Course Content
This three-hour course is for knowledge managers who want to learn how to create knowledge objects for their search environment using the Splunk web interface. Topics will cover types of knowledge objects, the search-time operation sequence, and the processes for creating event types, workflow actions, tags, aliases, search macros, and calculated fields.
Who should attend
Knowledge Managers
Certifications
This course is part of the following Certifications:
Prerequisites
To be successful, students should have a solid understanding of the following:
- How Splunk works
- Knowledge objects
Course Objectives
- Knowledge Objects and Search-time Operations
- Creating Event Types
- Using Event Type Builder
- Creating Workflow Actions
- Creating Tags and Aliases
- Creating Search Macros
Outline: Creating Knowledge Objects (CKO)
Module 1 – Knowledge Objects & Search-time Operations
- Understand role of knowledge objects for enriching data
- Define search-time operation sequence
Module 2 – Create Event Types
- Define event types
- Create event types using three methods
- Use event types
- Find event types
- Tag event types
- Compare event types and reports
Module 3 – Create Workflow Actions
- Administer Splunk user roles
- Integrate Splunk with LDAP, Active Directory, or SAML
Module 4 – Create Tags and Aliases
- Describe field aliases
- Create field aliases
- Search with field aliases
- Define tags
- Create and view tags
- Search with tags
- Manage tags
Module 5 – Create Search Macros
- Define macros
- Create macros with and without arguments
- Validate macro arguments
- Use and preview macros at search time
- Use nested macros
- Use macros with other knowledge objects
- Use tags/event types with macros
- Create macros: considerations
Module 6 – Create Calculated Fields
- Explain calculated fields
- Create a calculated field
- Use a calculated field