Searching Knowledge Objects in Splunk

Splunk Knowledge Objects enhance data by allowing users to create and manage various elements such as saved searches, field extractions, tags, event types, lookups, and data models. These objects facilitate better data organization and retrieval, enabling users to streamline their search processes. Key components include saved searches defined in 'savedsearches.conf', field extractions in 'props.conf', and the use of lookups to add custom fields from external sources.


Splunk Knowledge Objects>

• Knowledge Objects add knowledge to and enrich your data
• User or app created
• Include
  • Saved searches, field extractions, tags, event types, lookups, reports, alerts, data-models, and more

© Adam Frisbee, [Link]


Splunk Knowledge Objects>
Saved Searches
• Can be saved as reports, alerts, dashboard panels, or event types
• Defined in [Link]



Splunk Knowledge Objects>
Field Extractions
• Fields can be extracted using the field extraction editor
  • Regex or Delimiter
• Defined in [Link]



Splunk Knowledge Objects>
Tags
• Allow you to assign names to specific field and value combinations
• Example: you might have a server named [Link]

[Link]



Splunk Knowledge Objects>
Tags
• You know that this server is the mail server for the eastern UK region and it resides in building 1433
• Splunk and other users do not know that



Splunk Knowledge Objects>
Tags
• Create a tag!

• Tag=Mail-East-UK



Splunk Knowledge Objects>
Event Types
• A named saved search
• A “tag +”
• Suppose you have a search that your organization runs frequently, perhaps even with small additions



Splunk Knowledge Objects>
Event Types
• Instead of typing that in every time, just create an event type!

• Eventtype=EastUSErrors

• You can even include tags!



Splunk Knowledge Objects>
Lookups
• Add custom fields to events from external sources, like csv files
[Link]

  Region Code | Region Name
  1012        | West US
  2443        | East US
  3839        | West UK
  4443        | East UK

  (Region Code: not user friendly; Region Name: user friendly)



Splunk Knowledge Objects>
Lookups (screenshot of the lookup setup with numbered callouts 1, 2 and 3; image not reproduced)



Splunk Knowledge Objects>
Lookups

  | lookup <lookup-table-name> <lookup-field1> AS <event-field1>
  | lookup [Link] "Region Code" AS regcode

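As an added example (not the slide deck's own code) of how the lookup, tag and event-type objects described above enrich an event, this Python script emulates the `| lookup ... "Region Code" AS regcode` join, a tags.conf-style field=value tag and two event types over constructed sample events. The host name, the lookup file contents, the search criteria behind EastUSErrors and the MailEastUKTraffic event type are all assumptions.

```python
import csv

# Constructed lookup table mirroring the slide's regions CSV (not the page's own file).
REGIONS_CSV = """Region Code,Region Name
1012,West US
2443,East US
3839,West UK
4443,East UK
"""
# Constructed tags.conf-style mapping of one field=value pair to its tags.
TAGS = {("host", "mail-east-uk-01"): {"Mail-East-UK"}}
# Constructed event types: each is a named search, reduced here to a predicate on one event.
EVENTTYPES = {
    "EastUSErrors": lambda e: e.get("region") == "East US" and e.get("level") == "ERROR",
    "MailEastUKTraffic": lambda e: "Mail-East-UK" in e.get("tag", []),  # built on a tag
}
# Constructed sample events (not from the page); code 9999 has no row in the lookup.
SAMPLE_EVENTS = [
    {"host": "web-east-us-02", "regcode": "2443", "level": "ERROR", "msg": "smtp relay refused"},
    {"host": "mail-east-uk-01", "regcode": "4443", "level": "INFO", "msg": "queue flushed"},
    {"host": "web-west-us-07", "regcode": "9999", "level": "ERROR", "msg": "disk full"},
]

def load_lookup(csv_text, key_field):
    # Index the CSV by key_field, as a Splunk CSV lookup definition does.
    return {row[key_field]: row for row in csv.DictReader(csv_text.splitlines())}

def apply_lookup(event, table, event_field, output_field, as_field):
    # Emulates `| lookup <table> <key> AS <event_field> OUTPUT <output_field> AS <as_field>`.
    row = table.get(str(event.get(event_field, "")))
    if row is not None:  # an unmatched code leaves the event untouched, as Splunk does
        event[as_field] = row[output_field]
    return event

def apply_tags(event, tags):
    # Attach every tag whose field=value pair matches this event.
    found = sorted(t for (f, v), names in tags.items() if event.get(f) == v for t in names)
    if found:
        event["tag"] = found
    return event

def enrich(events):
    # Order matters: lookup, then tags, then event types, so an event type may reference a tag.
    table = load_lookup(REGIONS_CSV, "Region Code")
    out = []
    for e in events:
        e = apply_tags(apply_lookup(dict(e), table, "regcode", "Region Name", "region"), TAGS)
        matched = [name for name, pred in EVENTTYPES.items() if pred(e)]
        if matched:
            e["eventtype"] = matched
        out.append(e)
    return out
```

Running `enrich(SAMPLE_EVENTS)` labels the first event EastUSErrors, tags and labels the second via its host, and leaves the third unmatched because its region code is not in the lookup.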


Splunk Knowledge Objects>
Data Models

• Hierarchically structured data set that includes
  • Events
  • Searches
  • Transactions



Splunk Knowledge Objects>
Data Models
• Event objects contain
  • Constraints
    • A search string broken down into a hierarchy
      • host=router1
      • sourcetype=csv
  • Attributes
    • Fields and properties associated with the event
    • evals, lookups, extracted fields



Splunk Knowledge Objects>
Data Models
• Power the Splunk Pivot tool
• To get to the Pivot tool
  • Through the datasets page
  • Through the data model page in settings
  • Through the search results page, visualization tab



Demo: Knowledge Objects
Thanks, Splunkers!