 Live from Washington, D.C., it's theCUBE. Covering .conf 2017, brought to you by Splunk. Welcome back. Here on theCUBE, along with Dave Vellante, I am John Walls for live at .conf 2017. As Splunk continues with day two of its get together here in the nation's capital, Washington, D.C., home game for me. I love it. Dave's up the road in Boston, so yeah, he had to hit the road a little bit, but not as bad as it can be sometimes for you. I'll take D.C. over Vegas. Sorry, Vegas. Yeah, but you travel a lot, man. You're on the road. Chris Kurtz travels a lot, too. He's come with us from Arizona State University. He's a systems architect out there. Chris, always good to see you. We had a chance to visit last year for the first time. A member of the Splunk Trust. And in general, with a quite a diverse background. I mean, he supported Mars missions as part of the Mars mission facility in Phoenix. Working now, as you said, at Arizona State. But also the trust. Let's talk about that a little bit because there was some conversation yesterday from the keynote stage about expanding that group. Absolutely. Adding 14 new members and for a lot of people at home who might not be familiar with the Splunk Trust, talk about the concept and how you put it into practice. Absolutely. So the Splunk Trust is the organization that Splunk set up as a community leader, community activist. Our kind of watch word is that we're not the smartest people in the room, but we'll be the most helpful. And so our purpose is- I'm not sure about that first part too, by the way. I think you might be short changing yourself. So our organization's purpose is we act as members of the community to help direct community people who have issues and help them internally, or excuse me externally, but also to help Splunk and what direction they should go. Hey, we see this pain point from a lot of the customers. This is something that maybe that's functioned concentrate on. We're often given access to betas or even earlier or even potential products is how should we build this? Is this something that you would use? Is this something that you would like? Table data sets was a feature that I worked on for a year that was released last year. Is this something that you'd use? Is this something that you want? And sometimes users fall through the cracks in the support system and they don't know how to get support help or they don't know where to get directed. And we can volunteer and say, show them where the Splunk Answers group is very powerful. There's an app for that. We can show them Splunk base and help them when those things fall through the cracks. So we provide community enrichment and support, but we're not an official representative of Splunk, even though we're appointed by Splunk on a year-to-year basis. And aren't that many of you, right? No, there's total 42 this time. And you serve for a year and it can be renewed each year you reapply or you can be volunteered. Somebody else can nominate you. It can nominate for us. And there's no guarantee. We, the members of the trust vote and then that goes to Splunk and Splunk makes the final decision. Some companies allow that, some don't. It depends. ASU is very generous and lets me participate and give them my time to the organization. And I said ASU, Arizona State University. I never fully introduced that. What do you have to do to qualify and what's the hurdle? So be the most helpful person in the room. That's what you need to do to qualify. So you need to be a partner, you can't work for Splunk. You have to be a partner or a customer and you need to give to the community in some way. So you need to give back to the community of your, you participate on Answers which is the online kind of self-support forum. You need to speak in the community, maybe run a user group. A lot of us do run the user groups. I run the user group in Arizona. And you need to be respected amongst the community and people go, I want to go to them. They'll help me or at least get me to the right person. Is it predominantly or exclusively technical practitioners or not necessarily? This year they divided us into kind of organizational units. So there's architects and practitioner and developer. So we're all technical. But this year we're going to have the ability to focus a little more on a specific area. What do you do for a living? What do you do with Splunk? Do you architect a Splunk internally? Do you just provide Splunk practice? Are you a Splunk developer that makes apps? You know, how do you use Splunk on a daily basis? And again, there are partners as well. So a plur and defense point, I think are both tied with four members of peace. So that's one of those things that, you know, they're going out to individual customers and helping them every day. So it's really taking this notion of a customer advisory board to a whole, another level. I mean, it's not a passive, you know, group of people that maybe meets once a year. It's an ongoing, active, organic institution, essentially. Absolutely. We have quarterly meetings online and at those meetings, a different Splunk, sometimes executives, sometimes product managers or engineering managers, you know, come and speak to us and it can be anything from, hey, we're developing this internal product and are we interested? You know, is that useful to you or what enhancements do you feel the product need or, you know, this is a new feature we're working on to, you know, look and feel? You know, I was asked where, I was consulted about the COMPF logo. Hey, Chris, you're an average customer. Which of these four logos do you think really, you know, kind of helps set the mood? And, you know, did they take my advice? Does it really matter? No, but they were willing to just, I'm not associated, I'm not in the bowels. So this isn't your logo over here that you didn't? That is actually the one I chose. Oh, excellent. Yeah, I would assume so. All right. Who organizes the quarterly meetings? So the quarterly meetings are organized by Splunk in the community. There's a community group that's underneath Brian Goldfarb, who's the chief marketing officer. And so he