Developing for Splunk Enterprise

Is there a User/Developer "Rules for Good Splunking" Style Guide?

Path Finder

Would anybody care to share your Splunk "Developer/User Guide" or "Style Guide" or "Rules for Splunking" document?
I am looking for stuff that focuses on things that happen after the core infrastructure is deployed and after data is onboarded (there is much good documentation on how to do that stuff well).

I am looking for stuff like:

  • KO scoping guildelines (i.e. avoid "global" scope if at all possible)
  • Naming convention rules for KOs
  • Search Etiquette (e.g. Don't do "All Time", if you "outputcsv" make sure you clean it up, etc.)
  • How to schedule searches "nicely"
  • Plan your search artifact Time To Live (TTL), not just your data retention needs
  • If you use dynamic lookups, be sure to have a housekeeping search setup to prune it appropriately
  • Command Usage "Gotchas" (e.g. always do | sort 0 instead of | sort or you will lose events)

This is different from a Best Practices document but there is some overlap and I could mine from those documents, too.
I know about Aplura's and it has some stuff I will need but if you have or have seen something similar, to these, please share:
https://www.aplura.com/splunk-best-practices/
https://wiki.splunk.com/Things_I_wish_I_knew_then

Ultra Champion

(So happy to see @Damien Dallimore !)

Self Serving answer: I would recommend the "Best Practices and Better Practices" breakout sessions at conf that I do. I think we cover all the topics you asked about. If you won't be at this years conf, you can still find recordings from last years online.

In my current role at Splunk, I'll be working to formalize those items and get them published in appropriate places (or in the product). So, it might take time but you'll soon see more in this domain!

Ultra Champion

Dev Guidance : http://dev.splunk.com/view/dev-guide/SP-CAAAE2R

Many links via here pertaining to App Cert / Cloud Vetting that contain best practices for Knowledge Objects etc.. : http://dev.splunk.com/view/app-cert/SP-CAAAE2S

And , Carasso's book : https://www.splunk.com/goto/book

Splunk Employee
Splunk Employee

There's some overlap between the sort of information you're looking for here and the contents of the new Inherit a Splunk Enterprise Deployment manual. That manual is specifically designed to help admins who find themselves in command of a Splunk deployment that has been up and running for some time.

You might find the final topic in that manual of particular interest, as it includes some of the items in your list and covers other subjects that are similar to those items. It's called Investigate knowledge object problems. It includes:

  • Knowledge object naming conflicts
  • Object permissions
  • Object interdependency considerations
  • Finding and reassigning orphaned objects
  • Scheduled searches and search concurrency
  • Report and data model acceleration considerations
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!