
Automate every aspect of Splunk Enterprise and beyond

Does your organization rely on Splunk Enterprise to keep its business securely up and running?

Splunk is a powerful platform that can help answer any type of data question. But as with all technology investments, the value it brings is dictated by the use cases it can fulfill in a cost-effective, secure, and sustainable way, with a performant, high-quality user experience. In practice, much of this comes down to how well the platform is administered.

Where Splunk Cloud effectively removes some of the administrative hurdles, Splunk Enterprise still requires a lot of effort to manage.

For many organizations, Splunk Enterprise is the only viable option, often for legal or strategic reasons. This means they need to find a way to manage the platform effectively to unlock the technology's potential.

This is a daunting and hard task to solve, or at least it has been until now!

Introducing CCA for Splunk

Continuous Configuration Automation (CCA) is a framework that solves Splunk Enterprise configuration management in a secure, efficient, and scalable way through rigorous structure and standardization, together with an automation-first approach throughout all aspects of the platform's full lifecycle.

The framework utilizes the power of Ansible to automate the everyday tasks done by Splunk Enterprise admins through smart Playbooks & Roles that interact with the configuration on servers over SSH. No more hands-on servers!

The other central part is git, which is used to centrally store both the Ansible library of playbooks & roles and an abstraction of the Splunk Enterprise configuration. This means that CCA only operates indirectly: changes are first made in git, then verified, and only then pushed out to the servers. Nothing is added to the Splunk Enterprise installation itself!

CCA comes with cca_ctrl, a UI built in Whiptail for compatibility with any terminal, which is used to select Roles and execute the Ansible Playbooks. Easy and effective in all its simplicity!

Most importantly, CCA for Splunk is a collaborative framework made by and for Splunk professionals. It provides a wealth of knowledge and best practices, based on years of experience in both operating and automating Splunk Enterprise, packaged into code. Behind the tool lie thousands of development hours by senior Splunk Architects and Admins, and development continues: features and capabilities are continuously improved, driven by Splunk's evolution and by the use of the framework in organizations throughout their data journeys.

What are the benefits of CCA for Splunk?

The effort needed to operate Splunk Enterprise in an efficient, performant and secure way is typically determined by the complexity stemming from volume, architecture and use cases on one side, and by the Security, Privacy, Compliance, Performance and Business requirements put on the platform on the other, together with the degree of diligence with which those requirements are carried out.

Therefore, all users of CCA for Splunk will see different degrees of benefit, more or less in different areas, but these statements provide a general starting point for introspection:

Splunk benefits

Efficient administration is an estimate, but one based on real-life examples where we have shown that an automated Splunk upgrade of a clustered environment of around 25 hosts can take about 80% less time, or more, compared to a manual upgrade following Splunk best practices. The playbooks in the framework are built around a "no hands-on servers" principle, which effectively reduces the number of unintentional errors made by administrators and innately promotes full configuration consistency across any type and number of environments.

What each part of CCA for Splunk is worth, on the other hand, is a matter of perception and individual characteristics. Each organization has unique goals and expectations around what kind of error and downtime tolerance is acceptable, what level of diligence is expected in upholding compliance, how fast is fast enough for data onboarding, and so forth. It might be anything from a couple of hours saved to avoiding business-critical disasters.

What we can say is that CCA for Splunk will make any organisation faster and more efficient, and the Splunk environment will be more resilient to user errors. The nature of automation demands standardization, and thereby some of the hardest things, like version control, compliance and consistency, become relatively effortless by design.

CCA for Splunk does more, and better, with less. If you want another perspective on CCA for Splunk in relation to Splunk Enterprise, read the Splunk Lantern article on Automating Splunk Enterprise administration with a Continuous Configuration Automation framework.

Does CCA for Splunk support Splunk Cloud?

The same benefits extend to Splunk Cloud as well. Given that it is a SaaS solution, it neither requires the same administration nor offers the same administrative abilities as Splunk Enterprise, but that is not to say it doesn't offer some very potent and valuable capabilities for any Splunk Cloud customer.

For an existing Splunk customer planning a transition from Splunk Enterprise to Splunk Cloud, CCA for Splunk can be an excellent companion tool, as its innate capability to extract and abstract the full configuration makes the transition itself much easier. This makes it much easier to get a complete picture of the current state and, from there, plan and perform the changes necessary to move, for example, indexing & search capabilities and apps to Splunk Cloud.

Once Splunk Cloud is active, CCA for Splunk can continue to play an important part in operating the on-prem and in-the-cloud data sources that need to be maintained for ingestion. CCA for Splunk can therefore act as a co-pilot to Splunk Cloud and make sure that the outside footprint is managed sustainably with automation.

Over time, we envision incorporating more and more of the administrative capabilities offered through Splunk Cloud ACS and its API, to offer a streamlined experience independent of what, where or how Splunk solutions are operated.

If you want another perspective on CCA for Splunk in relation to Splunk Cloud, read the Splunk Lantern article on Automating Splunk Cloud Platform administration with a Continuous Configuration Automation framework.

Versions of CCA for Splunk

The CCA for Splunk framework is developed and maintained by the Data Tribe, part of Orange Cyberdefense Sweden. From day one, development has approached Splunk automation from a multifaceted perspective, where the same code base can be used to solve multiple problems in different arenas.

Open source (Free)

Originally released as an open source project at Splunk .conf22, this version is free to use under the MIT license. It provides a great starting point for any automation journey, and transparency into the code to raise quality and trust, but it is unsupported and non-commercial.

Managed (Internal)

Orange Cyberdefense offers a Managed Service for Splunk Enterprise that covers the full management of Splunk Enterprise, with CCA for Splunk as the core through which the service runs. This is the best solution for Splunk customers who want to fully outsource the management of Splunk. The Managed Service is available as part of Orange Cyberdefense's global portfolio offerings.

Premium (Commercial)

CCA for Splunk is designed to be a companion tool for Splunk administrators in any type of Enterprise. As with any tool, it requires a lot of competence from the user to wield effectively. For Splunk Enterprise customers who want to start their automation journey with CCA for Splunk with support and additional enterprise functionality, we offer a complete package of both technology and supporting services in the CCA for Splunk Premium portfolio.

The CCA for Splunk Premium portfolio

We want to close the gap between technology complexity and business value in all aspects of Splunk. It is with this in mind that we have developed the CCA for Splunk Premium portfolio, where the commercial version of CCA for Splunk provides a gateway to technologies and services that offer more features and greater capabilities, and enhance the Splunk experience both inside and outside of the platform.

CCA for Splunk Premium

This is the cornerstone of the Premium portfolio, around which everything else is built, and is effectively a requirement for all Extensions and Services. It includes the full library of functions and features of CCA for Splunk, including highlights like:

  • Splunk Access and Index Design to manage naming conventions and metadata in a way that optimizes Splunk resources
  • Splunk Smart Store Design and Implementation to maximize cloud cost efficiency
  • Splunk Deployment Server Design to manage organizational growth and management of many thousands of clients
  • RESTful API that allows for all sorts of integrations to external systems
  • Git config tracking to further secure the business-critical configuration and meet compliance requirements
  • Enterprise Authentication support to securely integrate with enterprise identity solutions
  • Compliance Check to get a full view of the status of security settings, patch levels, certificate status and vulnerable settings
  • Upgrade extensions to add further backups prior to major Splunk Enterprise upgrades
  • Splunk Support Helper to easily collect both Splunk support files and OS metrics
  • Splunkbase App Helper to assist in updates and version compatibility
  • Resilient Log ingestion to handle Splunk internal insights in case of Index Cluster issues
  • Universal Forwarder Auto Tuning to accommodate data ingest when application logs increase

    (Note: several features are in different stages of development)

Subscription

Our Subscription provides full support for the CCA for Splunk framework and all Premium Extensions. It also provides direct access to download new releases, which contain updates for new Splunk versions, patches based on Splunk recommendations, framework bug fixes, and new functions as they become available.

An active subscription is required at all times when operating CCA for Splunk Premium to ensure a high-quality user experience in operating the framework.

