The information in this article will help you discover methods for deploying and administering Splunk Enterprise. The best practices indexed here are gathered from Splunk customers, partners and employees.
This reference list highlights how customers can best manage configurations in Splunk Enterprise. Splunk Enterprise has about 50 configuration files that define and manage everything from alerts to workflow actions, including tags, custom time ranges, REST endpoints, indexing properties, and data inputs.
- Get familiar with the configuration files and know when you must restart the Splunk platform after a direct .conf edit for the change to take effect.
- Find an especially important source type and resolve data quality issues to make sure it's set up for success.
- Use btool to troubleshoot configurations. This command line tool helps you troubleshoot configuration file issues and shows which values your Splunk Enterprise installation is actually using.
- Review the timestamps in your data. Configure timestamp recognition so that Splunk Enterprise doesn't waste time trying to figure out the right date-time stamp to use.
- Define and tune event breaks. You almost certainly have some multi-line events, and figuring out what is multi-line can be taxing on the indexers. Set the segmentation for event data to optimize your source types with what you've learned about .conf files.
- Create a source type using .conf files.
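The timestamp, event-break and source type items above, worked through as one props.conf stanza. This is an added example, not configuration from the article or from Splunk; the source type name `app_auth_log`, the app directory and the log layout are assumptions constructed for it.

```ini
# props.conf, placed in a custom app such as
# $SPLUNK_HOME/etc/apps/my_onboarding_app/local/props.conf
# (app name and source type name are assumptions for this example).
#
# Constructed sample of the log this stanza is tuned for. Each event starts
# with an ISO 8601 timestamp; a failure may continue on indented lines:
#   2024-03-05T14:22:07.123+0000 level=INFO user=alice action=login result=success
#   2024-03-05T14:22:09.451+0000 level=ERROR user=bob action=login result=failure
#       reason=account_locked
#       attempts=5

[app_auth_log]
# Event breaking: do not let the indexer guess where multi-line events end.
# Break only before a line that starts with a timestamp, so the indented
# continuation lines stay attached to the ERROR event they belong to.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})

# Timestamp recognition: state exactly where the time is and how it is
# formatted, instead of scanning each event for anything that looks like a date.
# %3N is the millisecond field and %z the numeric UTC offset.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30

# Cap event size so a runaway continuation cannot become one enormous event.
TRUNCATE = 10000

# Segmentation: pick the segmenter explicitly. "inner" indexes the minor
# segments (the individual tokens of key=value pairs) that searches on
# specific fields in this log will target.
SEGMENTATION = inner

# Verify the effective settings after deployment, on the instance that parses
# this data, then restart or reload as the documentation for the edited
# file requires:
#   splunk btool props list app_auth_log --debug
```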
Onboarding new users
This reference list highlights how customers can best start onboarding new users in Splunk Enterprise.
- Head on over to Splunk Education to find all the training you need.
- Make your role-based access control more granular by organizing user access requirements into functional categories, such as data access or search restrictions.
- Build user group workspaces for a specific role or user group to enable users to search, explore, and create without distractions from other teams and users.
- Set up knowledge management practices now to avoid costly misinterpretation of your data later. Get started with “What is Splunk knowledge?”
- Define a knowledge manager role. This person can create guidelines to manage knowledge objects, normalize event data, and create data models for Pivot users.
- Review your company's requirements. Identify who needs access to which data sets, if there are any that should be private, such as data with PII, and so on. You can add and edit roles with Splunk Enterprise based upon requirements.
- Map LDAP groups to Splunk roles. Splunk Enterprise users can work with the repository administrator to set up user authentication with LDAP and configure Single Sign-On with reverse proxy.
Using add-ons and apps
This reference list highlights how customers can best start using apps and add-ons in Splunk Enterprise. Apps are collections of knowledge objects that address specific use cases. You access them from the Home page or the Apps menu. A Splunk app can include elements such as a custom UI with dashboards, reports, and custom search commands. Add-ons are a type of app that provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons do not contain a full UI, and often provide some custom configurations or data inputs.
- Listen to Splunk experts give a Tech Talk that explains how to navigate Splunkbase to find valuable apps.
- Deploy an add-on and an app from Splunkbase. Instructions for how to deploy and install the app come with it at download time, or you can refer to the general instructions on how to install Splunk add-ons.
- Contact Splunk Support if the app you want is not listed or if self-service app installation is not supported.
- Discover the knowledge objects in the apps you downloaded. Go to the dashboards tab to view the dashboard knowledge objects.
- Check out the Apps & Add-ons section in our community.