Splunk - Knowledge Management




Splunk knowledge management is about maintenance of knowledge objects for a Splunk Enterprise implementation. Below are the main features of knowledge management.

  • Ensure that knowledge objects are being shared and used by the right groups of people in the organization.

  • Normalize event data by implementing knowledge object naming conventions and retiring duplicate or obsolete objects.

  • Oversee strategies for improved search and pivot performance (report acceleration, data model acceleration, summary indexing, batch mode search).

  • Build data models for Pivot users.

Knowledge Object

A knowledge object is a Splunk object used to get specific information about your data. When you create a knowledge object, you can keep it private or share it with other users. Examples of knowledge objects are saved searches, tags, field extractions, and lookups.

Uses of Knowledge Objects

As you use the Splunk software, knowledge objects are created and saved. Over time they may contain duplicate information, or they may not be used effectively by their intended audience. To address such issues, we need to manage these objects. This is done by classifying them properly and then using proper permission management to handle them. Below is the classification and use of the various knowledge objects.

  • Fields and field extractions - Fields and field extractions are the first layer of Splunk software knowledge. The fields that the Splunk software automatically extracts from IT data help bring meaning to the raw data. Manually extracted fields expand and improve upon this layer of meaning.

  • Event types and transactions - Use event types and transactions to group together interesting sets of similar events. Event types group together sets of events discovered through searches. Transactions are collections of conceptually-related events that span time.

  • Lookups and workflow actions - Lookups and workflow actions are categories of knowledge objects that extend the usefulness of your data in various ways. Field lookups enable you to add fields to your data from external data sources such as static tables (CSV files) or Python-based commands. Workflow actions enable interactions between fields in your data and other applications or web resources, such as a WHOIS lookup on a field containing an IP address.

  • Tags and aliases - Tags and aliases are used to manage and normalize sets of field information. You can use tags and aliases to group sets of related field values together, and to give extracted fields tags that reflect different aspects of their identity. For example, you can group events from a set of hosts in a particular location (such as a building or city) together--just give each host the same tag. Or maybe you have two different sources using different field names to refer to the same data--you can normalize your data by using aliases (by aliasing clientip to ipaddress, for example).

  • Data models - Data models are representations of one or more datasets, and they drive the Pivot tool, enabling Pivot users to quickly generate useful tables, complex visualizations, and robust reports without needing to interact with the Splunk software search language. Data models are designed by knowledge managers who fully understand the format and semantics of their indexed data. A typical data model makes use of other knowledge object types.
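As an added example (not from the original page or Splunk's documentation), here is how the field extraction, alias, lookup, tag, and event type objects described above might be defined in Splunk's configuration files. The sourcetype, host names, CSV file, and field names are constructed for illustration.

```ini
# props.conf (constructed example; sourcetype, file and field names are assumed)
[access_combined_custom]
# Field extraction: pull the client IP and HTTP status out of the raw event text
EXTRACT-client = ^(?<clientip>\d{1,3}(?:\.\d{1,3}){3}) .* (?<status>\d{3}) \d+$
# Alias: normalize this source's clientip to the shared ipaddress field name
FIELDALIAS-normalize_ip = clientip AS ipaddress
# Lookup: enrich events with owner and criticality from a static CSV keyed by ipaddress
LOOKUP-asset_owner = asset_lookup ipaddress OUTPUT owner asset_criticality

# transforms.conf
# Constructed CSV with columns: ipaddress,owner,asset_criticality
[asset_lookup]
filename = assets.csv

# tags.conf
# Tag hosts in one location so searches can use tag=location_nyc instead of listing hosts
[host=web-nyc-01]
location_nyc = enabled
[host=web-nyc-02]
location_nyc = enabled

# eventtypes.conf
# Event type grouping failed web authentication events found through a search
[failed_web_auth]
search = sourcetype=access_combined_custom (status=401 OR status=403)

# A search combining the objects above, for a reviewer of failed logins per asset:
#   tag=location_nyc eventtype=failed_web_auth | stats count by ipaddress owner asset_criticality
```

Because the alias and lookup are attached to the sourcetype, any search over these events sees ipaddress and owner without the analyst needing to know the source's original field name.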

We will see some of the examples of these knowledge objects in the subsequent chapters.


