Table of Contents
- Splunk Knowledge Objects
- Splunk Report and Dashboard Creation
I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit splunk for the official learning courses
Splunk Q&A Study Guide
2. Splunk Knowledge Objects
What are knowledge objects?
Knowledge objects are tools that help you and your users discover and analyze your data
What are the 5 categories of knowldge objects?
Data Interpretation, Data Enrichment, Data Classification, Data Normalization, and Data Models
What makes knowledge objects powerful tools for your splunk deployment?
They can be created by one user and shared with other users, based on permission settings, they can be saved and reused by multiple people or in multiple apps, and they can be used in a search
What are the responsibilities of a Knowledge Manager?
They oversee knowledge object creation and usage for a Splunk deployment, implementing naming conventions, normalize event data, and creating data models for pivot users in order to keep the toolbox clean and efficient
What type of search fields does Data Interptetation have?
Fields, field extraction, calculated fields
How does Data Classification help?
It hs event types that allow you to categorize events based on search terms and transactions are groups of conceptually related events that span time
How does Data Enrichment help?
It has lookups which allows you to add other fields and values to your events not included in the index data. The workflow actions let us create links within events that interact with external resources or narrow our search
How does Data Normalization help?
Allows us to use tags to designate decriptive names for key value pairs. They enable you to search for events that contain particular field values, almost like just adding labels to your data. Field aliases give you a way to normalise data over multiple sources. You can assign more than one aliases to any extracted field and apply to fields from a lookup table
How do Data Models help?
Data models are heirarchically structured datasets, which may consist of events, searches, and/or transactions.
3. Splunk Report and Dashboard Creation
Why would you want to save a report?
To be able to reference it in the future without running the same search again
What should the organization do before saving reports?
Define a naming convention in order to keep reports organized and easy to find
Where can you access saved reports?
In the reports tab from the application menu
Who can view a report once it is created?
The owner who created it, but you can change permisions to allow other users in the app to view it as well. All apps in only available to those with an admin role and power users a granted read/write on the report
When setting Run As, which should you choose in order to prevent other from being able to see confidential data?
What do you use to schedule report runs at time intervals?
What different ways are you able to save reports for visual presention in Content?
Bar Chart and Statistics Table, Bar Chart, or Statistics Table
What data can viewed as a chart?
Any data that returns statistical data
After running a search and hovering over an item in the sidebar, what are the report options you can run?
Top values, Top values by time, Rare values, and Events with this field
What can charts be based off on?
Numbers, time, and location
What are the different option to Save As a visualization report?
Report, Dashboard Panel, Alert, or Event Type
What is a Dashboard?
A collection of reports compiled into a single pane of glass allowing you and your users quick visual acces to your data
What options can you choose from when adding a New Panel?
New, New from Report, Clone from Dashboard, and Add Prebuilt Panel