Splunk .conf18: Boss of the NOC Review

Published on: October 8th, 2018

At Splunk .conf 2018, I was fortunate enough to have the opportunity to compete in the Boss of the NOC event with my peers.

This was our first time competing in one of these events, and quite frankly, we had no intention of winning when we decided to compete. However, with the prize of 2019 .conf passes on the line… the rest was history.

Why Boss of the NOC?

This was actually a source of debate between our team members. We were initially leaning towards competing in the Boss of the SOC event, since many of the Splunk use cases we leverage for our clients are security focused.

However, we ended up going with the NOC event for a few reasons, including:

  • New Tools: We wanted to increase our experience with some of Splunk’s newer offerings, such as VictorOps, which was part of the event this year.
  • Team Experience: Both Tim and I are recovering network administrators, and we figured some of this knowledge might come in handy.
  • Splunk Experience: We support clients in numerous verticals, who use Splunk for both security and operations use cases. For us, the product is a tool to solve any number of problems we might face – problems that we may not know the answer to until we dig into the data.

Event Experience

We found the event to be a realistic representation of the work that we do on a daily basis. For instance, many of the questions were quite vague. Customers don’t always know exactly what they want, or what data they have to support a given use case. We’re often tasked with solving a problem by figuring out a solution based on what the client has available.

As a Managed Security Services Provider, we are constantly required to adapt to different client environments, switching between data sources and Splunk deployments multiple times every day. So, handling a new and unknown Splunk environment was not a foreign concept to us.

Solid Teamwork

One of our biggest strengths during the competition was our ability to work as a team. Both Mark and Tim are part of our Splunk implementation team, which also backs up our support engineers as a senior escalation level.

Steve and I are part of our management team, but we’re never far from having our hands on the technology, solving problems, or helping design new service offerings and process improvements.

Similar to our normal day-to-day operations, we were able to work on problems during the event both independently and by involving other team members as needed, playing to each other’s strengths. If anyone got stuck on a question, we’d pass it to another team member and move on. Additionally, to avoid losing points, we’d seek a second opinion on possible answers when practical to ensure that we were on the right track.

Handling Distractions

Within the first hour of the event, we were told that we had a commanding lead in the competition, with nearly twice as many points as the next closest team. When we first heard this news, we thought members of the event staff were trolling us and continued working on the questions.

Eventually, we did check the scoreboard and realized they weren’t trolling. A few hours in, we realized there was a very real possibility that we could win the event, provided we didn’t follow in the footsteps of all too many Cleveland sports teams (insert your own video of the drive, the fumble, the shot, etc. here).

Lucky for us, Hurricane Labs’ Sales Engineer Matt Yonchak stopped by to give us the positive reinforcement we needed…

Even though we held the lead for most of the event, it didn’t mean that the competition staff was easy on us. We were constantly getting questions from other Splunkers, some that were related to the event, others that were clearly efforts to throw us off our game.

Fortunately, facing distractions isn’t a foreign concept to us: whether it’s fellow co-workers needing assistance, solving a client problem, or ducking from an incoming barrage of Nerf rounds, we’re quite comfortable handling changes in stride.

A special shoutout to Kelsey for convincing at least 8 people she was doing the entire event from her phone (spoiler alert: she wasn’t). Also, don’t try to compete from an iPad either; it’s a terrible idea. We tried, and it was an utter failure. Trust us.

In Summary

We’d like to thank everyone involved on the Splunk team for putting this event together. We think it was an awesome competition and a very realistic challenge, and are looking forward to competing again in the future.

For those of you looking to get up to speed with Splunk, we’d encourage you to give a future BOTN (or BOTS) event a shot – who knows, you could be facing off against us next October.

We’re looking forward to seeing everyone again at .conf 2019 in Las Vegas!

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.