Re-architecting Log Observer and laying the foundation for Unified Identity
The problem
Log Observer was Splunk's point-and-click logs exploration tool — but query latency on the core search path was painful, and pain in incident troubleshooting is the worst kind of pain (people are angry and watching). On top of that, Splunk Enterprise customers with years of data and workflows in the older platform had no clean way to use Log Observer against their existing data — the two platforms were islands. A bridge was needed, and it needed to be performant enough that customers would actually use it mid-incident.
What I led
- Re-architected the core Log Observer search path — owned the design, wrote the critical code, and shepherded the perf-regression work.
- Served as tech lead — architecture decisions, the code review bar, roadmap partnership with PM.
- Led the team's contribution to the Unified Identity foundation that the EM-era team would later scale.
- Drove the technical side of customer onboarding; PM, CS, and field engineering did the rest.
What we shipped
- 60% query-latency improvement on the core Log Observer search path.
- 200+ customers onboarded to Log Observer Connect — adoption driven by live use during incident troubleshooting (the strongest possible signal).
- Foundation of Unified Identity that became the EM-era platform ship.
- New integrations across the Observability platform, taken from architecture to GA with PM.
What I'd do differently
I'd build the perf-regression harness before the rewrite, not after. The 60% gain was real, but it was hard to defend in reviews without baseline benchmarks, which I should have locked down before starting.