organizes the quarterly meetings, he gets to herd all the cats, because we're all across the world. You know, you have to figure out a time zone, you have to figure out where, you have to figure out when. But most of the time there's some suggestions. Hey, you know, the engineering manager for Section X would like to speak or, but sometimes it's like, yeah, we would like to talk to the person in charge of search side clustering, for example. We'd like to, you know, we have some, we see some pain points in the community or something like that. So it's wide ranging. But, you know, we can, we're not just a group to rubber stamp anything that Splunk does, but we're also not a group to just sit there and complain about things we don't like. It's really very much a give and take. Splunk is generous and open enough to give us that access, and we take that very seriously, to be able to help guide Splunk into making their product the best it can be. And it's an amazing product. I'm an evangelist have been for, since I started using it, but also to, you know, to help the customers. If the customers are having a pain point, we're probably going to hear about that first. When did you start using? I've been using Splunk for about five years. And when I started using Splunk at ASU, it had been a 50 gigabyte license and they had just bought another 100 gigabytes. And it needed, it needed reworking. It needed architecting. So when I came in, our chief information security officer and our VP for operations are the ones who directed me. And I said, what do you want to grow for? And they said architect it for a terabyte, assume it's going to take us several years to get there. So I rebuilt the current environment and we architected for a terabyte. And here we are, four and a half, five years later, we're at a terabyte and we're still growing. And we're looking at cloud, you know, we're looking at other use cases. And I think the biggest shift for us and we talked about this briefly last year is that I work for John Roem, who's the deputy CIO for Arizona State. And he is in charge of business intelligence and analytics. So it is an enterprise application for data at ASU. It is not part of the security office. It's not part of operations. It's not part of dev. Those are all customers. And so internally, those are customers. And I think that's an amazing opportunity to say that those are customers of mine and I'm not beholden to building the system so it's only useful for security or building it so it's only useful for operations. They're my customers and we avoid any appearance of, oh, I don't want to put my data in a security product. I don't want to put my data in an operations product. Nobody questions putting their data in the data warehouse. That's the appropriate place for the data to go. So that's the beauty of the system that we've developed is they're both customers of mine. All right, so let's talk about your work at Arizona State a little bit. I don't know the size now, I'm trying to think of. I mean, huge. We're the largest single university in the United States. Probably what, 60, 70,000? Total enrollments 104 or 110,000. A lot of that's online. I think we have about 70,000 or more at the main campus. But we're the single largest university in the U.S. There are groups like University of California that's larger overall but not single institutions. So, you know, obviously. Passive. What, where are you now then? What have you been using Splunk 4 that maybe you weren't last year when you and I had a chance to visit? So we started using it as a security product. It was brought in to make security more agile and getting that information from the operations and the networking groups. Firewalls was the first thing we were brought in for. Now we're starting to look at other use cases. We're starting to look at edge cases. We're using it for academic integrity. So the very beginnings of that we're looking at if a student is taking a test. Are they the person taking the test? We're looking at to make sure that students' accounts are safe and not compromised. We're looking at rolling out a multi-factor to the university and being able to protect that. And we're taking a lot of those functions and pushing them down to our help desk. So the help desk has all of the tools they need to be able to support the student and take care of their issue on the first call. That's really important. We have an amazing help desk organization, amazing care organization. And that's the goal is, doesn't matter how long the call takes, you do that on the first call. And Splunk is a key portion of that to be able to provide them the right information. So they don't have to go try to get somebody from network engineering to solve the student's problem. They can see what the problem is at the beginning. Academic integrity, explain that. Yeah, so I don't think that there's any student who doesn't want to do their own work and do the best possible thing they can. But sometimes students get in a position where they need some help and maybe that isn't always exactly what they should do. So you need to make sure that the student is taking the test that they're signed up for, that they didn't have any assistance, especially in online classes. We need to keep our degree important and valid and obviously none of our students want to. Occasionally you find somebody who hasn't done exactly what they're supposed to and we need to be able to validate that. So we need to be able to validate that someone did what they said they did, it's just like nobody wants to plagiarize, but occasionally it does happen and we need to protect ourselves and protect the students. And you can do that with data, you can ensure that academic integrity. How, can you explain that a little bit? So a little bit, yeah. So we look at where the student logs in from, if they log in routinely from Tempe, Arizona and then suddenly there's a login from someplace else. Oftentimes that has nothing to do with academic integrity that has to do with that there's a count compromised. We need to protect the students' personal information, both HIPAA and