Develop naming conventions for knowledge objects
Develop naming conventions for knowledge objects
We suggest you develop naming conventions for your knowledge objects when it makes sense to do so. If the naming conventions you develop are followed consistently by all of the Splunk users in your organization, you'll find that they become easier to use and that their purpose is much easier to discern at a glance.
You can develop naming conventions for just about every kind of knowledge object in Splunk. Naming conventions can help with object organization, but they can also help users differentiate between groups of saved searches, event types, and tags that have similar uses. And they can help identify a variety of things about the object that may not even be in the object definition, such as what teams or locations use the object, what technology it involves, and what it's designed to do.
Early development of naming conventions for your Splunk implementation will help you avoid confusion and chaos later on down the road.
Use the Common Information Model
Splunk's Common Information Model provides strategies for normalizing your approach to extracted field names, event type tagging, and host tagging. It includes:
- A list of standard custom fields
- An event type tagging system
- Lists of standard host tags
For more information, see "Understand and use the Common Information Model" in this manual.
Example - Set up a naming convention for saved searches
You work in the systems engineering group of your company, and as the knowledge manager for your Splunk implementation, it's up to you to come up with a naming convention for the saved searches produced by your team.
In the end you develop a naming convention that pulls together:
- Group: Corresponds to the working group(s) of the user saving the search.
- Search type: Indicates the type of search (alert, report, summary-index-populating)
- Platform: Corresponds to the platform subjected to the search
- Category: Corresponds to the concern areas for the prevailing platforms.
- Time interval: The interval over which the search runs (or on which the search runs, if it is a scheduled search).
- Description: A meaningful description of the context and intent of the search, limited to one or two words if possible. Ensures the search name is unique.
| Group | Search type | Platform | Category | Time interval | Description |
|---|---|---|---|---|---|
| SEG NEG OPS NOC | Alert Report Summary | Windows iSeries Network | Disk Exchange SQL Event log CPU Jobs Subsystems Services Security | <arbitrary> | <arbitrary> |
Possible saved searches using this naming convention:
- SEG_Alert_Windows_Eventlog_15m_Failures
- SEG_Report_iSeries_Jobs_12hr_Failed_Batch
- NOC_Summary_Network_Security_24hr_Top_src_ip
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.