Would anybody care to share your Splunk "Developer/User Guide" or "Style Guide" or "Rules for Splunking" document?
I am looking for stuff that focuses on things that happen after the core infrastructure is deployed and after data is onboarded (there is much good documentation on how to do that stuff well).
I am looking for stuff like:
| sort 0 instead of | sort (or you will lose events)
This is different from a Best Practices document but there is some overlap and I could mine from those documents, too.
I know about Aplura's, and it has some stuff I will need, but if you have or have seen something similar to these, please share:
(So happy to see @Damien Dallimore !)
Self-serving answer: I would recommend the "Best Practices and Better Practices" breakout sessions at conf that I do. I think we cover all the topics you asked about. If you won't be at this year's conf, you can still find recordings from last year's online.
In my current role at Splunk, I'll be working to formalize those items and get them published in appropriate places (or in the product). So, it might take time but you'll soon see more in this domain!
There's some overlap between the sort of information you're looking for here and the contents of the new Inherit a Splunk Enterprise Deployment manual. That manual is specifically designed to help admins who find themselves in command of a Splunk deployment that has been up and running for some time.
You might find the final topic in that manual of particular interest, as it includes some of the items in your list and covers other subjects that are similar to those items. It's called Investigate knowledge object problems. It includes: