What is Splunk knowledge?
Splunk is a powerful search and analysis engine that helps you see both the details and the larger patterns in your IT data. When you use Splunk you do more than just look at individual entries in your log files; you leverage the information they hold collectively to find out more about your IT environment.
Splunk automatically extracts different kinds of knowledge from your IT data--events, fields, timestamps, and so on--to help you harness that information in a better, smarter, more focused way. Some of this information is extracted at index time, as Splunk indexes your IT data. But the bulk of this information is created at "search time," both by Splunk and its users. Unlike databases or schema-based analytical tools that decide what information to pull out or analyze beforehand, Splunk enables you to dynamically extract knowledge from raw data as you need it.
As your organization uses Splunk, additional categories of Splunk knowledge objects are created, including event types, tags, lookups, field extractions, workflow actions, and saved searches.
You can think of Splunk knowledge as a multitool that you use to discover and analyze various aspects of your IT data. For example, event types enable you to quickly and easily classify and group together similar events; you can then use them to perform analytical searches on precisely-defined subgroups of events.
The Knowledge Manager manual shows you how to maintain sets of knowledge objects for your organization through Splunk Web, Manager, and configuration files, and it demonstrates ways that Splunk knowledge can be used to solve your organization's real-world problems.
Splunk knowledge is grouped into five categories:
- Data interpretation: Fields and field extractions - Fields and field extractions make up the first order of Splunk knowledge. The fields that Splunk automatically extracts from your IT data help bring meaning to your raw data, clarifying what can at first glance seem incomprehensible. The fields that you extract manually expand and improve upon this layer of meaning.
- Data classification: Event types and transactions - You use event types and transactions to group together interesting sets of similar events. Event types group together sets of events discovered through searches, while transactions are collections of conceptually-related events that span time.
- Data enrichment: Lookups and workflow actions - Lookups and workflow actions are categories of knowledge objects that extend the usefulness of your data in various ways. Field lookups enable you to add fields to your data from external data sources such as static tables (CSV files) or Python-based commands. Workflow actions enable interactions between fields in your data and other applications or web resources, such as a WHOIS lookup on a field containing an IP address.
- Data normalization: Tags and aliases - Tags and aliases are used to manage and normalize sets of field information. You can use tags and aliases to group sets of related field values together, and to give extracted fields tags that reflect different aspects of their identity. For example, you can group events from a set of hosts in a particular location (such as a building or city) together--just give each host the same tag. Or maybe you have two different sources using different field names to refer to the same data--you can normalize your data by using aliases (by aliasing ipaddress, for example).
- Saved searches - Saved searches are another category of Splunk knowledge. Vast numbers of saved searches can be created by Splunk users within an organization, and thoughtful saved search organization ensures that they are discoverable by those who need them. There are also advanced uses for saved searches: they are often used in dashboards, can be turned into reusable search macros, and more.
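The five categories above map onto a handful of configuration files. The following is an added illustration, not configuration from the Knowledge Manager manual or from any Splunk app: it defines one knowledge object of each kind around a constructed SSH authentication log. The sourcetype name example_auth, the host names, the lookup file assets.csv and the field names (user, src_ip, src_port, owner, zone) are all assumptions chosen for the example; the stanza and setting names (EXTRACT-, FIELDALIAS-, LOOKUP-, eventtypes.conf, tags.conf, savedsearches.conf) are standard Splunk settings.

```ini
# ---- props.conf ----------------------------------------------------------
# Data interpretation: a search-time field extraction. Splunk applies the
# regex to each event of this sourcetype at search time and creates the
# named capture groups as fields. Sample event this is written against
# (constructed): "Failed password for admin from 203.0.113.45 port 52311 ssh2"
[example_auth]
EXTRACT-auth_fields = Failed password for (?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+) port (?<src_port>\d+)

# Data normalization: an alias so this source answers to the same field
# name (ipaddress) as other sources that already use it.
FIELDALIAS-normalize_ip = src_ip AS ipaddress

# Data enrichment: a CSV lookup keyed on src_ip that adds owner and zone.
# Refers to the [asset_lookup] stanza in transforms.conf.
LOOKUP-asset_owner = asset_lookup src_ip OUTPUT owner zone

# ---- transforms.conf -----------------------------------------------------
# The lookup definition. assets.csv (constructed, lives in the app's lookups/
# directory) has the header row:  src_ip,owner,zone
[asset_lookup]
filename = assets.csv

# ---- eventtypes.conf -----------------------------------------------------
# Data classification: an event type is a saved search fragment; matching
# events get eventtype=ssh_failed_login at search time.
[ssh_failed_login]
search = sourcetype=example_auth "Failed password"

# ---- tags.conf -----------------------------------------------------------
# Data normalization: tags on the event type, so "tag=authentication" finds
# failed logins regardless of which sourcetype produced them ...
[eventtype=ssh_failed_login]
authentication = enabled
failure = enabled

# ... and tags on hosts, grouping them by location as the text describes.
# Host names are constructed for the example.
[host=bastion01]
datacenter_east = enabled

[host=bastion02]
datacenter_east = enabled

# ---- savedsearches.conf --------------------------------------------------
# Saved search: a scheduled report built on the event type and lookup above.
# It runs every 15 minutes over the previous 15 minutes and lists source
# addresses with more than 20 failures, along with the asset owner.
[SSH repeated authentication failures]
search = eventtype=ssh_failed_login | stats count by src_ip, user, owner, zone | where count > 20
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
```

Each of these objects is independent of the others' storage but composes at search time: the event type only exists because the sourcetype's events match its search, the tag only resolves because the event type exists, and the saved search reads fields that the extraction, alias and lookup create on the fly. That dependency chain is one reason the objects need an owner who tracks them, which the next topic takes up.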
The Knowledge Manager manual also includes a chapter on summary indexing. Summary index setup and oversight is an advanced practice that can benefit from being handled by users in a knowledge management role.
At this point you may be asking the question "Why does Splunk knowledge need to be 'managed' anyway?" For answers, see "Why manage Splunk knowledge?", the next topic in this chapter.
Knowledge managers should have at least a basic understanding of data input setup, event processing, and indexing concepts. For more information, see Prerequisites for knowledge management, the third topic in this chapter.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18