Operating Tomatoes: Defining a Target Operating Model for Splunk (ToM)
Author: Ben Marrable
Release Date: 29/06/21
Let’s first define what a target operating model is. Wikipedia defines a target operating model as:
“Target operating model is a description of the desired state of the operating model of an organisation. When working on the operating model, it is normal to define the “as is” model and the “to be” model. The target operating model is the “to be” model. It is possible to produce a target operating model for a business or a function within a business or a government department or a charity.”
To expand on that with the definition of an operating model:
“An operating model is both an abstract and visual representation (model) of how an organization delivers value to its customers or beneficiaries as well as how an organization actually runs itself.”
Applying these definitions to a technology such as Splunk, we can deduce the definition of a Splunk Target Operating Model as being:
“The Splunk Target Operating Model (ToM) is an abstract and visual representation of the desired state of the Splunk technology within the organisation, defining the operating procedures of Splunk with the aim of delivering the maximum value to the business”
When you read it like that, it’s quite clear how important it is to define a target operating model and run the Splunk technology as closely aligned to it as possible.
I’ve been writing ToMs for many customers now and each one is different, but they all share the same standard concepts for the technology. We look at three of these concepts as the pillars of Splunk; these pillars work as the foundations from which to grow and run the solution. The three technical pillars are Role Based Access Control Design, Index Design and Application Design. Without any one of these, the further concepts, known as Frameworks, will not be viable, so it is imperative that we get these correct.
Once the pillars are defined, the next step is to define the frameworks that allow for a sustainable and scalable Splunk technology. These frameworks cover the running of the technology using the latest recommended practices, highlighting minimum levels of skills required, architectural requirements, governance levels, operating teams and operating processes.
The image above covers possibilities for these frameworks but, as I said before, each operating model needs to be tailored to you and to the requirements of the Splunk technology for your business.