Conducting data source review on Splunk Enterprise
This article offers a checklist of tasks to assist self-service customers in conducting data source review on Splunk Enterprise. This is one of many processes involved in Running a Splunk platform health check.
Objectives
- Review existing data onboarding procedures and index usage within the Splunk environment.
- Make recommendations about improved configurations per Splunk data onboarding best practices.
In-scope
- Review company data onboarding configurations and procedures and compare them to Splunk best practices
- Split data into individual events, including multi-line merge settings
- Parse date/timestamps
- Truncate long events
- Advise on the benefits of proper data onboarding, using applications from Splunkbase, and adhering to the Splunk Common Information Model (CIM) where possible
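
A read-only way to review the event-breaking, timestamp and truncation items above is to audit a copy of props.conf. The following is an added example, not Splunk's own tooling. Which settings count as the explicit baseline is an assumption of this example, and the sample stanzas (`acme:app`, `acme:legacy`) are constructed.

```python
import re

# Settings checked, grouped by the in-scope review item they relate to.
# Treating these six as the "set explicitly" baseline is this example's assumption.
CHECKS = {
    "event breaking": ("LINE_BREAKER", "SHOULD_LINEMERGE"),
    "timestamp parsing": ("TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD"),
    "truncation": ("TRUNCATE",),
}

def parse_props(text):
    """Return {stanza: {setting: value}} from props.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Return {sourcetype: [findings]}; nothing is written or modified."""
    report = {}
    for name, cfg in parse_props(text).items():
        if name == "default" or "::" in name:
            continue  # this example reviews sourcetype stanzas only
        findings = []
        for area, keys in CHECKS.items():
            missing = [k for k in keys if k not in cfg]
            if missing:
                findings.append(f"{area}: {', '.join(missing)} not set explicitly")
        if cfg.get("SHOULD_LINEMERGE", "").lower() in ("true", "1"):
            findings.append("event breaking: multi-line merge enabled, confirm intended")
        if cfg.get("TRUNCATE") == "0":
            findings.append("truncation: TRUNCATE = 0 disables truncation")
        if findings:
            report[name] = findings
    return report

# Constructed sample input: one fully specified sourcetype, one relying on defaults.
SAMPLE = r"""
[acme:app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000

[acme:legacy]
SHOULD_LINEMERGE = true
TRUNCATE = 0
"""

if __name__ == "__main__":
    for sourcetype, findings in audit(SAMPLE).items():
        print(sourcetype, *findings, sep="\n  ")
```
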
Out-of-scope
- Modifications to any Splunk configurations
Task-specific assumptions
- Current Splunk environment exists with no major changes planned while the health check is in progress
- A subject matter expert is available to provide deployment and sizing details around the current Splunk environment
- The person conducting this analysis has access to search the appropriate systems and data sources
Additional resources
Splunk Professional Services can assist with this or any other process involved in conducting a Splunk platform health check. Click here to learn more about working with Professional Services.

