The number of Splunk Admins required at a company depends upon the volume of data being ingested.
It’s common in mid-sized companies to get by with no full-time Splunk Admin. Duties of managing the Splunk platform are typically only part of someone’s responsibilities, whether that be Systems Administration or Information Security.
As more data is ingested into Splunk, full-time attention is required. Splunk advises that for every 500 gig of data being ingested into Splunk, a company needs 1 ½ full-time Splunk Admins.
Case in point, Aditum recruited a Splunk Engineer out of a large software company ($3.3 billion in annual sales). The company was ingested 500 gig of data from 1,800 servers into Splunk on a daily basis. Splunk would advise that this requires 1 ½ full-time Splunk Admins. IT leadership at this Admin’s employer, however, did not see it that way and had this engineer stretched thin. The engineer was responsible for running the company’s NOC, administering Splunk, and was the primary tool administrator on two other mission-critical applications. His requests for additional help were denied, primarily because the company was laying people off and he was asked to simply do more and wear all of those hats.
Eventually, frustrated, that Splunk Admin left his employer. Ironically, and perhaps fittingly according to Splunk’s own guidance of hiring best practices, he was replaced with (2) Splunk Admins. His company “got it”, but only after losing a valuable resource that had been with the company for close to seven years and had an incredible amount of domain knowledge that walked out the door when he left the company.
When data ingestion increases above 500 GB, resourcing requirements increase. Splunk suggests both (1) Splunk Architect/Admin and (1) Splunk Administrator (each) when ingesting 500 GB to 1 terabyte of data, for an on premise deployment. An on premise deployment of over 1 terabyte of data ingestion would require 2+ Splunk engineers per every terabyte of data ingestion.
Splunk recommends that only 25% of these resourcing requirements would be required when using Splunk Cloud.
Aditum is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration and Splunk development. Aditum has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.