What to Expect When You’re Expecting a Splunk Consultant

I’ve worked with several dozen Splunk customers in a variety of businesses, at scales from a single-VM proof-of-concept to hundreds of terabytes a day, and while we try to cover a lot of what I’m going to talk about in a kickoff call before your consultant shows up, these are good things to have in mind.


This is the single biggest pain point I see in the field on Day One: how do I access your environment?  Is it managed by your company, or is it in Splunk Cloud?  If this is not worked out ahead of time, it’s common to lose hours waiting to get a VPN account set up or find and configure a loaner laptop.  Sometimes this is unavoidable, but if at all possible, get as much of this approved and completed as you can.  In my experience, when a consultant is coming onsite, using a loaner machine, if that is feasible, tends to work smoothly.

Consider what permissions are necessary to do the work and what is acceptable in your organization.  For example, a Splunk installation or upgrade will require root access – do your policies allow a Splunk consultant to have that?  If not, does your consultant’s contact during the engagement have the necessary permissions, or do you need to arrange some time with someone on your server administration team?  The same goes for Admin access in the Splunk UI or access to your Splunk Cloud account.

Last but not least, do you know your Splunk admin account password?  You need it to perform a lot of important functions in Splunk, and work can stall out if you do not know or have access to those credentials.

Help From Others

If part of your Splunk PS engagement is integrating with other systems, such as setting up DBConnect against one of your databases, gathering data from AWS or Microsoft Cloud Services, or sending alerts to a ticketing system’s API, we will need to work with administrators on other teams.  Be sure to set up a time with those resources during the engagement.

Phone Numbers

If your Splunk consultant is coming onsite, be sure to provide phone numbers for two people they can contact if they are unable to access your office or missed a subway stop on the way in.

Plan B for the Splunk Consultant

Make a plan for what to do if you are unexpectedly unable to work with your Splunk consultant during the engagement.  Many of my customers are not full-time Splunk gurus. If it happens that you were up all night addressing a SAN crash, or you’re called away to a surprise day-long offsite meeting, or you get the flu midweek, is there someone else who can answer questions if they come up?

Stretch Goals

We might finish early or find ourselves unable to start on something we expected to do.  It’s good to have a few extra things in mind to tackle during that “general consulting” time, so put together a list of things you’d like to learn about or fix.  Maybe it’s a dashboard you want to perform better, or you want to learn how to create an alert, or you’d like us to teach a developer team how to Splunk their application logs.  We want you to get your money’s worth.

About SP6

SP6 is a Splunk consulting firm focused on Splunk professional services, including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market.