Knowledge Management

What are knowledge objects, and what do I need to know about them?

jmulcaster_splu
Splunk Employee

What are knowledge objects, what do they do, and what do I need to know about them?

1 Solution

jmulcaster_splu
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Knowledge objects are the way Splunk gives form to the chaos of raw data. They are how you can create a multi-dimensional data structure that enables you to infer meaning and actionable insights from a steady stream of raw data.

Note: This answer applies to Splunk Enterprise and Splunk Cloud.

How knowledge objects help meaning emerge from your data

Knowledge objects are a diverse set of classifications and constructs that make up Splunk's data enrichment structure. They are how Splunk organizes meaning and stores it in a reusable form so you can share efforts and build upon the ideas of others. Fields, searches, and reports are all examples of knowledge objects.

Creating Reports in Splunk Enterprise

Managing the framework of meaning for the data in your environment is a powerful part of the Splunk platform known as knowledge management.

A collection of knowledge objects that address a specific use case is called an app. Knowledge objects that service other apps in some way are called add-ons. You can develop apps and add-ons for your own use, and you can also find apps and add-ons created by Splunk and other users on Splunkbase so you don't have to reinvent the wheel.

Splunk also offers full-scale solutions, which are apps and add-ons that address advanced use cases for whole business areas and industries: Splunk.com > Solutions.

  • Knowledge object: A user-defined block of logic that enables you to leverage your information in specific ways to infer meaning from your data. Knowledge objects are the units Splunk uses to interpret, classify, enrich, normalize, and model data. You can create, edit, save and share knowledge objects.
  • Splunk apps: A collection of knowledge objects that address specific use cases. Splunk apps run in Splunk Web, and you access them from the Home page or the Apps menu. A Splunk app can include elements such as a custom UI with dashboards, reports, and custom search commands. They're not binary code like a cell phone app, so don't worry, you don't need to be a computer programmer.
  • Splunk add-ons: A type of app that provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons do not contain a full UI, and often provide some custom configurations or data inputs. An add-on is a reusable component that supports other apps across a number of different use cases. You can use Splunk add-ons or create your own to optimize how you collect data and give you a head start on building search use cases.

How to get started with knowledge objects

  • Deploy an add-on and an app from Splunkbase. Good add-ons to start with are Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows. Good examples of apps to try are the corresponding Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure. Instructions for how to deploy and install the app come with it at download time. Or refer to the general instructions on how to install Splunk add-ons.
  • Discover the knowledge objects in the apps you downloaded. In Splunk Web, find an app like the Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure. Go to the dashboards tab to view the dashboard knowledge objects. Now find the Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows. Notice the differences between the types of knowledge objects in the add-on vs. the app. For example, notice how the add-ons define source types and fields that are not in the app.
  • Clone knowledge objects from one app to another. Try out how easy it is to share knowledge objects among apps! Find a default dashboard of either the Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure. Clone that to the Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows.
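The answer above says that add-ons are where source types and fields get defined, that apps consume those objects, and that knowledge objects can be cloned and shared between apps. Under the hood all of that lives in plain configuration files. The following is an added illustration, not part of the original answer and not Splunk's own code: a hypothetical add-on and app laid out as the .conf files Splunk stores knowledge objects in. The names TA-example_auth, example_auth, App-example_sec and the sample log line are constructed for this example; the file names and configuration keys are standard Splunk ones.

```ini
# Added example (not from the original answer). Names TA-example_auth,
# example_auth and App-example_sec are hypothetical; file layout and keys
# are standard Splunk configuration.

# ---------------- TA-example_auth/default/app.conf ----------------
# The add-on: no UI of its own, it exists to supply a source type and
# fields to other apps.
[install]
is_configured = 0

[ui]
is_visible = 0
label = Example Auth Add-on

[launcher]
description = Source type and field extractions for a constructed auth log

# ---------------- TA-example_auth/default/props.conf ----------------
# A source type definition plus a field extraction: two knowledge objects.
# Constructed sample line this stanza parses:
#   2024-03-01T10:15:02Z srv=web01 user=alice action=login result=failure src=203.0.113.5
[example_auth]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
# Inline regex extraction; each named group becomes a search-time field.
EXTRACT-auth_fields = srv=(?<srv>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\S+)\s+result=(?<result>\S+)\s+src=(?<src_ip>\S+)

# ---------------- TA-example_auth/metadata/default.meta ----------------
# Sharing and permissions. export = system makes the props stanzas visible
# to every app on the instance (this is what "sharing" an object means);
# read for everyone, write only for admin keeps parsing logic from being
# changed casually.
[]
access = read : [ * ], write : [ admin ]

[props]
export = system
access = read : [ * ], write : [ admin ]

# ---------------- App-example_sec/default/app.conf ----------------
# The app: visible in Splunk Web, owns searches and dashboards, owns no
# parsing logic of its own.
[install]
is_configured = 0

[ui]
is_visible = 1
label = Example Security App

# ---------------- App-example_sec/default/savedsearches.conf ----------------
# A scheduled saved search (another knowledge object) that consumes the
# add-on's source type and fields.
[Example - Repeated auth failures by source]
description = Sources with 5 or more failed logins in the last 15 minutes
search = sourcetype=example_auth result=failure \
| stats count dc(user) AS users BY src_ip \
| where count >= 5
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *

# ---------------- App-example_sec/metadata/default.meta ----------------
# The search stays private to this app; power users may edit it.
[savedsearches]
export = none
access = read : [ * ], write : [ admin, power ]
```

Cloning a knowledge object in Splunk Web, as the last step above suggests, amounts to copying a stanza like the ones here into the target app's configuration and adjusting its default.meta entry; when an object from one app does not show up in another, the export and access settings in metadata are the first place to look.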

adukes_splunk
Splunk Employee

Added related video.