FERPA. We need to protect their privacy information just generally available, PII. So we look at when they logged in, where they logged in, how they logged in, how two factor worked. And I think academic integrity is really a much smaller portion of it. I think the more thing is we need to protect those students. So we look at how they logged in, when they logged in, what type of machine they logged in from. If you're using a surface and you've been using a surface to log in for months and then all of a sudden you log in from an iPhone, you might have gotten a new iPhone, but you know, you might not have. And so we put all those pieces of information, all those logs together to build a case that do we need to reset this user's password for safety? But I think academic integrity is important from the brand as well, because the consumers of your students, the employers out there, they may be leery of online courses. So to the extent that you can say, hey, we've got this covered, we actually can ensure that academic integrity through data, that enhances the value of the degree and the ASU brand. Absolutely, and I don't think any student wants to do anything that they're not supposed to. It does happen, you know. But even if it's one, right? Or even if it's the perception of the employer, that it can happen. The possibility. Yeah, and I think that's a really good point is that we need to protect that brand and we need to protect the students. You know, in protecting students is the number one thing. Protecting employees is the number one thing. Everything else falls from that. Yeah, right. Okay. What about other student behaviors? I mean, as far as trafficking around campus, maybe food consumption, dorm living, I mean, all these kinds of things that, with sensors and what have it, you could extract reams of data. We're doing a lot of that. We're partnering with Amazon to look at the Amazon Echo and using them in dorms to provide them a voice interface. You know, Echo, where is my next class? Or, you know, what time does the Memorial Union open or how late can I get a pizza? And that type of thing. And we want to build an environment that's not only fun for the students, but very powerful and uses the latest technology. Pricing. Well, let's talk pricing. Right, I dig for, you know, the one little wart and splunk. It's hard to find. But I've heard some chirping about pricing because pricing is a function of the volume of data. The data curve is growing, it's reshaping. What are your thoughts? What do you tell Splunk about pricing? Yeah, so a lot of people say, man, Splunk is expensive. And I don't think Splunk is expensive. When you, once you've achieved a volume, it's got a good pricing structure. I think that anything that Splunk tries to do to change the pricing model is a bad direction. So you like it the way it is? I like it the way it is. I believe that we've made an investment in a perpetual license product. And I certainly don't think that what we're spending on it for maintenance year is a bad thing. And I think that we get a good value for the product and we're going to continue to use it, you know, for years to come. I've always felt like that your price is too high. It's never been a deal breaker for software companies. They've generally navigated through that criticism and it's been ultimately, you know, an indicator of success more than anything else. But your point is if the value's there, you'll pay for it. Are you able to find ways to save money using Splunk that essentially pay for that premium? Absolutely. So one of the very first things we did with Splunk is we looked at our employee direct deposit. We talked about this briefly last year. We looked at employee direct deposit and we were being targeted by a Malaysian hacking group who was using phishing emails to fish credentials from us. You know, you send an email that looks very much like a university login and says you need to log in and change your password or you're not going to be able to work in an hour. A lot of employees, especially employees in areas that aren't high tech in the psychology department, they may fill in that information and then the hackers log in and change their direct deposit. And then the university ends up paying the employee again and eating those costs. So our original use case was on the fly. We saved $30,000 in a single payroll run. Pretty easy to pay for Splunk when you do that. And so that was our very original use case and that came from just looking at the data. Is this useful? Where are these people logging in from? There's a change, you know? And I think that that's very important. And the thing I love about Splunk is because it's schema on demand, because there's no hard schema, is that it's use case on demand, is that every single good use case in the very beginning was standing around the water cooler having a drink and saying, I wonder if we combine data set A and we combine data set B. We come up with something that nobody was asking about and now we see something that we can help fix, we can help grow, we can make more efficient and to the question of how you deal with all that data is you tune, you decide what data is important, you decide what data is unimportant, you clean up the logs that you don't care about and we spent a year, we didn't buy Splunk for one year, we didn't buy a new license, we didn't buy an expansion license because we took a year to compact and say, okay, all the data we're getting from this firewall, is that all necessary? Is there anything redundant? Does it have redundant dates? Does it have redundant timestamps, et cetera? And pull that information out and it'll just give us a little bit of breathing room and then we're going to turn around and take another chunk. Help. No schema on right, sounds geeky, but it's profound. But you mentioned the word help again, big word, key word, Chris Kurtz, one of the most helpful guys in the community of Splunk. Thank you very much. Thanks for being with us, Chris Kurtz. Back with more, David and I are going to take a short break, about a half hour, we'll continue our coverage here live at .conf2017.