Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Develop naming conventions for knowledge objects

As a best practice, develop naming conventions for your knowledge objects when it makes sense to do so. If the naming conventions you develop are followed consistently by all of the Splunk users in your organization, you will find that they become easier to use and that their purpose is much easier to discern at a glance.

You can develop naming conventions for just about every kind of knowledge object in your Splunk deployment. Naming conventions can help with object organization, but they can also help users differentiate between groups of reports, event types, and tags that have similar uses. And they can help identify a variety of things about the object that may not even be in the object definition, such as what teams or locations use the object, what technology it involves, and what it is designed to do.

Early development of naming conventions for your Splunk deployment will help you avoid confusion and chaos later on down the road.

Example - Set up a naming convention for reports

You work in the systems engineering group of your company, and as the knowledge manager for your Splunk deployment, it is your job to define a naming convention for the reports produced by your team.

You develop a naming convention that combines:

  • Group: Corresponds to the working group(s) of the user saving the search.
  • Search type: Indicates the type of search (alert, report, summary-index-populating).
  • Platform: Corresponds to the platform subjected to the search.
  • Category: Corresponds to the concern areas for the prevailing platforms.
  • Time interval: The interval over which the search runs (or on which the search runs, if it is a scheduled search).
  • Description: A meaningful description of the context and intent of the search, limited to one or two words if possible. Ensures the search name is unique.


Group Search type Platform Category Time interval Description
SEG
NEG
OPS
NOC
Alert
Report
Summary
Windows
iSeries
Network
Disk
Exchange
SQL
Event log
CPU
Jobs
Subsystems
Services
Security
<arbitrary> <arbitrary>

Possible reports using this naming convention:

  • SEG_Alert_Windows_Eventlog_15m_Failures
  • SEG_Report_iSeries_Jobs_12hr_Failed_Batch
  • NOC_Summary_Network_Security_24hr_Top_src_ip
Last modified on 23 May, 2017
Give knowledge objects of the same type unique names   Understand and use the Common Information Model Add-on

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters