Skip to main content
Splunk Lantern

Managing your Splunk Enterprise deployment


The information in this article will help you discover methods for deploying and administering Splunk Enterprise. The best practices indexed here are gathered from Splunk customers, partners and employees.

Managing configurations

This reference list highlights how customers can best manage configurations in Splunk Enterprise. Splunk Enterprise has about 50 configuration files that define and manage everything from alerts to workflow actions, including tags, custom time ranges, REST endpoints, indexing properties, and data inputs. 

  • Get familiar with the configuration files and when to restart Splunk Platform after a configuration file change for a direct .conf edit to apply.
  • Find an especially important source type and resolve data quality issues to make sure it's set up for success.
  • Use btool to troubleshoot configurations. A command line tool that can help you troubleshoot configuration file issues or see what values are being used by your Splunk Enterprise installation.
  • Review at the timestamps in your data. Configure timestamp recognition to make sure Splunk Enterprise doesn't waste time trying to figure out the right date-time stamp to use
  • Define and tune event breaks. You almost certainly have some multi-line events. Figuring out what's mutli-line can be taxing on the indexers. Set the segmentation for event data to optimize your source types with what you've learned about .conf files.
  • Create a source type using .conf files. 

Onboarding new users

This reference list highlights how customers can best start onboarding new users in Splunk Enterprise.

Using add-ons and apps

This reference list highlights how customers can best start using apps and add-ons in Splunk Enterprise. Apps are collections of knowledge objects that address specific use cases. You access them from the Home page or the Apps menu. A Splunk app can include elements such as a custom UI with dashboards, reports, and custom search commands. Add-ons are a type of app that provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons do not contain a full UI, and often provide some custom configurations or data inputs.

  • Listen to Splunk experts give a Tech Talk that explains how to navigate SplunkBase to find valuable apps.
  • Deploy an add-on and an app from Splunkbase. Instructions for how to deploy and install the app come with it at download time, or you can refer to the general instructions on how to install Splunk add-ons.
  • Contact Splunk Support if the app you want is not listed or if self-service app installation is not supported.
  • Discover the knowledge objects in the apps you downloaded. Go to the dashboards tab to view the dashboard knowledge objects. 
  • Check out the Apps & Add-ons section in our community.