Building for the Splunk Platform

Is there a User/Developer "Rules for Good Splunking" Style Guide?

Path Finder

Would anybody care to share your Splunk "Developer/User Guide" or "Style Guide" or "Rules for Splunking" document?
I am looking for stuff that focuses on things that happen after the core infrastructure is deployed and after data is onboarded (there is much good documentation on how to do that stuff well).

I am looking for stuff like:

  • KO scoping guildelines (i.e. avoid "global" scope if at all possible)
  • Naming convention rules for KOs
  • Search Etiquette (e.g. Don't do "All Time", if you "outputcsv" make sure you clean it up, etc.)
  • How to schedule searches "nicely"
  • Plan your search artifact Time To Live (TTL), not just your data retention needs
  • If you use dynamic lookups, be sure to have a housekeeping search setup to prune it appropriately
  • Command Usage "Gotchas" (e.g. always do | sort 0 instead of | sort or you will lose events)

This is different from a Best Practices document but there is some overlap and I could mine from those documents, too.
I know about Aplura's and it has some stuff I will need but if you have or have seen something similar, to these, please share:

Splunk Employee
Splunk Employee

(So happy to see @Damien Dallimore !)

Self Serving answer: I would recommend the "Best Practices and Better Practices" breakout sessions at conf that I do. I think we cover all the topics you asked about. If you won't be at this years conf, you can still find recordings from last years online.

In my current role at Splunk, I'll be working to formalize those items and get them published in appropriate places (or in the product). So, it might take time but you'll soon see more in this domain!

Ultra Champion

Dev Guidance :

Many links via here pertaining to App Cert / Cloud Vetting that contain best practices for Knowledge Objects etc.. :

And , Carasso's book :

Splunk Employee
Splunk Employee

There's some overlap between the sort of information you're looking for here and the contents of the new Inherit a Splunk Enterprise Deployment manual. That manual is specifically designed to help admins who find themselves in command of a Splunk deployment that has been up and running for some time.

You might find the final topic in that manual of particular interest, as it includes some of the items in your list and covers other subjects that are similar to those items. It's called Investigate knowledge object problems. It includes:

  • Knowledge object naming conflicts
  • Object permissions
  • Object interdependency considerations
  • Finding and reassigning orphaned objects
  • Scheduled searches and search concurrency
  • Report and data model acceleration considerations
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...