 Live from Orlando, Florida, it's theCUBE, covered.conf18, brought to you by Splunk. Welcome back to Orlando, everybody, home of Disney World, and this week, home of theCUBE. I'm Dave Vellante, and he's Stu Miniman. Stephen Hatch is here, he's the manager of Enterprise Logging Services at Cox Automotive. Stephen, thanks for coming on theCUBE. Thank you. So, you've been with Splunk for a while. We're here at Conf18, Logging Services, Enterprise Logging Services. When you think of Splunk, the roots, Splunk go back to sort of log files, analyzing log files, it's in your title. Yes. Essentially. You must be pretty intimately tied to, as a practitioner to this capability, but talk about your role and what you do at Cox. Primarily, the role is to be the evangelist, the enabler, and the center of excellence when it comes down to getting those best practices propagated within the enterprise. So, people come to you for advice, counsel, you play sort of internal consultant. What qualified you to do that? You were a practitioner prior to this, so you got your hands dirty, and you kind of now elevated to. My prior role was a site operations or site reliability engineer and then manager, and so having that background, I've been in IT since 96, so I'm a little old in the game, but basically having that operational knowledge, and knowing how to think big picture when things are happening or transpiring, or to reverse and go back and find that root cause analysis. 96, just to pop, my friend, okay? So, talk a little, Stu, we were talking off camera about the number of brands that Cox Automotive has, Cox and Kelly Blue Book and numerous others, I mean, dozens. Each of these is kind of its own data silo. How do you guys go about using Splunk? Are you able to break down some of those silos? Maybe you could share that with us. Yeah, so we have been successful on a lot of the big three really, the Kelly Blue Book, Mannheim, as well as AutoTrader, to really break in. A lot of that was because of our already previous relationships with team members and leaders. On the other side of the coin is the newly acquired companies that are not in Atlanta, Georgia, that are in places like Groton, Connecticut, South Jordan, Utah, upstate New York, as well as the Toronto area in Canada. And so, WebEx, join me, email just won't cut it. You actually have to sit down with these people and really showcase your business case, your model, and what you're trying to bring to the table. But of course, the approach is always important. And you're using Splunk to do that as a collaboration tool as well? Yes, sir, yep. Explain that a little bit. So, a lot of times, as you mentioned, the silos, you know, as a bigger brand now, it's no longer an excuse for you to only be responsible for your data and not showcase it or share that data. Because we're thinking about the entire lifecycle, COXSIDOMotive, and this entity of COXSIDOMotive, that's important to us now. So for you to hold tight or to hoard your data or your metrics and not share them, that's not good business anymore. Yeah, so Stephen, you know, we've talked to a lot of companies that do M&A and it's usually like, well, this is the products we use, these are the structures that we have. One of the things we hear from Splunk is that you can get to, you know, your data your way. Maybe, how does the kind of Splunk modeling and how you look at data fit into that M&A? Is that an enabler for you to be able to get that in? Yeah, and so when you can showcase the ability of how the data comes in and quickly, that's the key word, right? To showcase how that data can be very valuable to them, especially to their stakeholders. That's when light bulbs will go off. And again, it's the stakeholders and then champions that we need to bring to the table to make sure that we can get full adoption. Yeah, we've also, you know, Dave's been to the show a few times, it's my first time and what I've really heard a bunch of is the people that know how to use Splunk, they're super valuable, that valuable inside the company. We've heard people, you know, they get training, people inside the company, they look to get hired. Tell us a little bit about what you've seen, what it means to your role inside the company and as you network with your peers here. It's a lot of exposure. A lot of people are very anxious to get some type of insights into their world, their infrastructure, their applications, their business tools. A lot of times there are people out there that are very savvy from a business perspective that have a bunch of KPIs in their head but no one has actually extracted that information from them. And so our job is to align with their KPIs. You know, over the last couple of years, that's what the journey that we've been on is to now revisit the data that we just ingested. You know, that's the basic foundation. We want to elevate now and really get more mature and to align with those business KPIs. Meaning they have this tribal knowledge in their head. Yes, sir. And you want to codify that so that it can be shared. Correct. Go about doing that. Is it sitting on a whiteboard and understanding