Value Acceleration Program for Splunk

Frequently Asked Questions (FAQs)


Is SP6’s Value Acceleration Program for Splunk designed to replace an organization’s own in-house Splunk Admin?

It depends. 

Splunk recommends that all organizations ingesting over 1 TB of data per day have a full-time Splunk admin. If this admin is fully dedicated to Splunk, you may not need outside assistance. Most of the time, however, organizations need additional, fractional guidance because: 

  • Their admin is spread across multiple solutions, leaving them too little time to (a) properly administer Splunk or (b) develop the proper Splunk expertise. 
  • They only have one Splunk resource, meaning critical Splunk-related work might come to a standstill when that person leaves their role. 

The consequences of these situations are dire: an expensive solution being massively underutilized, data feeds dropping, and compliance issues arising. 


Is part of SP6’s Value Acceleration Program outsourced MDR / vSOC services?

No. SP6 does not outsource security analysts or MDR for SOCs or NOCs. Our expertise lies in maximizing the technologies that these staff members rely on. 

Most of our customers maintain their own in-house security analysts. For customers that want to outsource 24/7 security monitoring, however, SP6 provides partnerships with third-party MSSPs (Managed Security Service Providers). We’ll manage the platform, and the MSSP will handle the 24/7 monitoring and alerting. 


Is Splunk administration (in-house or outsourced) needed when utilizing Splunk’s SaaS product, Splunk Cloud?

Absolutely. The only component of Splunk Cloud that Splunk’s Cloud Operations Team manages is the infrastructure the software sits on. It’s still the customer’s responsibility to manage: 

  • Domain advisement 
  • License management and data governance 
  • Data ingest (including forwarders that need to be actively managed and updated) 
  • Creation of custom content (reports, dashboards, alerts, etc.) 
  • Data normalization 
  • Much more 


How is SP6’s Acceleration Program for Splunk priced?

SP6 examines each customer Splunk environment uniquely to calculate the overall level of effort required to perform the ongoing monthly services. Each client receives a bundle of Base Services (think of this as the baseline ‘care and feeding’ of Splunk) as well as a set, calculated number of monthly Service Credits.  

Pricing determinants include: 

  • Size of Splunk license 
  • # of data sources feeding into Splunk, which dictates the # of integrations that need to be supported 
  • # of Splunk users 
  • # of Splunk premium apps, if any (ES, ITSI, etc.) 
  • Extent to which the customer is currently administering Splunk and their level of expertise 
  • Complexity of Splunk environment (# of instances, whether architected for high availability, etc.) 
  • Customer change control process 


Does SP6 host the infrastructure that Splunk resides on?

No. SP6 does not manage the infrastructure that Splunk is deployed to. This infrastructure is managed by the customer, their Cloud Service Provider (CSP), or Splunk Cloud.

Our service is “co-managed” because SP6 is responsible – along with the customer – for managing the Splunk software itself. This involves creating custom content such as reports, dashboards, and alerts, managing and troubleshooting issues tied to data collection (forwarders, heavy forwarders, syslog, etc.), assisting with data governance and normalization, and any other necessary activities. 


Can and does SP6 support all Splunk products?

Yes. SP6 supports all Splunk products and solutions, including premium apps such as Enterprise Security, ITSI, Splunk SOAR, Splunk Observability Suite, and Splunk On-Call. 

To tackle these different solutions, SP6 has two primary teams of Splunk experts: InfoSec experts and IT Operations/Observability experts. We also have pure platform experts for customers that require pure back-end platform engineering. 


Splunk and other service providers offer similar, but not-quite-the-same service offerings. How do they differ?

Assigned Expert: Splunk’s Assigned Experts provide purely advisory services. SP6 provides advisory services and hands-on Splunk administration in your environment. 

Admin on Demand: Splunk’s Admin On Demand service is similar to technical support. When you open a ticket, you’ll be assigned a resource from a pool of admins who are unfamiliar with your environment. SP6, on the other hand, fosters customer intimacy by assigning all customers a primary and secondary SME. This allows us to deeply understand your environment and efficiently perform new tasks, and it’s the main driver of our high customer satisfaction scores. 

Other Splunk partners: Splunk has an ecosystem of partners, but SP6 was named the only 2023 AMER Professional Services Partner of the Year. Unlike other partners, we only hire senior, experienced Splunk experts with exceptional customer-facing capabilities.