Step 4: Add objects
Objects are configurations within your app that are local in scope and permissionable. This means that objects can be scoped to an app and can have read and write permissions set. For example, saved searches are objects that only show up within a given app (unless configured to be global). Users can be granted read only or read/write permissions on any saved search.
When you build an app, you typically add a number of objects that add knowledge to your app, making it more useful. The Knowledge Manager Manual covers the objects available from Splunk, and also covers their configuration details.
Available object types
Here's a list of object types available in Splunk:
- Saved searches
- Event types
- Dashboards, form searches, and other views
- Field extractions
- Search commands
Each of these object types has a use within your app. Use this page as a reference to figure out which objects you want to use, then refer to the topic in the Knowledge Manager Manual to learn more about how to configure the object you want.
Saved searches and reports
Saved searches and reports are the building block of most Splunk apps. Use saved searches and reports to dynamically capture important pieces of your data. Display them in your app on a dashboard, or add them to a drop-down menu in Splunk Web to run as needed. Use saved searches as a shortcut to launch interesting and relevant searches into whatever data you've loaded into your app. Saved searches are useful when building dashboards as you can schedule your saved search to run and collect data so that when your dashboard loads, the search results are already available.
Configure event types to capture and share knowledge in your app. Learn more about event types in the Knowledge Manager manual.
Splunk automatically extracts fields from your data. You may want to add in your own custom fields to your app, however. For example, you may have some custom data in your app that you want to showcase in your results by creating a new field. Read more about fields in the Knowledge Manager manual.
Tags are another way to add metadata to your data. Any tags you create you can add to your app. Read more about tags in the Knowledge Manager Manual.
Customize Splunk's UI by building views. Views include dashboards and search views and present the knowledge objects you've built in your app. Dashboards generally contain links to relevant searches, as well as any reports you want to display upon loading your app. Search views let you run searches on an ad-hoc basis.
Permissions for objects
Set default permissions for objects in your app in Step 5: set permissions.
Step 3: Add configurations
Step 5: Set permissions
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18