Splunk Enterprise — Q&A — 3

D.M.
4 min read · Apr 23, 2022

Table of Contents

  1. Preface
  2. Splunk Knowledge Objects
  3. Splunk Report and Dashboard Creation
  4. Debrief

1. Preface

I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit Splunk for the official learning courses.

Splunk Q&A Study Guide

Part 1

Part 2

Part 3

2. Splunk Knowledge Objects

What are knowledge objects?

Knowledge objects are tools that help you and your users discover and analyze your data.

What are the 5 categories of knowledge objects?

Data Interpretation, Data Enrichment, Data Classification, Data Normalization, and Data Models

What makes knowledge objects powerful tools for your Splunk deployment?

They can be created by one user and shared with other users based on permission settings; they can be saved and reused by multiple people or in multiple apps; and they can be used in a search.

What are the responsibilities of a Knowledge Manager?

They oversee knowledge object creation and usage for a Splunk deployment, implementing naming conventions, normalizing event data, and creating data models for pivot users in order to keep the toolbox clean and efficient.

What type of search fields does Data Interpretation have?

Fields, field extraction, and calculated fields.

How does Data Classification help?

It has event types, which allow you to categorize events based on search terms, and transactions, which are groups of conceptually related events that span time.

How does Data Enrichment help?

It has lookups, which allow you to add other fields and values to your events that are not included in the index data. Workflow actions let us create links within events that interact with external resources or narrow our search.

How does Data Normalization help?

It allows us to use tags to designate descriptive names for key-value pairs. Tags enable you to search for events that contain particular field values, almost like just adding labels to your data. Field aliases give you a way to normalize data over multiple sources. You can assign more than one alias to any extracted field and apply aliases to fields from a lookup table.

How do Data Models help?

Data models are hierarchically structured datasets, which may consist of events, searches, and/or transactions.

3. Splunk Report and Dashboard Creation

Why would you want to save a report?

To be able to reference it in the future without running the same search again.

What should the organization do before saving reports?

Define a naming convention in order to keep reports organized and easy to find.

Where can you access saved reports?

In the Reports tab from the application menu.

Who can view a report once it is created?

The owner who created it, but you can change permissions to allow other users in the app to view it as well. "All apps" is only available to those with an admin role, and power users are granted read/write on the report.

When setting Run As, which option should you choose in order to prevent others from being able to see confidential data?

User

What do you use to schedule report runs at time intervals?

Edit Schedule

What different ways are you able to save reports for visual presentation in Content?

Bar Chart and Statistics Table, Bar Chart, or Statistics Table

What data can be viewed as a chart?

Any data that returns statistical data.

After running a search and hovering over an item in the sidebar, what are the report options you can run?

Top values, Top values by time, Rare values, and Events with this field

What can charts be based on?

Numbers, time, and location.

What are the different options to Save As a visualization report?

Report, Dashboard Panel, Alert, or Event Type

What is a Dashboard?

A collection of reports compiled into a single pane of glass, allowing you and your users quick visual access to your data.

What options can you choose from when adding a New Panel?

New, New from Report, Clone from Dashboard, and Add Prebuilt Panel

4. Debrief

I hope this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing this and will be making more in the future, as it is also helping me study the basics.


D.M.

Experienced Cyber Security/Intelligence Analyst with a demonstrated history of working in the US Military and IT industry.