Knowledge Objects, Tagging, Technical Add-ons… Oh My!

The power of Splunk is driven by the user. At its core, Splunk is a set of user-defined searches, fields, reports, etc. All of these defined components of Splunk, the functions that really enrich your data, are knowledge objects. Basically, if you’re using Splunk, you’re using a knowledge object. With those knowledge objects, you can utilize tags and technical add-ons to clean up and maintain your data.


The Knowledge Object Basics

A knowledge object could be a piece of the search, a piece of the data you’re ingesting, or just a group of data. A Splunk App is simply a collection of knowledge objects. When defining your knowledge objects, ask yourself and your teams, “What do I want Splunk to show me?”

To better identify your data, utilize your field extraction to pull from the data coming in. Let’s use the example of the identifier, “transaction ID.” You want to see all information relevant to the transaction ID extracted. To start, you create a field extraction around the knowledge object, transaction ID, and now you can search for that specific set of information.

Knowledge objects exist in the deployment, indexers, search heads, saved searches, and any other user-defined data within your Splunk instance. You can reference a knowledge object any time you’re trying to narrow your data down to exactly the subset you need.


Tag, You’re It!

To make your knowledge objects stick, use the tagging function. In most cases, you want to give your data an identifiable name. Tags can help you centralize the naming conventions behind your data and knowledge objects.

We’ll stick with the example of transaction ID, used above. In this scenario, you have multiple streams of data coming in. This transaction ID comes in through the firewall, hits your web server, goes into your database, and then transfers back through. If you have a transaction ID throughout that stream, you can tag each knowledge object at each index point. Because your firewall is the one sending data in, you’ll want to tag your transaction ID within that point. On your web server, you can tag that knowledge object with the same transaction ID. The same goes for your database. Now, when you search on that transaction ID, Splunk will pull up that transaction ID for all of those data inputs.

To maintain a common naming convention, tag your data early on.
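As an added example (not configuration from the original post), here is what the transaction ID field extraction and the cross-source tagging described above look like in Splunk configuration files. The sourcetype names, log formats and the 16-hex-digit ID format are assumptions made for the example.

```ini
# props.conf  (constructed example: sourcetype names and log formats are assumptions)
# One extraction per hop, all writing the same field name, so a single
# transaction_id=<value> search spans firewall, web server and database.
[vendor:firewall]
EXTRACT-transaction_id = txid=(?<transaction_id>[0-9a-f]{16})

[apache:access]
EXTRACT-transaction_id = X-Txn-Id:\s*(?<transaction_id>[0-9a-f]{16})

[postgres:log]
EXTRACT-transaction_id = txn_id=(?<transaction_id>[0-9a-f]{16})

# eventtypes.conf  - one event type per input that carries the field
[fw_transaction]
search = sourcetype=vendor:firewall transaction_id=*

[web_transaction]
search = sourcetype=apache:access transaction_id=*

[db_transaction]
search = sourcetype=postgres:log transaction_id=*

# tags.conf  - the same tag on every hop is the common name the text describes
[eventtype=fw_transaction]
transaction = enabled

[eventtype=web_transaction]
transaction = enabled

[eventtype=db_transaction]
transaction = enabled
```

With this in place, `tag=transaction transaction_id=3f2a9c1b7e4d0a65 | sort _time | table _time sourcetype transaction_id` follows one (constructed) transaction ID across all three inputs in order.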

Figure 1 - Sample tagging in Splunk

Technical Add-ons

Finally, let’s throw in technical add-ons and how they work in tagging to knowledge objects. When you have a known data type coming in, you can implement a technical add-on. This add-on will take the data, ingest it, and apply known rules to it.

We can look at firewalls as an example. If you have a known firewall vendor, you can apply the technical add-on for that vendor. By adding a technical add-on, your data is now CIM compliant. The technical add-ons take the data coming in from the firewall, tag it, and perform a field alias.

The technical add-ons use event data and group the data sets by common terms instead of the vendor’s terms. How is this helpful? The ability to search by common terms allows for easier communication flow across teams. Common terminology, via the Common Information Model (CIM), helps with communication across vendors and teams.
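As an added example (not from the original post or any real vendor add-on), here is the core of what a technical add-on does to make firewall events CIM compliant: field aliases map the vendor’s field names onto CIM Network Traffic names, a calculated field normalizes the action values, and tags make the events visible to the data model. The add-on name, sourcetype and vendor field names (srcip, dstip, act, proto) are assumptions.

```ini
# props.conf for a hypothetical add-on "TA-vendor-firewall"
# (constructed example; vendor field names srcip/dstip/act/proto are assumptions)
[vendor:firewall]
# Field aliases: the vendor names stay searchable, the CIM names are added alongside them
FIELDALIAS-cim_network = srcip AS src dstip AS dest srcport AS src_port dstport AS dest_port proto AS transport
# Calculated field: map the vendor's action words to the CIM Network Traffic values
EVAL-action = case(act=="allow", "allowed", act=="deny" OR act=="drop", "blocked")

# eventtypes.conf
[vendor_firewall_traffic]
search = sourcetype=vendor:firewall

# tags.conf  - the CIM Network Traffic data model selects events by these tags
[eventtype=vendor_firewall_traffic]
network = enabled
communicate = enabled
```

Once every firewall is normalized this way, a team-wide search such as `tag=network tag=communicate action=blocked | stats count BY src, dest` reads the same regardless of which vendor produced the events.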


We Can Help

Kinney Group has the ability to automate this flow for our customers and support it with Expertise on Demand. We have the best practice knowledge to make your data stick, seamlessly. We know some of these tips may not fall as first priority on the long list of Splunk fixes for your team; that’s where we can jump in. Take your time to resolution down to the minute and utilize a support service like EOD. Fill out the form below to chat with one of our expert Splunkers.

Quick Tips for Transforming Your Searches in Splunk

Take a moment to ask yourself — how efficient are your searches in Splunk?

One of the biggest advantages of Splunk is the speed at which you get your information back. It’s important to maximize that speed so you, your team, and your company get results faster. Now you’re thinking, “Sure, that’d be great. But I don’t have time to be constantly tweaking my searches.” Thankfully, these tips can help. You can get that quick speed tune-up just by re-ordering your searches.

Transform your Searches

In SPL, there are numerous search commands you can use to tune up your Splunk searches. Let’s walk through the different types of commands, how they make your Splunk environment more efficient, speed up productivity, and get results faster.

In Splunk, there are different command types: distributed streaming, centralized streaming, transforming, generating, orchestrating, and dataset processing. Depending on the order in which you place these command types, you can offload some of the search work to the indexers.

Let’s take a look at an example that demonstrates how the command order can really make a difference:

The No-Good Scenario

Take a streaming command, followed by a non-streaming command, followed by another streaming command. With this lineup, the process flows like this — your search travels from your search head down to your indexer and says, “Hey indexer, I want to know about this stuff.” Your indexer goes, “Okay, here’s all your stuff.” Now, the search head dumps all of that “stuff” on the third command, which has to do all of that work by itself.

The Good Scenario

Take a streaming command, followed by a streaming command, followed by a non-streaming command. In this scenario, you’ve lined up your streaming commands. The first streaming command runs down on the indexer and pulls out just the data you need. Then, the second streaming command applies those additional filters and cleans up the data, and only THEN is the data fed back up to the search head. With these small adjustments, you’ve made your data streaming process faster and decreased the network load going back and forth. Now, you have cleaner and more efficient results.
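To make the two scenarios concrete, here is an added example (not from the original post) written as two saved searches that return the same answer and differ only in command order. The index, sourcetype, field names and the X-Txn-Id header format are assumptions.

```ini
# savedsearches.conf (constructed example; index, sourcetype and field names are assumptions)
# Both searches produce the same table; only the command order differs.

# The No-Good Scenario: streaming -> non-streaming -> streaming.
# rex runs on the indexers, but stats pulls every clientip/status pair
# to the search head, and the final filter runs there over the whole table.
[web_5xx_by_client_slow]
search = index=web sourcetype=access_combined \
| rex field=_raw "X-Txn-Id:\s*(?<transaction_id>[0-9a-f]{16})" \
| stats count AS requests dc(transaction_id) AS transactions BY clientip, status \
| search status>=500
dispatch.earliest_time = -24h
dispatch.latest_time = now

# The Good Scenario: streaming -> streaming -> non-streaming.
# The status filter and rex both run on the indexers, so only the 5xx
# events travel to the search head, where stats does the remaining work.
[web_5xx_by_client_fast]
search = index=web sourcetype=access_combined status>=500 \
| rex field=_raw "X-Txn-Id:\s*(?<transaction_id>[0-9a-f]{16})" \
| stats count AS requests dc(transaction_id) AS transactions BY clientip, status
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

Run both and compare them in the job inspector: the fast version moves far fewer events from the indexers to the search head, which is where the saved time comes from.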

Identify Search Performance

Now that we’ve covered how you can speed up your searches, let’s dig into finding those searches you want to tune up. Short answer: your job inspector. While any of your current searches are running, you can head into the job inspector and monitor the performance of that search. See below for what to look for in your Splunk job inspector.

Figure 1 - Slow search performance

Figure 2 - Fast search performance


From these suggestions, here are two key benefits you can take away from optimizing your Splunk transforming commands:

  1. Quicker speed of the search. This alleviates some of the human-hours that searches can take. Even just 30 seconds of saved search time can add up over time.
  2. Make life easier for engineers. We know the role of a Splunk engineer is a demanding one. By optimizing your search commands, you can get results faster and move on to the next item on your very long list.

Make Optimization a Priority

Maybe you’d like to optimize your searches, but frankly, it’s not a top priority on that long list of to-do’s we mentioned earlier. That’s where Kinney Group can jump in and help. At Kinney Group, our Expertise on Demand Service offering does just that (and more). Our engineers have the ability to look through search efficiency, put things in the right order to really optimize your environment, and propose different commands to get different outputs based on best practice. You have the data. We can optimize that data and give you the full picture.