that? It can be a whiteboard. It can be over a coffee. If I need to get on a plane and go see them in person and to really just listen and ask the questions when it's time. But again, listen and really understand what's important to them. What is important to their business, to their function, to their silos. CoxIberMotive has five, what we call pillars, whether it's international finance, marketing, retail, or media, and each one of those owners, over time, wants the specific value. So if you go and have a chalkboard session, whiteboard session with one of these folks, how do you operationalize it? You got to figure out where the data exists so that you can align with what's in their head. Is that right? And then how do you do that? How do you scale it? Well, so again, you have to start from the top. If you start from the bottom, you'll be in the weeds until the end of time so the more efficient manner is to start from the top and realize those KPIs from those leaders, those stakeholders. And then from there, tool like ITSI, which is basically built around services and entities and aligning to their service decomposition model. And that right there allows you to stay consistent and efficient on getting that information. So you start top down. Yes, sir. But ultimately, people are going to want granularity. So you start, so as a top down, bottom up type of approach where you actually drill, drill, drill, drill, drill and then get to the point where you can answer all those granular questions. And then by doing that, if I understand it correctly, you know it sums to the top line. Is that fair? Yeah, yeah. There's a point in time where you say, you know what, I could really now enhance or enrich the data by a dataset that I know where it is. So the key path will get you to a certain point and then define that happy medium or that common denominator from the data that you already have on premise or from your apps, wherever they reside, that's where you can meet the gap. Otherwise you'll never get it done. You'll just end up boiling the ocean. Yes, sir. All right, so when we talked to you two years ago, you were using Splunk Cloud. When we talked to practitioners, it's the things that they're managing. A lot of times now, most of it's not what they own. So how do I get the right information? How do I manage that environment? Talk to us a little bit about what you've seen on the maturation of Splunk Cloud. If there's anything in 7.2 or Splunk Next, that's exciting you to help you do your job even better. Oh man, so of course the key note today, the DSP, the processing layer that's in front of the cloud or in front of the indexers now, where in real time I can now route data specifically from a security standpoint. If there's some type of event, I can, without having to go through all the restarts and configuration management and everything else, I can simply put something in there right there and move the data or mask the data. The ability with the infrastructure app, that's exciting to me, as well as all the feature updates for ITSI, enterprise security, as well as the cloud itself. Can we do a little Splunk 101 for my benefit? So I heard today from one of the product folks that it used to be when you added another indexer, you had to add storage and compute simultaneously, so whether or not you needed the storage, you had to add it or vice versa. So an indexer is what, is it essentially a Splunk node? It's a Splunk node, it can be basically a Linux host that actually has the agent running as an indexer with the attached disk. Right, okay, and it used to be you had to buy that in chunks kind of like HCI, right? And you couldn't scale storage independent of compute. That's correct. And what that meant is you were paying for stuff that you might not need. Correct. So with 7.2, I guess it is, you can split those and you get more granular. What does that mean for you? Well, being a now four year customer of Splunk cloud and anytime we went to the next version of our, or licensed the next step up, currently we're on about six terabytes when we go up to eight, that then entailed more indexers being added to the cluster, which meant more time for the replication and search factors to be met, which can take however long and then, or if there is any kind of issue with the indexer where one had to be pulled out and another one introduced, how long does that take? Now, with the decoupling of the compute from the storage, it's minutes. And so it's a fraction of the time. If I understand, because that, I understood it real well in an appliance, but it's the same architecture if it's done in the cloud. Is that correct? Essentially, actually it's a new architecture in my mind where now it's able to scale more and then there's, I'm not sure how much they talked about, but there's a potential of the elasticity of it. And so now I don't have to be so fixed. I can on certain times expand the cluster for search performance or bring it back down when it's not needed. Yeah, some of the promise of cloud. Yes, sir. Splunk cloud. It's like the Billy Bean, the five tool star. You got cost, you got availability, you got