Splunk Enterprise — Knowledge Objects

Table of Contents

  1. Preface
  2. Knowledge Objects
  3. Settings
  4. Management
  5. Debrief

1. Preface

I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit Splunk for the official learning courses

Splunk Q&A Study Guide:

Part 1

Part 2

Part 3

Splunk Enterprise — Q&A — Fields

2. Knowledge Objects

Knowledge objects are tools that let you discover and analyze your data, the primary types of knowledge objects are

  • fields
  • field extractions — regex/delimiter
  • field aliases — normalize data
  • calculated fields — perform calculations based on the values of existing fields
  • lookups — additional fields and values that are not contained in your data can be added to your events using a lookup, based on sources such as CSV and can be configured to append additional fields to events found in your search
  • event types — provides a way to help you categorize your data by saving search terms to an event type
  • tags — field value pairs can be saved as tags, which are labels for your data and can be used in search like event types
  • workflow actions — workflow actions provide links within events that interact with external resources or narrow our search and use the HTTP POST or HTTP GET method
  • reports — saved searches
  • alerts — saved searched that provide notifications
  • macros — search string or portions of search strings that can be reused in multiple places within Splunk, allow you to store entire search strings, including commands
  • data models — hierarchically structured datasets that can consist of three types of datasets: events, searches, and/or transactions, can also be used in Pivot to explore data in a graphical interface without ever having to understand the Splunk search language

As a knowledge manager you have to know how your colleagues will use knowledge objects to help you create, edit, and manage them

3. Settings

Developing a naming convention will help Users know exactly what each knowledge object does and will help keep the Splunk toolbox uncluttered, it is suggested to name objects using six segmented keys

  • Group
  • Type
  • Platform
  • Category
  • Time
  • Description

OPS_WFA_NETWORK_SECURITY_NA_IPWHOISACTION, in order

Permission play a major role when creating and sharing knowledge objects Splunk and there are thee predefined ways knowledge objects can be displayed to users:

  • Private
  • Specific App
  • All Apps

Users creates an object it is automatically set to Private and only available to that user,

Power and admin users are allowed to create knowledge objects that can be shared for all users of an app, they may allow other roles to edit the object by granting their role with write permissions, or hide it from them by removing read permissions,

an admin is the only user role that is allowed to make knowledge objects available to all apps, as with “shared in app” objects these are automatically made readable to all users, but the admin an choose to grant read and write access per role, admins can also read and edit private objects created by any role

4. Management

Knowledge objects can be centrally managed under the Knowledge header in the Settings menu, from there you can manage objects by type, once in a management page you will be able to filter and see actions that can be applied to the objects, these might include changing permissions, editing, moving, and deleting objects, your role will determine your ability to modify an object’s settings,

If you are not sure which management page to use for your knowledge object you can use the All Configurations page to see all objects on the deployment,

Users with an admin role will see a “Reassign Knowledge Objects” button ownership of knowledge objects can be assigned to another user,

this is especially helpful when you have a user that has left the organization but has knowledge objects that should live on within the deployment

5. Debrief

I hoped this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing and this and will be making more notes in the future.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store