Extensions

The Extensions are optional additions to CCA for Splunk Premium which effectively broaden the scope of what CCA for Splunk can do. They are developed with the same care as the framework and work just as well for customers who choose to outsource Splunk Enterprise management via the Managed Service.

CCA Cloud LCM

Effectively extends CCA for Splunk's capabilities to create, change and operate the infrastructure in the premium cloud providers:

  • AWS (Amazon Web Services)
  • Azure (Microsoft Azure)
  • GCP (Google Cloud Platform)

The core capabilities and functionality are the same, but implemented in accordance with each cloud provider's unique technology:

  • Orchestrated Rolling update of OS to support cloud native approaches of Life Cycle Management
  • Orchestrated Rolling upgrade of OS to support OS patching
  • Infrastructure as code to build and extend Splunk infrastructure without knowledge of Terraform
  • Infrastructure scaling to support increasing storage and updates of instance types
  • Load balancer support to manage both application and network load balancers
  • Cloud Security to configure infrastructure resources with best practice

CCA DevOps LCM

Effectively extends CCA for Splunk's capabilities with development lifecycle workflows:

  • Splunk Enterprise DevOps LCM* to facilitate real development workflows from dev to production without manual interaction
  • Splunk ITSI DevOps LCM to facilitate real development workflows of ITSI from dev to production without manual interaction. Supports both on-prem and Splunk Cloud workflows.
  • Splunk Cloud DevOps LCM* to facilitate on-prem development and transparent deployment to Splunk Cloud for both apps and general Splunk configuration.

    (Note: * is in an early stage of development)

CCA Solutions

Splunk comes with an excellent toolset to create fantastic solutions, both on top of the core platform and within Premium apps. While it is easy to get started with the basics, it requires a lot of Splunk-specific competence and domain expertise to build more complex solutions that can both solve the task at hand and evolve over time.

With CCA Solutions, we have packaged years of experience in building solutions with Splunk into code by systematically breaking down all the different elements of the development and implementation process.

In practical terms, this can reduce the time to value from months down to minutes and, once in place, the solution stays up to date and relevant over time.

ITSI Service Monitoring Solution

ITSI (Splunk IT Service Intelligence, a Premium app) offers additional capabilities and features on top of the Splunk platform to cater for measuring and monitoring any type of service.

The ITSI Service Monitoring Solution enables out-of-the-box, end-to-end Service Monitoring solutions. Each Solution Pack covers Service Model logic, KPI base searches, thresholding templates and Notable Event Aggregation policies, based on best-practice utilization of data from common infrastructures and applications.

The ITSI Service Monitoring Solution also comes with a built-in service self-discovery functionality, effectively automating the lifecycle management.

Our ambition is to provide a wide range of Solution Packs for common technologies, and we constantly develop current and new Solution Packs to cover more areas. The current selection of Solution Packs includes:

  • Splunk Enterprise provides infrastructure, roles, functions, services, and premium app insights
  • Cloud platform: Azure provides host and infrastructure insights
  • Cloud platform: AWS provides host and infrastructure insights
  • Cloud platform: GCP provides host and infrastructure insights
  • Cloud platform: OTEL provides host and infrastructure insights
  • OS: Linux provides host and infrastructure insights
  • OS: Windows provides host and infrastructure insights
  • Application: SQL provides host, cluster, performance, and error insights

    (Note: the solution packs are in different stages of development)

CCA Services

To aid with implementing, utilizing and developing the framework, we also offer services delivered by the same team behind CCA for Splunk.

  • Implementation – a project to start the automation journey right with CCA for Splunk Premium and any Extensions.
  • Training – documentation and hands-on education covering all parts necessary to operate CCA for Splunk in your line organization.
  • Development – from customization of and additions to the existing feature set to completely new, tailor-made extensions to CCA for Splunk for specific needs.
  • Assessment

Do you want to learn more about CCA for Splunk?

If you are interested in boosting your Splunk automation journey with CCA for Splunk, please contact us through this form and we will be happy to help!
