Curate Splunk knowledge with Manager
As your organization uses Splunk, knowledge is added to the base set of event data indexed within it. Searches are saved and scheduled. Tags are added to fields. Event types and transactions that group together sets of events are defined. Lookups and workflow actions are engineered.
The process of knowledge object creation starts out slow, but can get complicated over time. It's easy to reach a point where users are "reinventing the wheel," creating searches that already exist, designing redundant event types, and so on. These things may not be a big issue if your user base is small, but they can cause unnecessary confusion and repetition of effort, especially as they accumulate over time.
This chapter discusses how knowledge managers can use Manager to take charge of the knowledge objects in their Splunk system and show them who's boss. Manager can give a savvy and attentive knowledge manager insight into what knowledge objects are being created, who they're being created by, and (to some degree) how they are being used.
With Manager, you can easily:
- Create knowledge objects as necessary, either "from scratch" or through object cloning.
- Review knowledge objects as they are created, with an eye towards reducing redundancy, ensuring that naming standards are followed, and removing "bad" objects before they develop lots of downstream dependencies.
- Ensure that knowledge objects with relevancy beyond a particular working team, role, or app are made available to other teams, roles, and users of other apps.
- Delete knowledge objects that do not have significant "downstream" dependencies.
Note: This chapter assumes that as a knowledge manager you have an admin role or a role with an equivalent permission set.
This chapter contains topics that will show you how to:
- Keep your knowledge object collections normalized and orderly.
- Develop naming conventions for your knowledge objects that will make them easier to understand and use.
- Use the Common Information Model to normalize your event data.
- Manage your knowledge object permissions. Make a knowledge object available to users of a specific app, users with a specific role, or users of all apps (what we call "global" permissions).
- Disable or delete knowledge objects. Understand the restrictions on knowledge object deletion. Know the risks of deleting knowledge objects with downstream dependencies.
Using configuration files instead of Manager
In previous releases, Splunk users edited Splunk's configuration files directly to add, update, or delete knowledge objects. Now they can use Manager, which provides a user-friendly interface to those very same configuration files.
We do recommend having some familiarity with configuration files. The reasons for this include:
- Some Manager functionality makes more sense if you understand how things work at the configuration file level. This is especially true for the Field extractions and Field transformations pages in Manager.
- Functionality exists for certain knowledge object types that isn't (or isn't yet) expressed in the Manager UI.
- Bulk deletion of obsolete, redundant, or improperly defined knowledge objects is only possible with configuration files.
- You may find that you prefer to work directly with configuration files. For example, if you're a long-time Splunk user, brought up on our configuration file system, it may be the medium in which you've grown accustomed to dealing with knowledge objects. Other users just prefer the level of granularity and control that configuration files can provide.
Wherever you stand with Splunk's configuration files, we want to make sure you can use them when you find it necessary to do so. To that end, you'll find that the Knowledge Manager manual includes instructions for handling various knowledge object types via configuration files. For more information, see the documentation of those types.
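The redundancy problem described above (users "reinventing the wheel" with searches that already exist) is easiest to spot at the configuration file level, where every saved search is a stanza. The following script is an added example, not code from the Splunk documentation or product: it parses a Splunk-style .conf file, inventories the saved searches it contains, and flags stanzas whose search strings are equivalent after whitespace and case normalization. The conf content is constructed for this example; the key names `search`, `cron_schedule`, `enableSched` and `disabled` are the ones savedsearches.conf uses, but the stanza names and values are invented.

```python
"""Inventory saved searches in a Splunk-style .conf file and flag
duplicates. Sample input is constructed for this example and is not
taken from any real deployment."""

import re
from collections import defaultdict

# Constructed sample of savedsearches.conf content. Stanza names are the
# saved-search names; the keys follow the real savedsearches.conf key
# names (search, cron_schedule, enableSched, disabled).
SAMPLE_CONF = """
# saved searches (constructed example)
[Failed logins by host]
search = index=auth action=failure \\
    | stats count by host
cron_schedule = */15 * * * *
enableSched = 1

[failed_logins_by_host_copy]
search = index=auth action=failure | stats count by host
enableSched = 0

[Web errors]
search = index=web status>=500 | stats count by uri
disabled = 1
"""


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}.
    Handles '#' comment lines and backslash line continuations."""
    logical_lines = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw
        if line.rstrip().endswith("\\"):
            # Continuation: drop the backslash and join with the next line.
            pending = line.rstrip()[:-1].rstrip() + " "
            continue
        pending = ""
        logical_lines.append(line)

    stanzas = {}
    current = None
    for line in logical_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = re.match(r"^\[(.+)\]$", stripped)
        if match:
            current = match.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            continue  # key outside any stanza or malformed line
        key, value = stripped.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def normalize_search(spl):
    """Collapse whitespace and case so cosmetic differences do not hide duplicates."""
    return " ".join(spl.split()).lower()


def find_duplicate_searches(stanzas):
    """Group saved searches whose search strings are equivalent after
    normalization; return only groups with more than one member."""
    groups = defaultdict(list)
    for name, attrs in stanzas.items():
        if "search" in attrs:
            groups[normalize_search(attrs["search"])].append(name)
    return {spl: sorted(names) for spl, names in groups.items() if len(names) > 1}


def inventory(stanzas):
    """Summarize each saved search: whether it is scheduled and whether it is disabled."""
    return [
        {
            "name": name,
            "scheduled": attrs.get("enableSched") == "1",
            "disabled": attrs.get("disabled") == "1",
        }
        for name, attrs in stanzas.items()
    ]


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for row in inventory(parsed):
        print(row)
    for spl, names in find_duplicate_searches(parsed).items():
        print("duplicate search:", spl, "->", names)
```

Run it against a real savedsearches.conf by replacing `SAMPLE_CONF` with the file contents; the duplicate groups it reports are candidates for the review and removal described above, to be checked for downstream dependencies before anything is deleted.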
For general information about configuration files in Splunk, see the following topics in the Admin manual:
You can find examples of the current configuration .example files in the "Configuration file reference" chapter of the Admin manual.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18