What are knowledge objects?
Knowledge objects are tools you use to discover and analyze various aspects of your data
What are some examples of knowledge objects?
- Data interpretation - fields and field extractions
- Data classification - events types
- Data enrichment - lookups and workflow actions
- Normalization - tags and field aliases
- Datasets - data models
- Shareable - can be shared between users
- Reusable - persistent objects that can be used by multiple people or apps, such as macros and reports
- Searchable - since the objects are persistent, they can be used in a search
What is a knowledge manager?
A knowledge manager oversees knowledge object creation and usage for a group or deployment.
It also normalizes event data and creates data models for Pivot users
When it comes to the naming convention, what is Splunk’s recommend way of naming your production environment?
- Group - corresponds to the working group(s) of the user saving the object
(examples: SEG. NEG. OPS. NOC) - Object Type: Indicates the type of object
(alert, report, summary-index-populating)
(examples: Alert, Report, Summary) - Description - a meaningful description of the context and intent of the search, limited to one or two words if possible; ensures the search name is unique
Full example: SEG_Alert_WinEventlogFailures
When a knowledge object has private permissions what are the characteristics?
Only the person who created the object can use it and edit it.
- Create: user, power, admin
- Read: person who created it “Admin”
- Edit: person who created it “Admin”
When a knowledge object has the permission of “This app only” what are the characteristics?
Object persists in the context of a specific app
- Create: power, admin
- Read: user, power, admin
- Edit: user, power, admin
When a knowledge object has the permission of “All apps” what are the characteristics?
Objects persists globally
- Create: Admin
- Read: user, power, admin
- Edit: user, power, admin
How is the read and/or write permission given to a role?
These permissions are given by the creator
When an object is created, what is the default set to?
The display for is set to Owner by default
What happens when an object’s permissions are set to App or All apps?
All roles are given read permission
Who is the write permission saved for?
It is saved for the admin role and the object creator unless the creator edits permissions
What role is the only one that can promote an object to All apps?
The admin role
Where are knowledge objects centrally managed from?
Settings > Knowledge
What determines your ability to modify an object’s settings?
Your role and permissions
True or False: By default, objects for all owners are listed.
True
What is the methodology for normalizing data?
Common Information Model (CIM)
What are some of the things Common Information Model (CIM) is used for?
- Easily correlate data from different sources and source types
- Leverage to create various objects discussed in this course - field extractions, field aliases, event types, tags
What 6 naming segments does Splunk recommend that you use when naming your knowledge objects?
Group Type Platform Category Time Description example: security-focused workflow action OPS_WFA_Network_Security_na_IPwhoisAction
-
Beyond Basic Search - Mod 151
-
Commands for Visualizations Mod 344
-
Advanced Visualizations Mod 434
-
Filtering and Formatting Data Mod 537
-
Correlating Events Mod 630
-
Introduction to Knowledge Objects Mod 718
-
Creating and Managing Fields Mod 818
-
Creating Field Aliases and Calculated Fields Mod 915
-
Working with Tags and Event Types Mod 1019
-
Creating and Using Macros Mod 1116
-
Creating and Using Workflow Actions Mod 129
-
Creating Data Models Mod 1351
-
Using the Common Information Model (CIM) Add-On12
