Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Curate Splunk knowledge with Manager

As your organization uses Splunk, knowledge is added to the base set of event data indexed within it. Searches are saved and scheduled. Tags are added to fields. Event types and transactions that group together sets of events are defined. Lookups and workflow actions are engineered.

Knowledge object creation starts out slowly, but it can get complicated over time. It's easy to reach a point where users are "reinventing the wheel": creating searches that already exist, designing redundant event types, and so on. These things may not be a big issue if your user base is small, but they cause unnecessary confusion and repetition of effort, especially as they accumulate over time.

This chapter discusses how knowledge managers can use Manager to take charge of the knowledge objects in their Splunk system and show them who's boss. Manager can give a savvy and attentive knowledge manager insight into what knowledge objects are being created, who is creating them, and (to some degree) how they are being used.

With Manager, you can easily:

  • Create knowledge objects as necessary, either "from scratch" or through object cloning.
  • Review knowledge objects as they are created, with an eye towards reducing redundancy, ensuring that naming standards are followed, and that "bad" objects are removed before they develop lots of downstream dependencies.
  • Ensure that knowledge objects with relevancy beyond a particular working team, role, or app are made available to other teams, roles, and users of other apps.
  • Delete knowledge objects that do not have significant "downstream" dependencies.

Note: This chapter assumes that as a knowledge manager you have an admin role or a role with an equivalent permission set.

This chapter contains topics that will show you how to:

Using configuration files instead of Manager

In previous releases Splunk users edited Splunk's configuration files directly to add, update, or delete knowledge objects. Now they can use Manager, which provides a user-friendly interface to those very same configuration files.

We do recommend having some familiarity with configuration files. The reasons for this include:

  • Some Manager functionality makes more sense if you understand how things work at the configuration file level. This is especially true for the Field extractions and Field transformations pages in Manager, which are front ends for props.conf and transforms.conf.
  • Functionality exists for certain knowledge object types that isn't (or isn't yet) expressed in the Manager UI.
  • Bulk deletion of obsolete, redundant, or improperly defined knowledge objects is only possible with configuration files.
  • You may find that you prefer to work directly with configuration files. For example, if you're a long-time Splunk user, brought up on our configuration file system, it may be the medium in which you've grown accustomed to dealing with knowledge objects. Other users just prefer the level of granularity and control that configuration files can provide.

Wherever you stand with Splunk's configuration files, we want to make sure you can use them when you find it necessary to do so. To that end, you'll find that the Knowledge Manager manual includes instructions for handling various knowledge object types via configuration files. For more information, see the documentation of those types.
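The review and bulk-deletion work described above (finding redundant searches across apps, then removing a whole class of obsolete stanzas, which Manager cannot do in bulk) can be done against the configuration files directly. The following is an added Python example, not code from the Splunk documentation or product: it uses a small .conf parser written here rather than Splunk's own, the file paths and savedsearches.conf contents are constructed samples, and the `^tmp_` stanza-name pattern is an assumed naming convention for throwaway searches. Run it against a copy of your app directories, keep a backup of any file you rewrite, and restart Splunk afterwards so the change is picked up.

```python
"""Audit saved searches across Splunk apps and bulk-prune obsolete stanzas.

Added example (not Splunk's own code). Splunk .conf files are INI-like:
[stanza] headers, 'key = value' lines, '#' comments, and a trailing backslash
continues a line. That is all this parser handles.
"""
import re
from collections import defaultdict

# Constructed sample: two apps whose savedsearches.conf files overlap.
SAMPLE_CONFS = {
    "etc/apps/search/local/savedsearches.conf": """\
# Saved searches owned by the search app (constructed sample)
[Failed logins by host]
search = index=auth action=failure | stats count by host
cron_schedule = */5 * * * *
enableSched = 1

[tmp_test_search]
search = index=main | head 10
""",
    "etc/apps/secops/local/savedsearches.conf": """\
[Auth failures per host]
search = index=auth action=failure \\
    | stats count by host
enableSched = 0

[tmp_adhoc_2013]
search = index=main error
""",
}

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} in file order.

    Keys before the first header land in the 'default' stanza, as in Splunk.
    """
    stanzas = {}
    current = "default"
    pending = []  # pieces of one logical line joined by backslash continuations
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])
            continue
        pending.append(raw)
        logical = " ".join(piece.strip() for piece in pending).strip()
        pending = []
        if not logical or logical.startswith("#"):
            continue
        header = STANZA_RE.match(logical)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" not in logical:
            continue  # tolerate stray lines rather than abort the audit
        key, _, value = logical.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def normalize_search(search):
    """Collapse whitespace so cosmetically different SPL compares equal."""
    return " ".join(search.split())


def find_duplicate_searches(confs):
    """Map each search string defined more than once to its (path, stanza) list."""
    seen = defaultdict(list)
    for path, text in confs.items():
        for name, attrs in parse_conf(text).items():
            if "search" in attrs:
                seen[normalize_search(attrs["search"])].append((path, name))
    return {spl: locs for spl, locs in seen.items() if len(locs) > 1}


def prune_stanzas(text, name_pattern):
    """Return (new_text, removed_names) with whole stanzas matching the regex dropped.

    Untouched stanzas are copied byte-for-byte, comments included.
    """
    pattern = re.compile(name_pattern)
    kept, removed, dropping = [], [], False
    for line in text.splitlines(keepends=True):
        header = STANZA_RE.match(line.strip())
        if header:
            dropping = bool(pattern.search(header.group(1)))
            if dropping:
                removed.append(header.group(1))
        if not dropping:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    for spl, locs in find_duplicate_searches(SAMPLE_CONFS).items():
        print("duplicate search:", spl)
        for path, name in locs:
            print("   ", path, "->", name)
    path = "etc/apps/search/local/savedsearches.conf"
    new_text, removed = prune_stanzas(SAMPLE_CONFS[path], r"^tmp_")
    print("removed from", path, ":", removed)
```

The duplicate check keys on the normalized search string rather than the stanza name, because that is how redundancy actually shows up: two teams name the same search differently. The pruner works line by line and never rewrites the stanzas it keeps, so a diff of the before and after file shows only the deletions. The same two functions apply unchanged to eventtypes.conf or tags.conf; only the attribute you compare on changes.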

For general information about configuration files in Splunk, see the following topics in the Admin manual:

You can find examples of the current configuration .spec and .example files in the "Configuration file reference" chapter of the Admin manual.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
