Index Management Dashboards for Cox Automotive
Customer: Cox Automotive
Industry: Professional Services
Business Pain: Cox Auto Incorporated (CAI) was exceeding its licensed ingestion volume for Splunk, indexing over 10TB of data against an 8TB license. Getting ingestion below the licensed volume was a priority. A large part of that effort was finding debug data, tracking it, and reporting its details so that the different teams would know to turn off debug logging. This was one of the tasks assigned to TekStream.
Cooperation with different SMEs was difficult, as many wanted to keep debug-level logging enabled. Despite being presented with the license violations, there wasn’t a willingness to reduce logging levels. Escalation to management was required to get the process of reducing indexing started.
How we fixed it: TekStream built searches for each BU that found debug data through regex matching, calculated the volume in GB, broke the volume down by metadata fields, and summarized the results in a final table. These searches gave visibility into the biggest BUs on the CAI Cloud environment and were used to create dashboards for further reporting.
Dashboards went through extensive review by leadership and team members to ensure clarity and ease of adoption. The dashboard included different methods of partitioning the data (i.e. by source and host) along with other functionalities like a dollar amount conversion and volume trend. CAI’s Splunk team was told how to maintain the searches and dashboards in the future.
Given the fluctuating volume of debug data, CAI could see an estimated $200,000 in savings from implementing controls on debug data highlighted by these dashboards.