Knowledge objects are how the Splunk platform gives structure to raw data. They let you build, on top of a steady stream of raw events, the layered structure (fields, classifications, relationships) from which meaning and actionable insight can be inferred.
Note: This article applies to Splunk Enterprise and Splunk Cloud.
How knowledge objects help meaning emerge from your data
Knowledge objects are a diverse set of classifications and constructs that make up the Splunk platform's data enrichment layer. They are how Splunk organizes meaning and stores it in a reusable form, so that you can share your work and build on the work of others. Fields, searches, and reports are all examples of knowledge objects.
Managing this framework of meaning for the data in your environment is called knowledge management, and it is one of the most powerful parts of the Splunk platform.
A collection of knowledge objects that addresses a specific use case is called an app. Knowledge objects that support other apps in some way are packaged as add-ons. You can develop apps and add-ons for your own use, and you can also find apps and add-ons created by Splunk and by other users on Splunkbase, so you do not have to reinvent the wheel.
Splunk also offers full-scale solutions: sets of apps and add-ons that address advanced use cases for whole business areas and industries.
Knowledge object: A user-defined unit of logic that lets you use your data in a specific way to infer meaning from it. Knowledge objects are the units Splunk uses to interpret, classify, enrich, normalize, and model data; fields and field extractions, lookups, event types, tags, saved searches, reports, and data models are all knowledge objects. You can create, edit, save, and share knowledge objects. When you share one, its permissions (private, this app only, or all apps, with read and write access granted per role) decide who can use it and who can change it, so set them deliberately rather than leaving the defaults.
Splunk apps: A collection of knowledge objects that addresses a specific use case. Splunk apps run in Splunk Web, and you access them from the Home page or the Apps menu. A Splunk app can include elements such as a custom UI with dashboards, reports, and custom search commands. An app is not compiled code like a mobile app; it is mostly configuration and knowledge objects, so you do not need to be a programmer to build one.
Splunk add-ons: A type of app that provides specific capabilities to other apps, such as getting data in, mapping data, or supplying saved searches and macros for one or more apps to use. Add-ons do not contain a full UI; they typically provide custom configurations and data inputs. An add-on is a reusable component that supports other apps across many different use cases. You can use Splunk add-ons, or create your own, to streamline how you collect data and to get a head start on building search use cases.
How to get started with knowledge objects
Deploy an add-on and an app from Splunkbase. Good add-ons to start with are the Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows; good apps to try are the corresponding Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure. Deployment and installation instructions come with each download, and the general instructions for installing Splunk add-ons also apply.
Discover the knowledge objects in the apps you downloaded. In Splunk Web, open the Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure and go to the Dashboards tab to view its dashboard knowledge objects. Then open the Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows and compare the types of knowledge objects in the add-on with those in the app. For example, the add-ons define source types and field extractions that the app does not; the app's dashboards and reports are built on top of them.
Clone knowledge objects from one app to another. Try how easy it is to share knowledge objects among apps: find a default dashboard of the Splunk App for Unix and Linux or the Splunk App for Windows Infrastructure and clone it into the Splunk Add-On for Unix and Linux or the Splunk Add-On for Microsoft Windows. The clone is an independent copy stored in the target app's local directory, so later updates to the original app do not change it and upgrading the add-on does not remove it.
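The second and third steps above can also be carried out from the file system, which is how you review what a Splunkbase add-on brings into your environment (source types, extractions, and any scheduled saved searches that will run on their own) before you deploy it. The following is an added example, not Splunk's code and not part of this article: it parses the INI-style .conf files in which Splunk stores knowledge objects (props.conf, transforms.conf, savedsearches.conf, eventtypes.conf, tags.conf, macros.conf, with local/ overriding default/), inventories what an add-on and an app each define, diffs the two, and copies one saved search into the add-on's local/ directory, which is the on-disk equivalent of cloning. The sample_ta and sample_app directories, their stanzas, and every value in them are constructed sample data. It clones a report rather than a dashboard (dashboards are XML views, not .conf stanzas), so it generalizes the third step to any .conf-backed knowledge object.

```python
"""Inventory and compare the knowledge objects an app or add-on ships on disk.
Knowledge objects live in INI-style .conf files under <app>/default (what the vendor
shipped) and <app>/local (what was created or edited in Splunk Web). Sample data only."""
import configparser
import os
import tempfile

# Which .conf file defines which kind of knowledge object.
CONF_KINDS = {
    "props.conf": "sourcetype",  # also carries EXTRACT-/REPORT-/... field extractions
    "transforms.conf": "transform/lookup",
    "savedsearches.conf": "report/alert",
    "eventtypes.conf": "event type",
    "tags.conf": "tag",
    "macros.conf": "macro",
}
FIELD_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

def read_conf(path):
    """Parse one Splunk .conf file into {stanza: {key: value}} ({} if the file is absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case: EXTRACT-user must not become extract-user
    if os.path.exists(path):
        parser.read(path, encoding="utf-8")
    return {name: dict(parser[name]) for name in parser.sections()}

def merged_conf(app_dir, conf):
    """Overlay local/ on default/ per stanza and key, following Splunk's precedence."""
    stanzas = {}
    for layer in ("default", "local"):
        for name, body in read_conf(os.path.join(app_dir, layer, conf)).items():
            stanzas.setdefault(name, {}).update(body)
    return stanzas

def inventory(app_dir):
    """Return {kind: set(names)} for every knowledge object the app defines."""
    found = {kind: set() for kind in [*CONF_KINDS.values(), "field extraction"]}
    for conf, kind in CONF_KINDS.items():
        for name, body in merged_conf(app_dir, conf).items():
            if name == "default":
                continue
            if conf != "props.conf":
                found[kind].add(name)
                continue
            # A props stanza defines a sourcetype unless it is host::/source:: scoped;
            # either form may attach field extractions as EXTRACT-*, REPORT-*, ... keys.
            if not name.startswith(("source::", "host::")):
                found["sourcetype"].add(name)
            found["field extraction"].update(
                f"{name}/{key}" for key in body if key.startswith(FIELD_PREFIXES))
    return found

def only_in(a, b):
    """Objects that inventory a defines and inventory b does not, per kind."""
    return {kind: sorted(a[kind] - b[kind]) for kind in a if a[kind] - b[kind]}

def clone_stanza(src_app, dst_app, conf, stanza):
    """Copy one stanza into <dst_app>/local/<conf>; the source app is left untouched."""
    body = merged_conf(src_app, conf).get(stanza)
    if body is None:
        raise KeyError(f"[{stanza}] is not defined in {src_app}/{conf}")
    dst = os.path.join(dst_app, "local", conf)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    with open(dst, "a", encoding="utf-8") as fh:
        fh.write(f"\n[{stanza}]\n" + "".join(f"{k} = {v}\n" for k, v in body.items()))
    return dst

def build_sample_apps(root):
    """Write a constructed add-on (sample_ta) and app (sample_app); return their paths."""
    files = {
        "sample_ta/default/props.conf":
            "[linux_secure]\nEXTRACT-user = for (?<user>\\S+) from (?<src_ip>\\S+)\n"
            "[source::/var/log/auth.log]\nsourcetype = linux_secure\n",
        "sample_ta/default/transforms.conf": "[ssh_failed_lookup]\nfilename = ssh_failed.csv\n",
        "sample_ta/default/eventtypes.conf":
            "[ssh_failed_login]\nsearch = sourcetype=linux_secure \"Failed password\"\n",
        "sample_app/default/savedsearches.conf":
            "[Failed SSH logins by source]\n"
            "search = eventtype=ssh_failed_login | stats count by src_ip\n",
        "sample_app/default/macros.conf": "[ssh_events]\ndefinition = sourcetype=linux_secure\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return os.path.join(root, "sample_ta"), os.path.join(root, "sample_app")

def demo():
    """Inventory both sample apps, diff them, then clone the app's report into the add-on."""
    ta, app = build_sample_apps(tempfile.mkdtemp(prefix="splunk_ko_"))
    ta_inv, app_inv = inventory(ta), inventory(app)
    clone_stanza(app, ta, "savedsearches.conf", "Failed SSH logins by source")
    return {"ta": ta_inv, "app": app_inv, "ta_only": only_in(ta_inv, app_inv),
            "app_only": only_in(app_inv, ta_inv), "ta_after_clone": inventory(ta),
            "cloned": merged_conf(ta, "savedsearches.conf")["Failed SSH logins by source"]}
```

Run `demo()` and the `ta_only` entry shows exactly what the third step asks you to notice: the add-on defines the source type, the field extraction, the lookup transform, and the event type, while the app contributes only the report and the macro that sit on top of them. Pointing `inventory()` at a real `$SPLUNK_HOME/etc/apps/<name>` directory works the same way, because the function only reads the .conf files; it never needs a running Splunk instance.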