Elastic Support: An Investment That Keeps Paying Off at Symantec

Even with 18 years of search experience and a PhD in computer science, this senior Symantec engineer finds value in Elastic’s dedicated support and training.


When Geena Rollins (in/rollins) joined Symantec, a Fortune 500 global leader in enterprise and consumer cybersecurity and maker of Norton Antivirus, as a search expert, she led their transition from Solr 3 to Elasticsearch. Since then, Geena has become an Elasticsearch specialist for Symantec, consulting with many internal groups using the open source software throughout the company.

How did she become so knowledgeable? As Geena says, “I’ve become an Elasticsearch expert, and the way I got there was through training and support. I have a good search background and a lot of experience, but there’s still a lot of value in support for me. It continues to pay off.”

We sat down with Geena, senior principal software engineer, and her dedicated Elastic support engineer, Greg Nieman, to dive deeper into how they work together to keep the Symantec Elasticsearch deployments firing on all cylinders.

Please note that this interview has been edited for length and clarity. Geena notes that all opinions she expresses below are solely her own and may or may not reflect those of Symantec.


So tell us about Symantec’s decision to engage with Elastic support. How did it come about?

Geena: After we decided to migrate to Elasticsearch, I needed to learn more about it because I hadn't used it before. I could learn a lot of stuff on my own, but I signed up for a training session and gained more knowledge quickly.  

Then we signed up for a platinum subscription. I started with some small tickets and then they got more interesting as time went on. I knew Greg only through the support ticket system at first, and we had a good rapport there. Then we met at Elastic{ON}15, which helped further develop our relationship.

Greg, from your perspective, how has the customer relationship with Geena and Symantec evolved?

Greg: The initial questions and tickets were pretty much about standing up clusters and all the little gotchas that you encounter when you're trying to get everything up, running, and tuned to the point where you’re getting acceptable performance. You’re not getting crashes or the standard newbie kinds of things that happen when you're picking your way through the landscape for the first time.

It’s a teaching process, so as Geena and Symantec became more comfortable with things in the early tickets, they could move on to more connected, complex scenarios, and now they’re using the product in new and interesting ways where we can help.

And because we have engineers who are extremely deep and know the internals of the products, support saves Symantec time and effort. You don't go down a path where you say, “This looks fine now,” but in another two or three years, you think, “Oh, wow, I wish I hadn’t done that.” We help you find those things way in advance. You can’t underestimate the value of something like that.

Geena: As Greg said, it’s an educational process. I started at Symantec two years ago, and at this point I’m considered the Elasticsearch expert in this 10,000-employee company. I did three training sessions, I went to two conferences, and I filed a lot of tickets. That really got me here — plus the documentation, but the documentation only tells you what you can do. When you’re trying to figure out what you want to do for your use case, it’s helpful to have Elastic support.

Geena, can you share how Elastic support has been instrumental in some of your success at Symantec?

Geena: I've used Lucene directly for years, so I don't file tickets about data modeling or analyzers, but about the distributed system. For example, we had a system where we were doing event logging from security events, so all the machines out there from our customers were sending us events like “Antivirus definitions were updated” or “There was a failed phishing attack.” We have a daily index that we can search and aggregate on that data. We noticed that some of our queries that searched more than 14 days worth of events were really slow. Not only were they slow, but we were getting search rejections because the queue was filling up. So I put in a ticket for that.

I asked, “Why is the queue filling up? It’s only 14 days.”

Greg writes back and explains that it depends on how many shards you search, so if you have five shards in 14 days, that multiplies out to 70 shards. And if you search 90 days of shards, it’s pretty much hopeless. What happens is that when you do a search, it creates an item on the thread queue for each shard that you search. Then it really adds up. Coming to understand this was really important for getting our application to work with many users searching at the same time.

Greg, would you elaborate on scenarios in which you've been able to proactively help Geena and the team with their environment?

Greg: Geena and her team are fairly adept, so they don’t necessarily need a lot of guidance on the things that are mapped out explicitly. What they generally come to me for are explanations of how things work. Like, how does the number of shards that you have impact your actual search, especially when you have this many indexes? Or, when you get a rejection, what’s the process going on behind the scenes in the actual execution queues? How are those things queued up, and why do you get a rejection versus the next one going through? Things like that. It’s a more consultative relationship. It’s a conversation, and at the end, the results of the conversation tend to present the solution.

Symantec has been engaged with Elastic for two years now. What makes it worthwhile?

Geena: The educational part makes it worthwhile, like learning not just the number of shards to use but why. I can do that for a lot of use cases now, we can make good decisions, and some shard counts are going to be different for different use cases. The Elastic ecosystem keeps expanding with new features and products. Now that I consult for so many Norton Engineering product groups, I need to learn quickly.

Having a dedicated support engineer is having a mentor that helps me grow. This gives me confidence in my technical knowledge when speaking with my engineering colleagues at Symantec.

Is there anything we haven't asked that you would like to add?

Geena: The best thing I can say is that even though I have a PhD in computer science and I've been doing search applications since 1998, I still get a lot of value out of Greg's support. Even after two years, I'm just running into more interesting challenges, and it keeps paying off. 
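The shard fan-out that Greg describes in the search-rejection exchange above (one task on the search thread pool per shard touched, so 14 daily indices with 5 primaries is 70 tasks per query, and 90 days is 450) is easy to reason about with a small model. The following is an added illustration, not code from the interview, from Elastic or from Symantec. Everything numeric in it is an assumption for illustration: 3 data nodes, 13 search threads per node, a bounded search queue of 1000 (the Elasticsearch default for the search thread pool), 5 primaries per daily index and 90 days of retention. Replicas, coordinating-node work and elapsed time are deliberately ignored; the point is only how quickly concurrent multi-day searches fill a per-node queue.

```python
"""Simplified model of Elasticsearch search fan-out and thread-pool rejections.

Constructed example, not Elastic or Symantec code. Every number below
(node count, threads, queue_size, shards per index, retention) is an
assumption; the model only tracks how many shard-level search tasks each
node's bounded search queue can hold before it starts rejecting.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import cycle


@dataclass
class Node:
    name: str
    threads: int        # shard searches executing concurrently on this node
    queue_size: int     # bounded queue behind the threads (ES default: 1000)
    running: int = 0
    queued: int = 0
    rejected: int = 0

    def submit(self) -> bool:
        """Offer one shard-level search task; False means it was rejected."""
        if self.running < self.threads:
            self.running += 1
            return True
        if self.queued < self.queue_size:
            self.queued += 1
            return True
        self.rejected += 1
        return False

    def reset(self) -> None:
        self.running = self.queued = self.rejected = 0


def build_cluster(nodes: int, threads: int, queue_size: int) -> list[Node]:
    return [Node(f"node-{i}", threads, queue_size) for i in range(nodes)]


def place_shards(days: int, shards_per_index: int,
                 cluster: list[Node]) -> dict[str, list[Node]]:
    """Assign each daily index's primaries round-robin across the nodes."""
    spread = cycle(cluster)
    return {f"events-day{d:03d}": [next(spread) for _ in range(shards_per_index)]
            for d in range(days)}


def shard_tasks_per_query(days_searched: int, shards_per_index: int) -> int:
    """One search thread-pool task per shard the query touches."""
    return days_searched * shards_per_index


def simulate(days_searched: int, concurrent_queries: int,
             layout: dict[str, list[Node]], cluster: list[Node]) -> dict[str, int]:
    """All queries arrive at once; each fans out one task per shard it touches.

    Returns accepted/rejected task counts and how many queries saw any rejection
    (a single rejected shard is enough to surface as a search rejection).
    """
    for node in cluster:
        node.reset()
    indices = sorted(layout)[-days_searched:]        # the most recent N daily indices
    accepted = rejected = queries_with_rejection = 0
    for _ in range(concurrent_queries):
        hit = False
        for idx in indices:
            for node in layout[idx]:
                if node.submit():
                    accepted += 1
                else:
                    rejected += 1
                    hit = True
        queries_with_rejection += hit
    return {"accepted": accepted, "rejected": rejected,
            "queries_with_rejection": queries_with_rejection}


def run_scenarios() -> dict[str, dict[str, int]]:
    """Assumed cluster: 3 nodes, 13 search threads each, queue 1000, 5 shards/index."""
    cluster = build_cluster(nodes=3, threads=13, queue_size=1000)
    layout = place_shards(days=90, shards_per_index=5, cluster=cluster)
    return {
        "14d_10users": simulate(14, 10, layout, cluster),
        "14d_50users": simulate(14, 50, layout, cluster),
        "90d_10users": simulate(90, 10, layout, cluster),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

With these assumptions, 10 concurrent 14-day searches never touch the queue limit, but 10 concurrent 90-day searches push 1500 tasks at each node against a capacity of 1013 (13 running plus 1000 queued), so the seventh query onward is partially rejected; even 14-day searches reject once roughly 40 users fire them at the same moment. Raising `queue_size` only moves the cliff; fewer primaries per daily index, fewer days per query, or rollover to larger time buckets reduce the fan-out itself. Newer Elasticsearch versions also throttle per-node shard requests from one search (`max_concurrent_shard_requests`), which changes the arithmetic but not the underlying lesson.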

Interested in other customer stories? Check out USAA's cybersecurity use case with the Elastic Stack or Vandis' centralized logging and syslog threat analysis story.