of Splunk to help you start the group. If you don't yet have that, or you don't yet know your local Splunk users well enough to know who you can partner with effectively to make this successful, it's fine to wait until you think it has a good chance of getting off the ground. You can also check with your local and regional account managers for ideas. Contact a member of the Community team (usergroups@splunk.com) if you need an introduction to an account manager.
- Many Splunk user groups have their own channels on the Splunk Community Chat on Slack (splunk-usergroups) to stay connected with users in their local area. If you are not part of the splunk-usergroups Slack team yet, send a request through https://splk.it/slack.
- There is also a private channel for user group leaders. After you are on Slack, a Splunk Community team member can add you to the channel to connect and learn from the ideas and best practices of user group leaders around the world.
Leaders
User group leaders are the face of the local Splunk community. Since user groups are for the user, by the user, it is a best practice to have a customer in a primary leadership position.
Leader Best Practices
Ideally, a user group has 2-3 leaders drawn from customers, Splunk Partners, and Splunk Sales Engineers.
- 1-3 Splunk Customers
- Customers are the key to the Splunk community and work with the SE to plan meetings, secure venues, weigh in on content, and engage the community. They are the voice of the local Splunk User Community and the liaison to their local Splunk team.
- When there are multiple customers on a leadership team, it works best if at least two are from different companies, as they provide different perspectives and are not busy with the same projects at the same time.
- Splunk Partner
- A partner essentially plays the same role as a customer, but ideally they should be on the leadership team in addition to a customer.
- Splunk Sales Engineer (SE) or other Splunkers
- A Splunk SE can be highly involved as a resource to the rest of the user group leadership. They provide Splunk support and technical product information and are welcome to co-plan/lead with the customer and partner leaders. Splunk employees are not required to start up a user group, but often they are happy to provide guidance and support.
Venue
Venues are spaces in which to hold User Group meetups.
Venue Best Practices
Things to consider when selecting a venue
- Pick a location that is central or easily accessible to most of your members.
- If there is a mix of users both in the city and in the suburbs, consider alternating between suburban and city locations for each meetup.
- If a large city or geographical region is divided (for example, people who live and work on the north side generally don't travel to the south side, or won't cross a certain highway for events), try alternating between different parts of the city to make the User Group accessible to all members. (Note: this only applies if there are actually members or customers in those different parts of the city or region. If one area of the city is only retail stores, for example, this is not necessary.)
- Get the details on parking, public transit, etc.
- Make sure the venue is accessible to people of all abilities.
Suggestions for venue locations
- Office Conference Room
- Reserve a conference room where you work. This is typically the most affordable and consistent venue option for a User Group.
- If you have multiple customer and partner leaders in your user group, you can take turns hosting the meetup to keep things interesting and for the convenience of members who are traveling from different areas of your city.
- If nearly every user group meetup is in an office conference room, change it up a couple of times per year to make it a little more exciting for the users. Host a User Group holiday party at a restaurant or pub; get the group together for a quick presentation in an event room at a movie theater, with seats reserved to watch the latest action movie afterward; or host a volunteer night at a nonprofit, either with a quick presentation followed by volunteering together, or by skipping content that time and hosting a SplunkForGood (volunteering) bonding experience.
- Restaurant or Pub meeting room
- Many restaurants and bars/pubs have private event spaces. Some things to ask the venue before booking:
- Do they have A/V capabilities? TVs or projector? Sound? WiFi? Get the full details.
- Is there a food and beverage minimum or fee to hold the space? If there is, your local SE may be able to help you out. If you can avoid a space that requires a credit card deposit or minimum, even better.
Content
User Group content should always be focused on current Splunk users. Technical topics and/or professional development are key.
Content Best Practices
- Use a visual aid.
- PowerPoint presentations work well to show examples and visually explain use cases, solutions, and issues. It's also the best way to show dashboards and visualizations.
- Screenshots and images in PowerPoint are always a safer bet than relying on venue WiFi. Also bring your presentation on a USB drive and email it to yourself as a backup.
- White boards, etc are also helpful. Just make sure the venue has what you need available before your meetup.
- Each presentation should last no longer than 30 minutes. It's best practice to plan about 20-30 minutes of content and 10-20 minutes of interaction/Q&A. Get the audience involved!
- Plan no more than 3 content items per meetup. It's good practice to open with a Splunk update from a local SE, followed by a user presentation/use case, round table discussion, or something else focused on the user and not presented by Splunk.
- Some user group leaders record meetings or stream them on YouTube for those who were unable to attend.
Content and Activities – Suggestions and Ideas
- Activities
- SPL-ing Bee
- BOTS
- Splunk Jeopardy
- Q&A panel with local Splunk tech services (PS/SE/etc) people mixed in with the experienced customers
Get in touch with other User Group leaders or the Community team for advice on how
- Workshops
- Let the group help resolve the 'worst search' or an 'inefficient architecture' scenario or other performance issues with real or obfuscated data. Workshops are especially great to do when a relevant expert is in town.
- Sharing
- Stream your meetings on YouTube so remote people can still attend.
- Presentation Topics
- Ideas
Swag and Expenses
You can expense food, drink, and swag for meetings. We ask that you try to spend no more than $15 per person per meeting. Please contact the Splunk Community Manager if you want to do something special or unusually expensive.
If you are a Splunk employee or contractor, use the expense reporting category called Splunk User Group Reimbursement.
If you are a partner or a customer, contact the Splunk Community Manager for the expense form. Please keep your itemized receipt! Expenses are reimbursed by check within the US and by wire transfer outside the U.S.
If you are a customer who works closely with your SE on User Groups, you may be able to work with your SE to have them purchase food and beverage on their expense account while you use the $15/user for swag, or vice-versa.
Cadence
The cadence is the steady frequency at which a user group meets.
Cadence Best Practices
The minimum that any User Group should meet is quarterly, and many successful groups meet monthly or every other month. These monthly or bi-monthly meetups keep the User Group as top of mind for members, and if they have to miss one, they don't have to wait an entire quarter for the next one.
Having a consistent cadence is key. For example, the San Francisco group meets the first Wednesday of the month. This way, the members know what to expect, and can block time off on their calendars for future meetings.
Even if just a few members show up from time to time, don't cancel—it's a club, and people should be able to rely on the meeting happening.
Many User Groups hold a .conf-themed meetup after Splunk's annual .conf event. This way, the local SE or Splunker can share any new announcements or interesting technical presentations from .conf, which not every customer has a chance to attend. Even if this does not fall within the typical cadence, 'extra' meetups such as these are valuable.
Tips for growing your group
Wait until the time is right. What happens with a lot of user groups (not necessarily Splunk) is that they get started without enough local support, and they have one or two meetings, and then *crickets*.
Attend other technical meetups and industry events and make connections. Share all User Group meetups on your professional social networks (LinkedIn, Twitter, etc.). Post photos after the event to show your network what they've missed so they'll join next time.
Look for quality over quantity. If you have 5-10 people meeting regularly and truly sharing their Splunk triumphs and problems with each other, the group is a success.
The Slack Audit Logs API is for monitoring the audit events happening in a Slack Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow the user to audit suspicious behavior within the enterprise. This essentially means it is an API to know who did what and when in the Slack Enterprise Grid account.
Enterprise Grid is a 'network' of two or more Slack workspace instances. Each Slack workspace has its own ID, its own directory of members, its own channels, conversations, files, and zeitgeist.
We are excited to announce the Slack Add-on for Splunk, that targets this API as a brand new data source for Splunk.
For more information on the audit logs API, please refer to the Slack Documentation and to get a complete list of all audit actions, refer to this link as the Source of Truth.
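The post describes the Audit Logs API as the record of who did what and when. Once those entries are in Splunk (or pulled directly from the API), the useful work is triage: surfacing the few events a security reviewer should look at. The following is an added example, not code from the original post or from the Splunk Add-on for Slack. It assumes the audit entry layout (action, actor.user, context.ip_address, date_create) as documented for the API; the sample entries, the action watchlist, the "known" corporate network range and the download-burst threshold are all constructed values, and the action names should be verified against the action list the post links to as the source of truth.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample entries in the Audit Logs API entry shape (assumed layout).
# Timestamps are mid-March 2018, i.e. just after the feature became available.
SAMPLE_ENTRIES = [
    {"id": "e1", "date_create": 1521214343, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "W111", "email": "alice@example.com"}},
     "context": {"ip_address": "203.0.113.10", "location": {"type": "workspace", "name": "eng"}}},
    {"id": "e2", "date_create": 1521214400, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "W111", "email": "alice@example.com"}},
     "context": {"ip_address": "198.51.100.77", "location": {"type": "workspace", "name": "eng"}}},
    {"id": "e3", "date_create": 1521214500, "action": "owner_transferred",
     "actor": {"type": "user", "user": {"id": "W222", "email": "bob@example.com"}},
     "context": {"ip_address": "203.0.113.11", "location": {"type": "enterprise", "name": "acme"}}},
    {"id": "e4", "date_create": 1521214600, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "W222", "email": "bob@example.com"}},
     "context": {"ip_address": "203.0.113.11", "location": {"type": "workspace", "name": "eng"}}},
    {"id": "e5", "date_create": 1521214601, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "W222", "email": "bob@example.com"}},
     "context": {"ip_address": "203.0.113.11", "location": {"type": "workspace", "name": "eng"}}},
    {"id": "e6", "date_create": 1521214602, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "W222", "email": "bob@example.com"}},
     "context": {"ip_address": "203.0.113.11", "location": {"type": "workspace", "name": "eng"}}},
]

# Assumed corporate egress range (constructed, RFC 5737 documentation prefix).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed watchlist of org-level actions that always deserve a look.
HIGH_RISK_ACTIONS = {"owner_transferred"}
# Assumed threshold: this many downloads by one actor in a single batch.
DOWNLOAD_BURST_THRESHOLD = 3


def normalize(entry):
    """Flatten one audit entry into the handful of fields a triage rule needs."""
    actor = entry.get("actor", {}).get("user", {})
    ctx = entry.get("context", {})
    return {
        "id": entry["id"],
        "time": datetime.fromtimestamp(entry["date_create"], tz=timezone.utc),
        "action": entry["action"],
        "actor_id": actor.get("id"),
        "actor_email": actor.get("email"),
        "ip": ctx.get("ip_address"),
        "workspace": ctx.get("location", {}).get("name"),
    }


def ip_is_known(ip, networks):
    """True when the address falls inside one of the known networks."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(entries, known_networks=KNOWN_NETWORKS, high_risk=HIGH_RISK_ACTIONS,
           burst=DOWNLOAD_BURST_THRESHOLD):
    """Return (entry_id, reason) findings, ordered by event time."""
    events = sorted((normalize(e) for e in entries), key=lambda e: e["time"])
    findings = []
    downloads = Counter()
    for ev in events:
        # Logins from outside the known ranges: possible credential misuse.
        if ev["action"] == "user_login" and not ip_is_known(ev["ip"], known_networks):
            findings.append((ev["id"], f"login by {ev['actor_email']} from unknown IP {ev['ip']}"))
        # Org-level actions on the watchlist are reviewed unconditionally.
        if ev["action"] in high_risk:
            findings.append((ev["id"], f"high-risk action {ev['action']} by {ev['actor_email']}"))
        # Flag once, at the moment an actor crosses the download threshold.
        if ev["action"] == "file_downloaded":
            downloads[ev["actor_id"]] += 1
            if downloads[ev["actor_id"]] == burst:
                findings.append((ev["id"], f"{burst} downloads by {ev['actor_email']} in this batch"))
    return findings


if __name__ == "__main__":
    for entry_id, reason in triage(SAMPLE_ENTRIES):
        print(entry_id, reason)
```

Against the constructed sample this reports three events: Alice's second login from an address outside the known range, Bob's ownership transfer, and Bob's third download. The same three rules map directly onto searches in the Slack Audit App dashboards once the add-on is feeding the slack_audit index.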
Slack Components
There are 2 main considerations to note on the Slack side:
- Enterprise Grid Account: Audit Logs API is only available to Slack workspaces on Slack Enterprise Grid. These API methods will not work with Free, Standard, or Plus plans.
- The earliest possible timestamp is when the Audit Logs feature was enabled for the Grid Organization, around mid-March 2018. Additionally, for organizations that migrated to Grid later (after 2018), logs for events that took place before the feature became available to them will not be available.
Splunk Setup Overview
- Download and install the Splunk Add-on for Slack
- Configure an audit input for a given Enterprise account
- Generate Access Token
Download and Install the Splunk Add-on for Slack
The Splunk Add-on for Slack is listed on Splunkbase.
Configure an Audit Input for a Given Enterprise Account
The configuration steps are common for both on-prem and cloud. Follow these steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the Splunk homepage.
3. Click on the Configuration tab and then Click on the “Add” button.
4. Enter a unique name for the Global Account. This doesn't have to be the name of your Enterprise Grid Slack Account; it is only used on the Splunk side for configuration.
5. Access Token (required): See the "Generate Access Token" section below for detailed instructions on how to generate this. Alternatively, you can bring your own xoxp-token with the auditlogs:read scope. Contact your Slack account team or feedback@slack.com for up-to-date instructions on how to generate the token.
6. Click on the Create New Input button on the top right corner of the Input page.
7. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be slack_audit, if using in conjunction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format yyyy-mm-dd hh:mm:ss. The default has been set to 2018-01-01 00:00:00.
- Enterprise Slack Account (required): Select the global Slack account that you configured on steps 4 and 5.
8. Click on Add to save the input.
9. To check for any logs or errors, navigate to the Search tab and enter the following search: index=_internal source="*ta_slack_add_on_for_splunk_*.log"
Generate Access Token
1. Click on the Add to Slack button to initiate the Authentication flow.
2. Sign into your organization's Enterprise Grid Slack account from the Sign in page. Please note: Audit logs can only be retrieved by the org owner in a Slack Enterprise Grid account.
3. You will be presented with a screen to authorize the Slack Audit API App to collect the audit log information from your Enterprise Grid account. Click on the Content and info about you and Administer Slack for your organization options to see what the app can view. If you see this screen, skip step 4 and proceed to step 5.
4. If you are not presented with the content in Step 3, close the dialog box and re-initiate the authentication process from Step 1.
5. Click on Allow to generate your access token.
6. The access token should now be generated. On the Access Token Generated page, click on the Copy Access Token button to copy the token to your clipboard and close the pop up window.
7. Manually paste the Access token into the Access Token text box of your Input configuration page.
8. The Access token should be about 79-80 characters long. If the character length of the pasted token isn't roughly the same size, re-initiate the authentication process to generate the token from Step 1.
And that's it. We have built an app to visualize the data brought into Splunk. Head on over to the Slack Audit App for Splunk to see this data inside the already pre-built dashboards.
View our Tech Talk: Platform Edition, Getting Slack Data into Splunk on demand.
Happy Splunking!