Faster Time To Value With Splunk IT Service Intelligence Service Sandbox

Whether you’re new to Splunk IT Service Intelligence (ITSI) or trying to build out more services within your existing ITSI environment, it can feel overwhelming to get started. Previously, you were limited to relying heavily on experts on your team to sit down with you in front of a white board or spreadsheet to draw out what your services and its dependencies could look like. With the release of Splunk ITSI 4.19, we’re excited to introduce the Splunk ITSI service sandbox.

Splunk ITSI Service sandbox enables users to map services directly in the UI, reducing service decomposition time. In a pre-production, sandbox environment, you can add, manage, and edit services, link service dependencies, and share with dependent teams prior to publishing to ITSI Service Analyzer. This sandbox environment allows teams to experiment and ensure services won’t break, before they’re in production.

Getting Started With ITSI Service Sandbox

To access your service sandboxes, simply navigate to Configuration > Service Monitoring > Service Sandboxes. 

Once you've clicked on the "Service Sandboxes" section, you may navigate an organized list showcasing all the sandboxes you or your team have previously created. To kick off a new sandbox, look for the 'Create service sandbox' on the bottom right. Click the button to configure a new sandbox environment. 

Next, set the name and description of your new sandbox, click Create, then choose the sandbox you just created from the list.

Create or Import Content

Here, you have a few options:

• Create a new service - Choose this if you’re testing out some services, but not ready to link a service template or dependencies.
• Create from a service template - Choose this option if you have existing service templates you’d like to use to map out your service tree. This option is preferred if you want to simulate your sandbox health score with entity filtering rules and KPIs.
• Import from CSV - Choose this option if you worked with a Splunk professional services resource, services partner, or have an existing service decomposition CSV export.

After choosing your preferred option, follow the steps to develop your service trees.

Set up Your Service Tree

When setting up your service tree, it is important to simulate the service health score to get a better idea of how the child services impact the parent service. Doing this simulation prior to publishing to Service Analyzer helps you catch potential issues and adjust appropriately.

Now that you’ve built out your service trees, added service templates with KPIs and entity rules, simulated your health scores and are satisfied with the result, you can save your work as a draft. At this point, you can either walk over to your nearest team member and share your draft, or publish. 

Pre-Publish Validation

Whenever deciding to save progress in a sandbox, you may select the ‘Save as Draft’ button. This involves the sandbox conducting a comprehensive list of validation steps that scrutinizes your data and configurations, ensuring no errors exist that could disrupt services in production. Let's take a closer look: 

1. Scan for Errors: When you save, the system scans for any missing data, coding errors, and configuration issues that may affect performance or the sandbox outcome. 
2. Check Compatibility: The system verifies that all components in the sandbox are compatible, fully functional, and available with the rest of your production environment. 
3. Performance: The system validates that all configurations meet the required efficiency standards without straining resources. 

After completing the save draft step, but before publishing, the system undergoes another series of checks. The double layer of validation serves as a failsafe and gives users a chance to review potential issues before the final version goes live:

1. Revisit Errors: The review revisits all previous checks to catch any errors possibly overlooked. 
2. Check Permissions: Permissions are viewed to ensure only authorized users can make final changes for publishing. 
3. Final Resource Capacity: The capacity of resources are checked to ensure publishing doesn't cause unnecessary strain.

By incorporating these validation steps, service sandbox helps reduce the risk of publishing issues to production and thereby enhance service setup.

Oops! But What if I Notice a Mistake After Publishing?

After you hit publish, you will have access to your services in Service Analyzer. But wait! What if you notice a potential issue after publishing? Don’t fret - we’ve accounted for the “oopsie” that might arise. Simply navigate back to your Service sandbox, click reset, and revert the sandbox. This will remove the services from Service Analyzer, put it back into your sandbox, and allow you to make edits as needed before publishing again.

Permissions and Availability

In this version of the ITSI Service sandbox, two main ITSI roles will have some level of access:

• itoa_admin: Create services, publish services to Service Analyzer, reset and revert services from Service Analyzer back into service sandbox
• Itoa_team_admin: Create services, save as draft, read only permission once a sandbox has published to Service Analyzer

This feature is currently available starting with IT Service Intelligence 4.19 for both Splunk Enterprise and Splunk Cloud Platform customers. 

With the ITSI Service sandbox, you can now leverage the feature during your service decomposition process. What previously took a significant amount of time even while working with professional services resources, will now decrease. We look forward to hearing your feedback as we continue to improve service onboarding, decomposition, and getting started with Splunk products. Do not hesitate to reach out to your Splunk account team for additional feedback and support. For more detailed step-by-step instructions on how to set up your service sandboxes and additional granular capabilities, please refer to Splunk Docs.

Follow all the conversations coming out of #splunkconf24!

Follow @splunk