Prerequisites for knowledge management
Most knowledge management tasks are centered around "search time" event manipulation. In other words, a typical knowledge manager usually doesn't focus their attention on work that takes place before events are indexed, such as setting up data inputs, adjusting event processing activities, correcting default field extraction issues, creating and maintaining indexes, setting up forwarding and receiving, and so on.
However, we do recommend that all knowledge managers have a good understanding of these "Splunk admin" concepts. A solid grounding in these subjects enables knowledge managers to better plan their approach to managing knowledge objects for their deployment, and it helps them troubleshoot the issues that will inevitably come up over time.
Here are some of the "admin" topics that knowledge managers should be familiar with, with links to get you started:
- Working with Splunk apps: If your deployment uses more than one Splunk app, you should get some background on how they're organized and how app object management works within multi-app deployments. See "What's an app?", "App architecture and object ownership", and "Manage app objects" in the Admin manual.
- Configuration file management: Where are Splunk's configuration files? How are they organized? How do configuration files take precedence over each other? See "About configuration files" and "Configuration file precedence" in the Admin manual.
- Indexing with Splunk: What is an index and how does it work? What is the difference between "index time" and "search time" and why is this distinction significant? Start with "About indexes and indexers" in the Managing Indexers and Clusters manual and read the rest of the chapter. Pay special attention to "Index time vs search time".
- Getting event data into Splunk: It's important to have at least a baseline understanding of Splunk data inputs. Check out "What Splunk can index" and read the other topics in the Getting Data In manual as necessary.
- Understand your forwarding and receiving setup: If your Splunk deployment utilizes forwarders and receivers, it's a good idea to get a handle on how they've been implemented, as this can affect your knowledge management strategy. Get an overview of the subject at "About forwarding and receiving" in the Distributed Deployment manual.
- Understand event processing: It's a good idea to get a solid grounding in the steps that Splunk goes through to "parse" data before it indexes it. This knowledge can help you troubleshoot problems with your event data and recognize "index time" event processing issues. Start with "Overview of event processing" in the Getting Data In manual and read the entire chapter.
- Default field extraction: Most field extraction takes place at search time, with the exception of certain default fields, which get extracted at index time. As a knowledge manager, most of the time you'll concern yourself with search-time field extraction, but it's a good idea to know how default field extraction can be managed when it's absolutely necessary to do so. This can help you troubleshoot issues with the sourcetype and other default fields that Splunk applies to each event. Start with "About default fields" in the Getting Data In manual.
- Managing users and roles: Knowledge managers typically do not directly set up users and roles. However, it's a good idea to understand how they're set up within your deployment, as this directly affects your efforts to share and promote knowledge objects between groups of users. For more information, start with "About users and roles" in the Admin manual, and read the rest of the chapter as necessary.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18