View app and add-on objects
When you create an app or add-on, Splunk Enterprise creates a collection of objects that makes up the app or add-on. These objects can include views, commands, navigation items, event types, saved searches, reports, and so on.
In addition, each app object has role-based permissions associated with it that determine who can view or edit the object. By default, the Splunk Enterprise admin user has write permissions and can edit all objects across the system.
Use Splunk Web to view all objects that pertain to a specific app or add-on, as follows:
- In Splunk Web, click Settings > All configurations.
- In the App context menu, select the name of the app whose objects you want to view.
- Select the Show only objects created in this app context check box.
For more information, see:
Identify apps that use the KV store
The KV store resides on every Splunk Enterprise version 6.2 or later instance by default and is often active on search heads. KV store can maintain state information about apps. In addition, some apps, like Enterprise Security, use the KV store for lookups. KV store replicates its data across search heads using port 8191 by default. KV store processes are independent of a search head cluster's processes.
Discover KV store members using the Splunk command line interface. See About the CLI in the Admin Manual.
- Log in to a search head.
- At the command line, from the Splunk installation directory, type ./splunk show kvstore-status
Make note of the following:
- Whether disabled is 1 or 0.
- Which nodes are members of the KV store cluster.
- The port number that KV store is using.
Add the KV store members and port numbers to your deployment diagram. This command also returns information on which node is captain, but this information is not useful at this stage. Captaincy can change, so leave this detail off of your diagram.
Next, determine which apps, if any, use the KV store.
Apps that use the KV store have collections.conf defined in $SPLUNK_HOME/etc/apps/<app name>/default. In addition, transforms.conf has references to the collections with external_type = kvstore.
For a list of apps that have collections defined:
- Log in to a search head.
- At the command line, from the Splunk installation directory, type ./splunk btool collections list --debug
- In the results, look for items in
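The btool output from the procedure above can be long on a search head with many apps. As an added example (not from the Splunk documentation), the following Python script parses constructed btool --debug output for collections.conf and transforms.conf, attributes each collection stanza to the app whose file defines it, and lists the transforms.conf lookups that set external_type = kvstore. The app names, paths and settings are constructed sample data, and the layout of --debug output (source file path, whitespace, conf line) is an assumption of the parser.

```python
import re
from collections import defaultdict

# Constructed sample of `./splunk btool collections list --debug` output.
# btool --debug prefixes every line with the file it came from; the app
# names, paths and settings here are made up for the example.
BTOOL_COLLECTIONS = """\
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/collections.conf [asset_lookup]
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/collections.conf field.ip = string
/opt/splunk/etc/apps/example_app/default/collections.conf [host_state]
/opt/splunk/etc/apps/example_app/local/collections.conf   field.status = string
/opt/splunk/etc/system/default/collections.conf           [default]
"""

# Constructed sample of `./splunk btool transforms list --debug` output.
BTOOL_TRANSFORMS = """\
/opt/splunk/etc/apps/example_app/default/transforms.conf [host_state_lookup]
/opt/splunk/etc/apps/example_app/default/transforms.conf external_type = kvstore
/opt/splunk/etc/apps/example_app/default/transforms.conf collection = host_state
/opt/splunk/etc/apps/example_app/default/transforms.conf [hosts_csv]
/opt/splunk/etc/apps/example_app/default/transforms.conf filename = hosts.csv
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<conf>.+)$")
APP_RE = re.compile(r"/etc/apps/(?P<app>[^/]+)/")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_btool_debug(output):
    """Yield (app, stanza, key, value) from btool --debug output.

    A stanza header yields key=None. The app is taken from the
    /etc/apps/<app>/ segment of the source path; files outside etc/apps
    (for example etc/system) are reported as "system". Settings are
    attributed to the app that printed the stanza header, even when a
    later line for the same stanza comes from another file (local override).
    """
    app = stanza = None
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, conf = m.group("path"), m.group("conf").strip()
        app_match = APP_RE.search(path)
        line_app = app_match.group("app") if app_match else "system"
        header = STANZA_RE.match(conf)
        if header:
            stanza, app = header.group("name"), line_app
            yield app, stanza, None, None
        elif stanza is not None and "=" in conf:
            key, _, value = conf.partition("=")
            yield app, stanza, key.strip(), value.strip()


def collections_by_app(collections_output):
    """Map each app to the collection stanzas its collections.conf defines."""
    result = defaultdict(list)
    for app, stanza, key, _ in parse_btool_debug(collections_output):
        # [default] carries defaults for every collection; it is not a collection.
        if key is None and stanza != "default":
            result[app].append(stanza)
    return dict(result)


def kvstore_lookups(transforms_output):
    """Return transforms.conf lookup stanzas that use external_type = kvstore."""
    stanzas = {}
    for app, stanza, key, value in parse_btool_debug(transforms_output):
        entry = stanzas.setdefault(stanza, {"app": app})
        if key is not None:
            entry[key] = value
    return {
        name: {"app": e["app"], "collection": e.get("collection")}
        for name, e in stanzas.items()
        if e.get("external_type") == "kvstore"
    }


def kvstore_apps(collections_output, transforms_output):
    """Sorted list of apps that define collections or KV store lookups."""
    apps = set(collections_by_app(collections_output))
    apps.update(v["app"] for v in kvstore_lookups(transforms_output).values())
    return sorted(apps)


if __name__ == "__main__":
    for app, names in collections_by_app(BTOOL_COLLECTIONS).items():
        print(f"{app}: collections {names}")
    for name, info in kvstore_lookups(BTOOL_TRANSFORMS).items():
        print(f"lookup {name} -> collection {info['collection']} ({info['app']})")
    print("apps using the KV store:", kvstore_apps(BTOOL_COLLECTIONS, BTOOL_TRANSFORMS))
```

To run it against a live search head, replace the two constructed strings with the captured output of the two btool commands; the resulting app list is what belongs on the deployment diagram next to the KV store members.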
For more information, see:
Identify deployment apps
Distributed Splunk Enterprise deployments use the deployment server to distribute app and configuration file updates to groups of Splunk Enterprise components, such as forwarders, non-clustered indexers, and search heads. These apps and configuration files are called deployment apps. Deployment apps reside on a Splunk Enterprise instance that has been assigned the deployment server role, and are located in the directory
View your deployment apps in Splunk Web:
- Identify which Splunk Enterprise instance is assigned the deployment server role. For help discovering the correct Splunk Enterprise instance, see Discover management components in this manual.
- Log in to the deployment server.
- Click Settings > Forwarder management.
- On the Forwarder Management page, note the following:
- Apps. Apps are the deployment apps currently being distributed by the deployment server.
- Clients. Clients are the remote Splunk Enterprise instances to which the deployment server distributes the deployment apps.
- Server Classes. Server classes are groups of deployment clients. The server class determines the specific set of clients that receive the app update.
- Record server classes on your deployment diagram.
View your deployment apps using the file system on the deployment server:
- Log in to the machine hosting the deployment server.
- Go to
- Make note of the apps currently being distributed by the deployment server.
For more information, see:
For information on deploying apps to search head clusters, indexers, and indexer clusters, see:
Download apps from Splunkbase
Splunk offers a large number of apps and add-ons, free and for purchase, that can help you extend your data ingestion, search, and analysis capabilities. Splunk apps and add-ons are available for download at Splunkbase.
Splunk Premium Solutions overview
Splunk Premium Solutions are apps developed by Splunk that provide comprehensive data search and analysis capabilities for specific use cases, such as IT operations analytics, and security threat detection and analysis.
Splunk offers the following Premium Solutions:
ES and ITSI requirements and considerations
Splunk ES and ITSI production deployments can be resource intensive. Depending on several factors, such as the number of concurrent searches, the daily index volume, and the unused capacity of your environment, additional hardware might be required above the baseline Splunk Enterprise hardware. For the latest Splunk Enterprise hardware requirements, see Reference hardware in the Splunk Enterprise Capacity planning manual.
Familiarize yourself with the factors that affect ES and ITSI performance, including the respective number of correlation or KPI searches running and the number of concurrent users on the system. This will help you to evaluate the performance of your system and determine how and when to scale your deployment.
It is important to familiarize yourself with search head and indexer considerations that might impact the configuration of your deployment. For example, Splunk ES requires a dedicated search head, while ITSI does not.
For information on ES performance and capacity planning, as well as search head and indexer considerations, see Deployment planning in the Splunk Enterprise Security Installation and Upgrade Manual.
For information on ITSI performance and capacity planning, as well as search head and indexer considerations, see Deployment planning in the Splunk ITSI Installation and Configuration Manual.
Splunk Enterprise Security overview
Splunk Enterprise Security (ES) detects patterns in your data and evaluates events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search can create a notable event. The app provides specialized dashboards and visualizations that you can use to identify, triage, and analyze security incidents.
See the Splunk Enterprise Security documentation.
View your ES correlation searches
View the correlation searches available in Splunk Enterprise Security and those that are enabled to better understand the use cases that Splunk Enterprise Security is being used to detect. To get a list of the correlation searches enabled in Splunk Enterprise Security, you can use a REST search to view the information in a table. See List correlation searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The Content Profile dashboard
Enterprise Security uses data that has been mapped to CIM-specific or ES-specific data models and accelerated to produce faster search results across a broad set of technologies. Review the data models in use in your environment and get an overview of the knowledge objects that correspond to the data models on the Content Profile dashboard. See Content Profile in Use Splunk Enterprise Security.
The Data Model Audit dashboard
In addition, you can review the status of data models on the Data Model Audit dashboard and the retention and acceleration settings for data models. Data models that are not fully accelerated can result in missing or out-of-date information on dashboards or notable events in Splunk Enterprise Security. See Data Model Audit in Use Splunk Enterprise Security and Configure data models for Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.
Learn more about Splunk Enterprise Security
To learn more about important Splunk Enterprise Security concepts and features, see:
Splunk IT Service Intelligence overview
Splunk IT Service Intelligence (ITSI) monitors the health of IT services using key performance indicators (KPIs) that track the severity-level of IT performance metrics. When KPI values meet threshold conditions, ITSI generates a notable event. The app provides features for aggregating and analyzing notable events, as well as dashboards and visualizations that let you continuously monitor IT services and perform root cause investigations.
See the Splunk IT Service Intelligence documentation.
View your ITSI services and service KPIs
Review your services and the KPIs that your services contain. This will help you understand the IT operations and business processes that your services are monitoring, and it will help you identify the performance metrics being used to evaluate service health. It will also help you understand KPI search properties, including source search types (data model, ad hoc, or base search), calculations (search frequency and calculated stat), and severity-level thresholds that determine the KPI health status.
To view your services and service KPIs:
- In the ITSI main menu, click Configure > Services.
- Review the list of services.
- Click on any service. For example, Database Service. The service configuration workflow appears.
- Review the list of KPIs contained by the service. Each KPI represents an IT performance metric, such as CPU Utilization%, Memory Free %, Response Time, and so on.
- Click on any KPI in the list.
- Open the Search and Calculate panel.
- For Source, note the Threshold field. This is the field in your data for which the KPI search returns a value. For example, cpu_load_percent. Click Edit to examine the source search details. Note that base searches, such as those provided by ITSI modules, tend to provide the best search performance.
- For Entities, note the entity alias filter settings. This determines the entities against which a KPI search runs.
- For Calculations, note the stat that the KPI calculates, for example Average. Also note the KPI frequency and time range. KPIs can run every 1, 5, or 15 minutes.
- Open the Threshold panel.
- In the threshold preview graph, note the severity-level thresholds set for the KPI. When KPI values meet threshold conditions, the KPI health status changes, for example, from high to critical.
For more information, see:
Review associated entities
Identify the entities associated with your services. Entities are IT components that act as the primary data sources for ITSI services. KPI searches run against entities based on filtering conditions that you define. In more complex ITSI deployments, a single entity can be associated with multiple services and have multiple different KPIs running against it.
To view entities associated with a service:
- In the ITSI main menu, click Configure > Entities.
- Review the list of entities. In the services column, note the services associated with each entity.
- For any entity in the list, click View Health.
- Review the entity details page, which shows all of the services the entity is associated with, and all of the KPIs running against the entity.
For more information, see Define Entities in the ITSI Installation and Configuration Manual.
View all ITSI KPIs
Use Splunk Web to view all KPI searches running on the search head. This will give you an idea of the number of concurrent searches contributing to the search load. You can view additional information, including the KPI search string, search frequency, time range, and run times for recent KPI search jobs.
- In Splunk Web, click Settings > Search, reports, and alerts.
- Select the Show only objects created in this app context checkbox.
All searches created in the ITSI app context appear in the list. KPI search names use the following syntax:
Indicator - <KPI_id> - ITSI Search
For example: Indicator - 3bee62acf7f4de2a095e475f - ITSI Search
- For any KPI search, click View Recent. Note the KPI run time.
- Click on the name of the KPI search. Note the KPI search string, time range, and schedule.
Be aware that average KPI run time, KPI frequency, and the number of entities referenced per KPI, along with the total number of concurrent searches running on the system, can markedly impact performance. For more information, see Performance considerations in the ITSI Installation and Configuration Manual.
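As an added example (not from the ITSI documentation), the following Python code filters saved search names with the KPI naming syntax shown above and turns the frequency and average run time noted for each KPI into a rough average-concurrency figure, the quantity the paragraph above says drives search load. The search names, KPI ids, run times and entity counts are constructed sample data, and the load model (run time divided by schedule interval, summed over KPIs) is a simplification assumed here, not an ITSI formula.

```python
import re

# ITSI names each KPI saved search "Indicator - <KPI_id> - ITSI Search";
# the id in the documented example is 24 hex characters, which is what is matched.
KPI_NAME_RE = re.compile(r"^Indicator - (?P<kpi_id>[0-9a-f]{24}) - ITSI Search$")

# Constructed sample of what you would note from the saved search list and
# View Recent: name, schedule frequency, average run time and entity count.
# Ids and numbers are made up for the example.
SAVED_SEARCHES = [
    {"name": "Indicator - 3bee62acf7f4de2a095e475f - ITSI Search",
     "frequency_min": 1, "avg_runtime_s": 12.0, "entities": 40},
    {"name": "Indicator - 9a1f0c2d4e6b8a0c1d2e3f40 - ITSI Search",
     "frequency_min": 5, "avg_runtime_s": 45.0, "entities": 120},
    {"name": "Indicator - 0123456789abcdef01234567 - ITSI Search",
     "frequency_min": 15, "avg_runtime_s": 90.0, "entities": 300},
    {"name": "Indicator - deadbeefdeadbeefdeadbeef - ITSI Search",
     "frequency_min": 1, "avg_runtime_s": 70.0, "entities": 900},
    {"name": "Errors in the last 24 hours",
     "frequency_min": 60, "avg_runtime_s": 5.0, "entities": 0},
]

# KPIs can run every 1, 5, or 15 minutes.
SUPPORTED_FREQUENCIES_MIN = (1, 5, 15)


def kpi_searches(saved_searches):
    """Keep only ITSI KPI searches and attach the KPI id parsed from the name."""
    kpis = []
    for s in saved_searches:
        m = KPI_NAME_RE.match(s["name"])
        if m:
            kpis.append({**s, "kpi_id": m.group("kpi_id")})
    return kpis


def load_share(kpi):
    """Fraction of wall-clock time one KPI search keeps a search slot busy.

    Assumed model: average run time divided by the schedule interval.
    """
    return kpi["avg_runtime_s"] / (kpi["frequency_min"] * 60)


def average_concurrency(kpis):
    """Expected number of KPI searches running at any moment (sum of load shares)."""
    return sum(load_share(k) for k in kpis)


def overlapping(kpis):
    """KPI ids whose average run time meets or exceeds their schedule interval.

    Such a KPI cannot finish before its next scheduled run, so its jobs pile up
    or get skipped; these are the first candidates for a longer frequency.
    """
    return [k["kpi_id"] for k in kpis if k["avg_runtime_s"] >= k["frequency_min"] * 60]


def unsupported_frequency(kpis):
    """KPI ids whose recorded frequency is not one of the supported intervals."""
    return [k["kpi_id"] for k in kpis if k["frequency_min"] not in SUPPORTED_FREQUENCIES_MIN]


def heaviest(kpis, n=3):
    """KPI ids ordered by load share, largest first."""
    return [k["kpi_id"] for k in sorted(kpis, key=load_share, reverse=True)[:n]]


if __name__ == "__main__":
    kpis = kpi_searches(SAVED_SEARCHES)
    print(f"{len(kpis)} KPI searches, average concurrency {average_concurrency(kpis):.2f}")
    print("overlapping schedules:", overlapping(kpis))
    print("heaviest KPIs:", heaviest(kpis))
```

The concurrency figure is only a planning estimate: it ignores search-slot limits, skew between KPIs that fire on the same minute, and the per-entity cost the paragraph above also calls out, so read it alongside the entity counts rather than on its own.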
Learn more about Splunk ITSI
To learn more about Splunk ITSI, see ITSI concepts and features in the ITSI Installation and Configuration Manual.
About Splunk User Behavior Analytics
Splunk User Behavior Analytics (UBA) helps you find known, unknown, and hidden threats in your environment. You can use Splunk UBA to visualize and investigate internal and external threats and anomalies. Splunk UBA integrates with Splunk Enterprise Security to take advantage of Splunk events and to investigate UBA threats alongside other notable events in your organization.
See the Splunk User Behavior Analytics documentation.