Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Prerequisites for knowledge management

Most knowledge management tasks are centered around search time event manipulation. In other words, a typical knowledge manager usually doesn't focus their attention on work that takes place before events are indexed, such as setting up data inputs, adjusting event processing activities, correcting default field extraction issues, creating and maintaining indexes, setting up forwarding and receiving, and so on.

However, we do recommend that all knowledge managers have a good understanding of these concepts. A solid grounding in these subjects enables knowledge managers to better plan out their approach towards management of knowledge objects for their deployment...and it helps them troubleshoot issues that will inevitably come up over time.

Here are some topics that knowledge managers should be familiar with, with links to get you started:

  • Inherit a Splunk Enterprise deployment: If you have inherited a Splunk Enterprise deployment, you can find more information on your deployment's network characteristics, data sources, user population, and knowledge objects in the Introduction in the Inherited Deployment manual.
  • Indexing incoming data: What is an index and how does it work? What is the difference between "index time" and "search time" and why is this distinction significant? Start with About indexes and indexers in the Managing Indexers and Clusters manual and read the rest of the chapter. Pay special attention to Index time vs search time.
  • Getting event data into your Splunk deployment: It's important to have at least a baseline understanding of Splunk data inputs. Check out What Splunk can index and read the other topics in the Getting Data In manual as necessary.
  • Understand your forwarding and receiving setup: If your Splunk deployment utilizes forwarders and receivers, it's a good idea to get a handle on how they've been implemented, as this can affect your knowledge management strategy. Get an overview of the subject at About forwarding and receiving in the Forwarding Data manual.
  • Understand event processing: It's a good idea to get a good grounding in the steps that Splunk software goes through to "parse" data before it indexes it. This knowledge can help you troubleshoot problems with your event data and recognize "index time" event processing issues. Start with Overview of event processing in the Getting Data In manual and read the entire chapter.
  • Default field extraction: Most field extraction takes place at search time, with the exception of certain default fields, which get extracted at index-time. As a knowledge manager, most of the time you'll concern yourself with search-time field extraction, but it's a good idea to know how default field extraction can be managed when it's absolutely necessary to do so. This can help you troubleshoot issues with the host, source, and sourcetype fields that Splunk software applies to each event. Start with About default fields in the Getting Data In manual.
  • Managing users and roles: Knowledge managers typically do not directly set up users and roles. However, it's a good idea to understand how they're set up within your deployment, as this directly affects your efforts to share and promote knowledge objects between groups of users. For more information, start with About users and roles in the Admin manual, and read the rest of the chapter as necessary.
Last modified on 24 August, 2018
Why manage Splunk knowledge?   Manage knowledge objects through Settings pages

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters