Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Give knowledge objects of the same type unique names

When you create knowledge objects that are processed at search time, it is best if all knowledge objects of a single type have unique names. This helps you avoid name collision issues that can prevent your configurations from being applied at search time.

For example, to avoid name collision problems, you should not have two inline field extraction configurations that have the same <class> value in your Splunk implementation. However, you can have an inline field extraction, a transform field extraction, and a lookup that share the same name, because they belong to different knowledge object types.

You can avoid these problems with knowledge object naming conventions. See Develop naming conventions for knowledge objects.

Configurations sharing a host, source, or source type

When two or more configurations of a particular knowledge object type share the same props.conf stanza, they share the host, source, or source type identified for the stanza. If each of these configurations has the same name, then the last configuration listed in the stanza overrides the others.

For example, say you have two lookup configurations named LOOKUP-table in a props.conf stanza that is associated with the sendmail source type:

[sendmail]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day
LOOKUP-table = location host OUTPUTNEW building AS location

In this case, the last LOOKUP-table configuration in that stanza overrides the one that precedes it. The Splunk software adds the location field to your matching events, but does not add the logs_per_day field to any of them.

When you name your lookup LOOKUP-table, you are saying this is the lookup that achieves some purpose or action described by "table." In this example, these lookups achieve different goals. One lookup determines something about logs per day, and the other lookup has something to do with location. Rename them.

[sendemail]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day
LOOKUP-location = location host OUTPUTNEW building AS location

Now you have two different configurations that do not collide.

Configurations belonging to different hosts, sources or source types

You can also run into name collision issues when the configurations involved do not share a specific host, source, or source type.

For example, if you have lookups with different hosts, sources, or source types that share the same name, you can end up with a situation where only one of them seems to work at any given time. If you know what you are doing you might set this up on purpose, but in most cases it is inconvenient.

Here are two lookup configurations named LOOKUP-splk_host. They are in separate props.conf stanzas.

[host::machine_name]
LOOKUP-splk_host = splk_global_lookup search_name OUTPUTNEW global_code

[sendmail]
LOOKUP-splk_host = splk_searcher_lookup search_name OUTPUTNEW search_code

Any events that overlap between these two lookups are only affected by one of them.

  • Events that match the host get the host lookup.
  • Events that match the source type get the source type lookup.
  • Events that match both get the host lookup.

For more information about this, see Configuration file precedence in the Admin Manual

Configurations belonging to different apps

When you have configurations that belong to the same knowledge object type and share the same name, but belong to different apps, you can also run into naming collisions. In this case, the configurations are applied in reverse lexicographical order of the app directories.

For example, say you have two field alias configurations.

The first configuration is inetc/apps/splk_global_lookup_host/local/props.conf:

[host::*]
FIELDALIAS-sshd = sshd1_code AS global_sshd1_code

The second configuration is in etc/apps/splk_searcher_lookup_host/local/props.conf:

[host::*]
FIELDALIAS-sshd = sshd1_code AS search_sshd1_code

In this case, the search_sshd1_code alias would be applied to events that match both configurations, because the app directory splk_searcher_lookup_host comes up first in the reverse lexicographical order. To avoid this, you might change the name of the first field alias configuration to FIELDALIAS-global_sshd.

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.
Last modified on 03 October, 2019
The sequence of search-time operations   Develop naming conventions for knowledge objects

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters