>> Live from Orlando, Florida, it's theCUBE. Covering .conf18, brought to you by Splunk. >> Welcome back to Orlando everybody, home of Disney World, and this week, home of theCUBE. I'm Dave Vellante and he's Stu Miniman. Steven Hatch is here, he's the manager of Enterprise Logging Services at Cox Automotive. Steven, thanks for coming on theCUBE. >> Thank you. >> So, you've been with Splunk for a while, we're here at conf18. Logging services, enterprise logging services. When you think of Splunk, their roots, Splunk go back to, sort of, log files, analyzing log files, it's in your title. (laughs) You must be pretty intimately tied to, as a practitioner, to this capability, but talk about your role and what you do at Cox. >> Primarily, the role is to be the evangelist, the enabler, and the center of excellence when it comes down to getting those best practices propergated within the enterprise. >> So people come to you for advice, council, you play, sort of, internal consultant. What qualified you to do that? You were a practitioner prior to this, so you got your hands dirty and you kind of now, elevated to-- >> My prior role was a Site Operations, or Site Reliability Engineer, and then Manager. And so, having that background, I've been in IT since '96, so I'm a little old in the game, but basically, having that operational knowledge, and knowing how to think big picture when things are happening or transpiring, or the reverse and go back and find that root cause analysis. >> '96, just a pup, my friend, okay? (both laugh) So, talking to Stu, we were talking off camera, about the number of brands that Cox Automotive has, Cox at Kelley Blue Book and at numerous others, like dozens, each of these is kind of it's own data silo. How do you guys go about using Splunk? Are you able to break down some of those silos? Maybe you could share that with us. >> Yeah, so we have been successful on a lot of the big three really, at Kelley Blue Book, Manheim, as well as Auto Trader, to really break in. A lot of that was because of our, already previous, relationships with team members and leaders. On the other side of the coin is the newly acquired companies that are not in Atlanta, Georgia. That are in places like Groton, Connecticut, South Jordan, Utah, Upstate New York, as well as the Toronto area in Canada. And so, WebEx joined me, email just won't cut it. You actually have to sit down with these people and really showcase your business case, your model, and what you're trying to bring to the table. But of course, the approach is always important. >> And are you using Splunk to do that? As a collaboration tool as well? >> Yes sir, yep. >> Explain that a little bit if you would. >> So, a lot of times, as you mentioned, the silos, as a bigger brand now, it's no longer an excuse for you to only be responsible for your data and not showcase it, or share that data. Because we're thinking about the entire life-cycle of Cox Automotive, and this entity of Cox Automotive, that's important to us now. So for you to hold tight, or to hoard your data, or your metrics and not share them, that's not good business anymore. >> Yeah, so Steven, we talked to a lot of companies that do M&A, and it's usually like, well, this is the products we use, these are the structures that we have. One of the things we hear from Splunk is that you can get to your data, your way. How does the Splunk modeling, and how you look at the data, fit into that M&A? Is that an enabler for you to be able to get that in. >> Yeah, and so, when you can showcase the ability of how the data comes in and, quickly. Key word, right? To showcase how that data can be very valuable to them, especially to their stakeholders, that's when light bolts will go off. And, again, it's the stakeholders, and then champions, that we need to bring to the table to make sure that we can get full adoption. >> Yeah, we've also-- Dave's been to the show a few times, it's my first time, and what I've really heard a bunch of is the people that know how to use Splunk, they're super valuable inside of the company. They get training, people inside the company, they look to get hired, tell us a little about what you've seen, what it means to your role inside the company, and as you network with your peers here. >> It's a lot of exposure. A lot of people are very anxious to get some type of insights into their world, their infrastructure, their applications, their business tools. A lot of times, there are people out there that are very savvy from a business perspective, that have a bunch of KPIs in their head, but no one has actually extracted that information from them, and so, our job is to align with their KPIs. You know, over the last couple of years, that's what we've-- the journey that we've been on, is to now revisit the data that we've just ingested. That's the basic foundation. We want to elevate now and really get more mature, and to align with those business KPIs. >> Meaning they got this tribal knowledge in their head, and you want to codify that so that it can be shared. >> Correct. >> How do you go about doing that? Is it sitting in a whiteboard and understanding that? >> It can be a whiteboard, it can be over a coffee. If I need to get on a plane and go see them in person, and to really just listen and ask the questions when it's time but, again, listen and really understand what's important to them, what is important to their business, to their function, to their silos? Cox Automotive has five, of what we call, pillars, where there's international, finance, marketing, retail, or media, and each one of those owners, over time, wants the specific value. >> So if you go and have a chalkboard session, whiteboard session, with one of these folks, how do you operationalize it? You got to figure out where the data exists, so that you can align with what's in their head? Is that right? And then, how do you do that? How do you scale it? >> Well, so, again, you have to start from the top. If you start from the bottom, you'll be in the weeds until the end of time. So that the more efficient manner is to start from the top and realize those KPIs from those leaders, those stakeholders, and then from there, a tool like ITSI, which is basically built around services, entities, and aligning to their service decomposition model, and that right there allows you to stay consistent and efficient on getting that information. >> So you start top down, but ultimately, people are going to want granularity. So you start-- is it top down, bottom up, type of approach? Where you actually drill, drill, drill, drill, drill, and then get to the point where you can answer all those granule questions? And then, by doing that, if I understand it correctly, it sums to the top line, is that fair? >> Yeah, yeah, there's a point in time where you say, you know what? I could really now enhance or enrichen the data by a dataset that I know where it is. So the keypal will get you to a certain point, and then, to find that happy medium, or that common denominator from the data that you already have on premise, or from your apps, wherever they reside, that's where you can meet the gap. >> Otherwise you're never get it done. You'll end up boiling the ocean. >> That's correct, yes sir. >> All right, so, when we talked to you two years ago, you were using Splunk Cloud, you know? And when we talked to practitioners it's-- the things that they're managing, a lot of times now, most of it's not what they own, and so, how do I get the right information? How do I manage that environment? Talk to us a little bit about what you've seen in the maturation of Splunk and Splunk Cloud, if there's anything in 7.2, or Splunk Next, that's exciting you, to help you do your job even better. >> Oh man, so of course, the keynote today, the DSP, the processing layer that's in front of the Cloud, or in front of the indexes now. Where in real time, I can now route data, specifically from a security standpoint. If there's some type of event, without having to go through all the restarts and configuration management and everything else, I can simply put something in there, right there, and move the data, or mask the data. The ability with the infrastructure app, that's exciting to me, as well as all the feature updates for ITSI, enterprise security, as well as the Cloud itself. >> Can we do a little Splunk 101 for my benefit? So I heard today, from one of the product folks, that it used to be when you added another indexer, you had to add storage and compute simultaneously, whether or not you needed the storage, you had to add it, or vise versa. So an indexer is what, is it, essentially, a Splunk node? >> No, it can be a, basically, a Linux host, that actually has the agent running as an indexer with the attached disk. >> Right, okay, and it used to be you had to buy that in chunks, kind of like HCI, right? And you couldn't scale storage independent of compute? >> That's correct. >> What that meant is you were paying for stuff that you might not need. >> Right. >> So, with 7.2, I guess it is, you can split those and you get more granule, or what does that mean for you? >> Well, being a, now four year customer of Splunk Cloud, and anytime we went to the next version of, or license, the next step up, currently we're on about six terabytes. When we go up to eight, that the entailed more indexes being added to the cluster, which meant more time for the replication of search factors to be met, which can take however long, and then, or if there's any kind of issue with the indexer, where one had to be pulled out and another one introduced. How long does that take? Now, with the decoupling of the compute from the storage, it's minutes, and so it's a fraction of the time. >> And if I understand, I understood it real well when it's an appliance, but it's the same architecture if it's done in the Cloud, is that correct? >> It's, essentially, actually, it's a new architecture in my mind, where now it's able to scale more, and then there's-- I'm not sure how much they talked about it, but there's a potential of the elasticity of it. And so, now, I don't have to be so fixed, I can, on certain times, expand the cluster, you know, for search performance, or bring it back down when it's not needed. >> Some of the promise of Cloud. >> Yes, sir, Splunk Cloud. >> So it's like the Billy Dean, the five tool star. You've got the cost, you've got availability, you got speed, you got flexibility, and you've got business value, ultimately, which is what's driving here. So, I take it, I'm inferring here, you'd expect to use this capability in the near future? >> Very much so. >> Great. What else is on your horizon? What are the cool stuff you're working on? And things you want to share with us? >> Well, in addition to our leveraging Splunk Cloud for four years, next year we plan to move away from our current sim tool, into enterprise security. So it's very exciting to hear that they're continually updating that product, and so our security team has been knocking on my door for the last six months to really get that started. So, once we get there, we'll start the migration efforts and get Splunk Cloud now, enabled with the enterprise security, to really empower our security team, and stay ahead of our threats. >> So, I've been around a long time, and, ever since I can remember being in this business, customers have wanted to consolidate the number of vendors with whom they work. But the allure of best of breed always sucks them in to, oh, lets try this, or you get shadow IT. It sounds like, with Splunk, you're approaching this as a platform that you can use for a variety of different use cases. >> That is correct. >> Now, whether or not you reduce the number of vendors is, maybe a separate conversation, but I guess the question I have is, how are you using Splunk in new ways? It sounds like its permutating a line of business, SecOps, etc, is that an accurate picture? If you could describe it. >> Yeah, so Splunk itself, the core is the platform for so many different other functions within the business. You have security, you have the development group, DevOps, where, from a CICD perspective, now they can measure the metrics or the latency in between, when they create a car, say in rally, all the way to the very end of the line, what are all those metrics that are there, that they can leverage to increase their productivity? Obviously, infrastructure. As we consolidate all of our data centers down, wouldn't it be nice to know if these specific low bouncers or switchers are still having traffic to verse them? And to actually get a depiction of the consolidation effort. From a virtualization standpoint, isn't it powerful to know how many devices E6 hosts are actually fully being utilized, and how many are actually vacant? And how much money can be saved if we were actually to turn down those specifics blades or hosts? Or VMs that aren't being leveraged, but they're sitting there, taking up valuable resources. >> I remember when Splunk, right around the time they went public, I remember two instances, maybe three. There was a MPP database company, there was a large three letter firm, and there was an open-source specialist, and I heard the same thing from each of them, was we have the Splunk killer, this was like, five, six years ago. It seems like this Splunk killer was Splunk. And it really never happened. Why is it? Why is Splunk so effective? You obviously see, you know, you're independent, you want to use the best thing for Cox Automotive. What is it about Splunk that sets them apart, puts them in the lead? >> The scale capabilities, having this type of environment with the conferences and the sales group and the support groups, very intentional about listening. Having workshops where they come on premise to help us out on our use cases, to really educate their users, because the more their users are elevated from a knowledge standpoint, the more they will then exercise the application. If they all stay basic, why would I need another component of Splunk? Why would I need enterprise security? Why would I need to expand my subscription into the Cloud? The more I can exercise it, the more I'll need. >> So this is kind of a give, get. They come in knowing that if they expose you to other best practices, you'll going to be more effective in the use of Splunk and you might apply it in to other parts of your business. >> My appetite will grow and my users appetite will grow. >> And these are freebies that they're doing? Services freebies, or are they paid for services? >> Oh yeah, they have no problem coming in, supplying the necessary ammunition, or food, to entice, to have folks come in, but it's powerful to have all the engineers in there to really show us how things work. 'Cause, again, it's a win, win. >> And you're a football fan, I understand? >> Oh, yes, sir. >> Chiefs are your team, right? >> That's correct. >> Were you a football player? >> For a little while, yes. Now I coach, so that's my-- >> And you coach, what? >> Little girls. >> Kiddie football, huh, awesome. Is that Pop Warner these days, still? >> I guess you call it that. >> Flag football or tackle? >> Tackle football >> Really? >> Yep. >> Eight years old? >> Yes, my son is eight and he's playing full back right now, I'm very excited, happy father. >> Is he a big boy, like his dad? >> He's going to be bigger, I think, than his father, yes, sir. (both laugh) >> That's awesome. Well, listen, thanks very much, Steven, for coming on theCUBE, it's really a pleasure meeting you. >> That's appreciated, thank you very much. All right, keep it right there everybody. Stu and I will be back with our next guest. We're live from Splunk .conf18, you're watching theCUBE.