When I joined Splunk in 2015, I was quickly tasked with reviving a twice-failed initiative — the creation of a shared component strategy for the core product. At the time, the product was growing rapidly, but also becoming increasingly bloated and monolithic. Feature teams were innovating, but in silos, leading to duplicated code, inconsistent operations, and mounting technical debt.
To keep scaling, we needed a way to build once and reuse across domains — especially as new products like ITSM and SIEM started to share similar analytical needs.
The Problem: No Extensible App Layer
Splunk had some backend extensibility through a Python plugin model, but it was limited in scope:
- No unified approach to versioning, deployment, or configuration
- No framework for frontend/backend interaction
- No consistent way to reuse logic across products or Splunk versions
This lack of structure meant teams were copy-pasting code between products — particularly painful for teams trying to reuse our new analytics engine across both ITSM and SIEM offerings.
The Goal: Reusable, Versioned, Modular Components
I started by interviewing developers, managers, and architects to understand the landscape. The core insight: teams wanted to build reusable modules, but had no reliable path to do so.
We defined a clear goal:
Enable teams to build modular components that could be versioned, bundled into different product releases, and deployed across multiple Splunk versions — with minimal duplication or overhead.
The Solution: Lightweight Adapters + Open Source Tooling
We took a pragmatic, developer-friendly approach rooted in existing tools and standards:
-
For Python components: We introduced versioning and packaging using `pip`. We wrapped services in CherryPy and defined a lightweight adapter layer to expose backend logic as REST APIs.
-
For JavaScript components: We used `npm` for package management and aligned frontend interfaces to consume backend APIs via standard REST calls.
This combination created a consistent, version-controlled way for frontend and backend code to communicate, evolve, and ship independently.
Real-World Use Case: Glasstables in ITSM and SIEM
The first real application of this framework was for our new analytics capability, Glasstables, built initially for the ITSM product. Under the old model, porting it to SIEM would have required duplicating and reworking the logic entirely.
Instead, using the new component framework:
- Shared logic was packaged once and reused across both products
- Frontend teams used standard APIs regardless of backend implementation
- The product architecture was now modular and maintainable
- Version dependencies were explicit, improving upgrade and deployment workflows
The Outcome: Componentization That Delivered Business Value
From design to production, the full project — including the framework and first major use case — shipped in under 12 months. And the results were immediate:
- Faster feature delivery across teams
- Reduced duplication and support complexity
- Glasstables became a core selling point across multiple product lines
- The framework unlocked long-term product modularity across Splunk
What began as a rescue mission for a failed initiative became a key enabler of product growth and a catalyst for license expansion.