speed, you got flexibility and you got business value ultimately, which is what's driving here. So I take, I'm inferring you'd expect to use this capability in the near future. Very much so. Great. What else is on your horizon? What are the cool stuff you're working on and since you want to share with us? In addition to our leveraging Splunk cloud for four years, next year we plan to move away from our current SIM tool into enterprise security. So it's very exciting to hear the continually updating that product. And so our security team has been knocking on my door for the last six months to really get that started. So once we get there, we'll start the migration efforts and get Splunk cloud now enabled with the enterprise security to really empower our security team and stay ahead of our threats. So I've been around a long time and ever since I can remember being in this business, customers have wanted to consolidate the number of vendors with whom they work. But the allure of best of breed always sucks them into, oh, let's try this, you get shadow IT. It sounds like with Splunk, you're approaching this as a platform that you can use for a variety of different use cases. That is correct. Now whether or not you reduce the number of vendors is maybe a separate conversation. But I guess the question I have is, how are you using Splunk in new ways? It sounds like it's permeating the line of business. SecOps, et cetera, is that an accurate picture if you could describe? Yeah, so Splunk itself, the core is the platform for so many different other functions within the business. You have security. You have the development group DevOps where from a CI CD perspective, now they can measure the metrics or the latency in between when they create a car, say in rally, all the way to the very end of the line. What are all those metrics that are there that they can leverage to increase their productivity? Obviously infrastructure. As we consolidate all of our data centers down, wouldn't it be nice to know if the specific low balancers or switches are still having traffic traverse them and to actually get a depiction of the consolidation effort? From a virtualization standpoint, isn't it powerful to know how many devices ESX hosts are actually fully being utilized and how many are actually vacant and how much money can be saved if we were actually to turn down those specific blades or hosts or VMs that aren't being leveraged but they're sitting there, taking up valuable resources? I remember when Splunk, right around the time they went public, I remember two instances, maybe three, there was a MPP database company, there was a large three letter firm and there was a kind of an open source specialist. And I heard the same thing from each of them was we have the Splunk killer. This is like five, six years ago. It seems like the Splunk killer was Splunk. And it never really happened. Why is it? Why is Splunk so effective? You obviously see, you're independent. You want to use the best thing for Cox Automotive. That's correct. What is it about Splunk that sets them apart, puts them in the lead? The scale capabilities, having this type of environment, what the conference is and the sales group and the support groups, very intentional about listening, having workshops where they come on premise to help us out on our use cases to really educate their users because the more their users are elevated from a knowledge standpoint, the more they will then exercise the application. If they all stay basic, why would I need another component of Splunk? Why would I need enterprise security? Why would I need to expand my subscription into the cloud? The more I can exercise it, the more I'll need. So it's kind of a give-get. They come in knowing that if they expose you to other best practices, you're going to be more effective in the use of Splunk and you might apply it into other parts of your business. My appetite will grow. My user's appetite will grow. And these are freebies that they're doing? Service is freebies or are they paid for services? They have no problem coming in, supplying the necessary ammunition or food to entice, to have folks come in. But it's powerful to have all the engineers in there to really show us how things work. Because again, it's a win-win. And you're a football fan, I understand. Yes, sir. Chiefs of your team, right? That's correct. Were you a football player? For a little while, yes. Now I coach, yeah, so that's my... You coach? Oh, what? Eight year olds. Kitty football? Oh, awesome. Is that Pop Warner these days still or is it like that? Flag football or tackle? Tackle football. Really? Yep. Yes, my son is eight and he's playing fullback right now. I'm very excited. Happy father. See, is he a big boy like his dad? He's going to be bigger than I think, than his father. Yeah. Yes, sir. That's awesome. Well, listen, thanks very much, Stephen, for coming on theCUBE. It was really a pleasure meeting you. Appreciate it. Thank you very much. Yes, sir. All right, keep it right there, everybody. Stu and I will be back with our next guest. We're live from SplunkConf 18. You're watching theCUBE.