Prerequisites for knowledge management
Most knowledge management tasks are centered around "search time" event manipulation. In other words, a typical knowledge manager usually doesn't focus their attention on work that takes place before events are indexed, such as setting up data inputs, adjusting event processing activities, correcting default field extraction issues, creating and maintaining indexes, setting up forwarding and receiving, and so on.
However, we do recommend that all knowledge managers have a good understanding of these concepts. A solid grounding in these subjects enables knowledge managers to better plan their approach to managing knowledge objects for their deployment, and it helps them troubleshoot issues that will inevitably come up over time.
Here are some topics that knowledge managers should be familiar with, with links to get you started:
- Inherit a Splunk Enterprise deployment: If you have inherited a Splunk Enterprise deployment, you can find more information on your deployment's network characteristics, data sources, user population, and knowledge objects in the "Introduction" in the Inherited Deployment manual.
- Working with Splunk apps: If your deployment uses more than one Splunk app, you should get some background on how they're organized and how app object management works within multi-app deployments. See "What's an app?", "App architecture and object ownership", and "Manage app objects" in the Admin manual.
- Configuration file management: Where are the configuration files? How are they organized? How do configuration files take precedence over each other? See "About configuration files" and "Configuration file precedence" in the Admin manual.
- Indexing incoming data: What is an index and how does it work? What is the difference between "index time" and "search time" and why is this distinction significant? Start with "About indexes and indexers" in the Managing Indexers and Clusters manual and read the rest of the chapter. Pay special attention to "Index time vs search time".
- Getting event data into your Splunk deployment: It's important to have at least a baseline understanding of Splunk data inputs. Check out "What Splunk can index" and read the other topics in the Getting Data In manual as necessary.
- Understand your forwarding and receiving setup: If your Splunk deployment utilizes forwarders and receivers, it's a good idea to get a handle on how they've been implemented, as this can affect your knowledge management strategy. Get an overview of the subject at "About forwarding and receiving" in the Forwarding Data manual.
- Understand event processing: It's a good idea to get a good grounding in the steps that Splunk software goes through to "parse" data before it indexes it. This knowledge can help you troubleshoot problems with your event data and recognize "index time" event processing issues. Start with "Overview of event processing" in the Getting Data In manual and read the entire chapter.
- Default field extraction: Most field extraction takes place at search time, with the exception of certain default fields, which get extracted at index time. As a knowledge manager, most of the time you'll concern yourself with search-time field extraction, but it's a good idea to know how default field extraction can be managed when it's absolutely necessary to do so. This can help you troubleshoot issues with the sourcetype fields that Splunk software applies to each event. Start with "About default fields" in the Getting Data In manual.
- Managing users and roles: Knowledge managers typically do not directly set up users and roles. However, it's a good idea to understand how they're set up within your deployment, as this directly affects your efforts to share and promote knowledge objects between groups of users. For more information, start with "About users and roles" in the Admin manual, and read the rest of the chapter as necessary.
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6