A list of the Splunk knowledge objects known so far

Splunk knowledge objects (SKOs)

  • Macros
    • A parameterized portion of a search such as an eval statement or a search term that can be reused in multiple places, including saved and ad hoc searches, and which is used in a manner similar to a search command. Search macros can contain arguments, but they are not required.
    • Macros are configured through the Advanced Configuration section of the GUI, or via the macros.conf file located within the App.
  • Event types
    • A type of knowledge object that enables you to categorize and label all the indexed events that match a specified search string. An event type has a name and an associated search.
    • Event types are configured through the Advanced Configuration section of the GUI, or via the eventtypes.conf file located within the App.
  • Tags
    • A knowledge object that enables you to efficiently search for events that contain particular field values. You can assign one or more tags to any field/value combination, including event types, hosts, sources, and source types.
    • They offer a very granular approach to searching data; tags are created through the GUI, or are present within tags.conf.
  • Saved searches
    • A search a user has made available for later use. Searches can be saved as reports, alerts, or dashboard panels.
    • Saved searches can be created through the GUI, or by editing savedsearches.conf.
  • Dashboards
    • A type of view associated with an App. A dashboard contains one or more searches that display data in visualizations. Panels in the dashboard contain the visualizations.
    • Dashboards are critical to Apps, as they show all the data visualizations that are relevant to an App. Without dashboards, your App is an add-on. Dashboards have a specific place within the App.
  • Lookups
    • A knowledge object that enables the addition of fields and related values to search results based on field matching with a CSV table or a Python script. For example, you can use a lookup to perform DNS or reverse DNS lookups on IP addresses or host names in your data.
    • Lookups help to enrich your indexed data with static data or state data.
    • Lookups are in the lookups folder of the App, and are generally CSV files.
  • Configurations
    • A file (also referred to as a conf file) that contains Splunk configuration information. Splunk writes configuration settings into configuration files. Configuration files are stored in a number of directories, including $SPLUNK_HOME/etc/system/default (these are preconfigured and not to be edited), $SPLUNK_HOME/etc/system/local, and $SPLUNK_HOME/etc/apps/. You can configure Splunk settings and processes by editing configuration file stanzas.
    • Configuration files are the meat and potatoes of your application. They decide how all of your SKOs get defined, how fields are extracted, and more. Almost everything that needs to be done can be done within a configuration file.

Object permissions

  • Object permissions are an integral part of securing Apps and their knowledge objects.
  • Splunk permissions are role-based, meaning that a user needs a specific role (either assigned by Splunk or via external authentication and authorization systems) to read or write the knowledge object.
  • Permissions are controlled within the default.meta and local.meta files in the metadata folder of the App.
  • The configuration structure (one stanza per object):
    [<object_type>/<object_name>]
    access = read : [ <comma-separated list of roles> ], write : [ <comma-separated list of roles> ]
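The access stanza format described above, as an added Python example that is not part of this note or of Splunk itself: it parses constructed default.meta and local.meta text, resolves which roles may read or write a given object, and flags stanzas that grant write to every role. It goes a little beyond the single-object stanza shown above by also handling the type-level `[<object_type>]` and app-wide `[]` stanzas, with the most specific stanza winning and local.meta beating default.meta for the same stanza; stanza names are assumed to be URL-encoded, as Splunk writes them.

```python
import re
from urllib.parse import unquote

# Constructed sample metadata: default.meta as shipped with the App, local.meta as edited on the box.
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin, power ]
[savedsearches]
access = read : [ admin, power ], write : [ admin ]
"""
LOCAL_META = """
[savedsearches/Failed%20Logins]
access = read : [ * ], write : [ * ]
"""

def parse_meta(text):
    """Return {stanza: {key: value}}; stanza names are URL-decoded and '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = unquote(line[1:-1])
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def parse_access(value):
    """'read : [ admin, power ], write : [ admin ]' -> {'read': {'admin', 'power'}, 'write': {'admin'}}."""
    out = {"read": set(), "write": set()}
    for mode, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", value):
        out[mode] = {r.strip() for r in roles.split(",") if r.strip()}
    return out

def resolve_access(layers, object_type, object_name):
    """Most specific stanza wins ([type/name] > [type] > []); for the same stanza the last layer (local.meta) wins."""
    for stanza in (f"{object_type}/{object_name}", object_type, ""):
        for meta in reversed(layers):
            if "access" in meta.get(stanza, {}):
                return parse_access(meta[stanza]["access"])
    return {"read": set(), "write": set()}  # no stanza applies: nobody is granted anything

def role_can(layers, role, mode, object_type, object_name):
    """True if `role` may `mode` ('read' or 'write') the object; '*' grants every role."""
    roles = resolve_access(layers, object_type, object_name)[mode]
    return "*" in roles or role in roles

def world_writable(layers):
    """Stanzas granting write to every role: the first thing to review in an App's metadata."""
    return sorted(s for m in layers for s, k in m.items() if "access" in k and "*" in parse_access(k["access"])["write"])
```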
