Knowledge Management

Knowledge base within splunk

mrpaul
Explorer

We are using Splunk as a security information & event management system. As we review logs or sets of logs, we need to make notes or annotations, to indicate to ourselves and others what we have found, actions we have taken, etc. I am curious how others are doing this, and if there is a good way to do this within Splunk itself? Essentially, this would be using Splunk as a knowledge base.

For example, I could imagine reviewing some traffic on port 8090 on ip 10.1.1.2, and quickly checking to see if we have any notes on this by running a query against a knowledgebase for port=8090 ip=10.1.1.2. And, then, adding notes to it by entering some data in a web form that simply saves the info off into splunk. Another use case I could envision is looking at a log entry, and being able to click on the arrow on the left and have "annotate" as an option, and being able to annotate that log entry. You wouldn't modify the log entry itself (that would be bad), but the knowledgebase would be able to correlate your annotation to the original log entry.

Thanks in advance!

Mr. Paul

Tags (2)

jcoates_splunk
Splunk Employee
Splunk Employee

hi,

yes, this is an interesting use case, it's one of the features of the commercial Splunk App for Enterprise Security. A couple of links:

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...