
Creating Knowledge Objects

The document outlines the creation and normalization of knowledge objects in Splunk, emphasizing the importance of data models for interpreting and classifying indexed data from various sourcetypes. It details the process of setting up lookups, configuring external lookups, and developing naming conventions for knowledge objects. Additionally, it covers modules related to alert actions and accelerating data models within the Splunk environment.

Uploaded by

torameshbabu

Creating Knowledge Objects

Knowledge objects cover data interpretation, classification, enrichment, normalization and search-time mapping (data models).
Role: oversee knowledge object creation and usage, normalize data, create data models.
Normalizing Indexed Data:
Splunk Index: indexed data comes from multiple sourcetypes, and the same type of data can appear under different field names.
For example: sourcetype=access_combined field: "User"
sourcetype=history_access field: "UserName"
Both need to be normalized to a common structure (User) to correlate events from both sourcetypes.

Splunk Enterprise Security and Splunk IT Service Intelligence rely heavily on the CIM (Common Information Model).
CIM -> splunkbase.splunk.com

MODULE 1 -
Using Splunk Course
Searching and Reporting with Splunk Course
Splunk Common Information Model

Permissions: Private, specific to app, all apps

TIAA PUBLIC
Lookups
Two steps to set up lookups: 1. Define the lookup table. 2. Define the lookup and optionally configure it to run automatically.

Additional lookup options:
Populate a lookup table with search results; define a lookup based on an external script or command; use the Splunk DB Connect app; populate events with KV Store fields.
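As an added example (not from the original notes), this is the configuration that normalizes the two sourcetypes above to a common user field and then sets up a lookup in the two steps just listed. The lookup name user_to_department, its CSV contents and the department field are constructed for illustration; the field aliases are applied before lookups in Splunk's search-time order, which is why the lookup can match on the aliased field.

```ini
# --- transforms.conf: step 1, define the lookup table (CSV placed in the app's lookups/ directory) ---
[user_to_department]
filename = user_to_department.csv
case_sensitive_match = false
# constructed contents of user_to_department.csv (header row first):
#   user,department
#   alice,finance
#   bob,security

# --- props.conf: normalize both sourcetypes to one field name, then attach the lookup ---
[access_combined]
# FIELDALIAS-<class> = <original_field> AS <new_field>; "User" becomes the CIM-style "user"
FIELDALIAS-cim_user = User AS user
# step 2 (optional): automatic lookup on every search of this sourcetype;
# OUTPUTNEW only fills user_department where the event does not already have it
LOOKUP-user_department = user_to_department user OUTPUTNEW department AS user_department

[history_access]
# the other sourcetype names the same data "UserName"; alias it to the same "user" field
FIELDALIAS-cim_user = UserName AS user
LOOKUP-user_department = user_to_department user OUTPUTNEW department AS user_department
```

With both stanzas in place, a single search such as (sourcetype=access_combined OR sourcetype=history_access) user=alice | stats count by sourcetype, user_department correlates events from both sourcetypes on the normalized field.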
MODULE 2 -
Configure External Lookups
Configure KV Store Lookups

Field aliases are private by default.

Calculated fields must be based on an extracted field.

Output fields from a lookup table or fields generated within a search string are not supported as the basis of a calculated field.

The Field Extractor allows you to use a graphical user interface to extract fields that persist as knowledge objects, making them reusable in searches.

Tags: allow you to designate descriptive names for key-value pairs.

MODULE 6 -
Develop Naming Conventions for Knowledge Objects

MODULE 7 -
Setup Alert Actions
Configure a Script for an Alert Action
Alert Actions in Splunkbase
Custom Alert Actions Overview

Macro

MODULE 9 -
Accelerate Data Models
