Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Why manage Splunk Enterprise knowledge?

If you have to maintain a fairly large number of knowledge objects across your Splunk Enterprise deployment, you know that management of that knowledge is important. This is especially true of organizations that have a large number of Splunk Enterprise users, and even more so if you have several teams of users working with Splunk Enterprise. This is simply because a greater proliferation of users leads to a greater proliferation of additional Splunk Enterprise knowledge.

When you leave a situation like this unchecked, your users may find themselves sorting through large sets of objects with misleading or conflicting names, struggling to find and use objects that have unevenly applied app assignments and permissions, and wasting precious time creating objects such as reports and field extractions that already exist elsewhere in the system.

Splunk Enterprise knowledge managers provide centralized oversight of Splunk Enterprise knowledge. The benefits that knowledge managers can provide include:

  • Oversight of knowledge object creation and usage across teams, departments, and deployments. If you have a large Splunk Enterprise deployment spread across several teams of users, you'll eventually find teams "reinventing the wheel" by designing objects that other teams have already developed. Knowledge managers can mitigate these situations by monitoring object creation and ensuring that useful "general purpose" objects are shared globally across deployments.
    For more information, see "Monitor and organize knowledge objects" in this manual.
  • Normalization of event data. To put it plainly: knowledge objects proliferate. Although Splunk Enterprise is based on data indexes, not databases, the basic principles of normalization still apply. It's easy for any robust, well-used Splunk Enterprise implementation to end up with a dozen tags that have all been applied to the same field, and as these redundant knowledge objects stack up, the result is confusion and inefficiency for its users. We'll provide you with some tips about normalizing your knowledge object libraries by applying uniform naming standards and using the Splunk Enterprise Common Information Model.
    For more information, see "Develop naming conventions for knowledge objects" in this manual.
  • Management of knowledge objects through configuration files. True knowledge management experts know how and when to leverage the power of configuration files when it comes to the administration of Splunk Enterprise knowledge. Certain aspects of knowledge object setup are best handled through configuration files, and this manual shows you how to work with knowledge objects this way.
    See "Create search time field extractions" in this manual for an example of how you can manage Splunk Enterprise knowledge through configuration files.
  • Creation of data models for Pivot users. Splunk Enterprise offers the Pivot tool for users who want to quickly create tables, charts, and dashboards without having to write search strings that can sometimes be long and complicated. The Pivot tool is driven by data models: without a data model, Pivot has nothing to report on. Data models are designed by Splunk Enterprise knowledge managers: people who understand the format and semantics of their indexed data, and who are familiar with the Splunk Enterprise search language.
    See "About data models" in this manual for a conceptual overview of data model architecture and usage.
  • Management of the setup and usage of summary-based search and pivot acceleration tools. Large volumes of data can result in slow performance for Splunk Enterprise, whether you're launching a search, running a report, or trying to use Pivot. To speed things up, the knowledge manager can make use of report acceleration, data model acceleration, and summary indexing to help ensure that the teams in your deployment get results quickly and efficiently. This manual shows you how to provide centralized oversight of these acceleration strategies so you can ensure that they are being used responsibly and effectively.
    For more information, see "Overview of summary-based search and pivot acceleration" in this manual.
Last modified on 02 September, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
