Module 6: Understanding Knowledge Objects

Question 1

What are knowledge objects?

Answer 1

Knowledge objects are tools you use to discover and analyze various aspects of your data

Page 155 Mod 6

Question 2

What are some examples of knowledge objects?

Answer 2

• Data interpretation - fields and field extractions
• Data classification - events types
• Data enrichment - lookups and workflow actions
• Normalization - tags and field aliases
• Datasets - data models
• Shareable - can be shared between users
• Reusable - persistent objects that can be used by multiple people or apps, such as macros and reports
• Searchable - since the objects are persistent, they can be used in a search

Page 155 Mod 6

Question 3

What is a knowledge manager?

Answer 3

A knowledge manager oversees knowledge object creation and usage for a group or deployment.
It also normalizes event data and creates data models for Pivot users

Page 157 Mod 6

Question 4

When it comes to the naming convention, what is Splunk’s recommend way of naming your production environment?

Answer 4

• Group - corresponds to the working group(s) of the user saving the object
  (examples: SEG. NEG. OPS. NOC)
• Object Type: Indicates the type of object
  (alert, report, summary-index-populating)
  (examples: Alert, Report, Summary)
• Description - a meaningful description of the context and intent of the search, limited to one or two words if possible; ensures the search name is unique
  Full example: SEG_Alert_WinEventlogFailures

Page 158 Mod 6

Question 5

When a knowledge object has private permissions what are the characteristics?

Answer 5

Only the person who created the object can use it and edit it.

• Create: user, power, admin
• Read: person who created it “Admin”
• Edit: person who created it “Admin”

Question 6

When a knowledge object has the permission of “This app only” what are the characteristics?

Answer 6

Object persists in the context of a specific app

• Create: power, admin
• Read: user, power, admin
• Edit: user, power, admin

Page 159 Mod 6

Question 7

When a knowledge object has the permission of “All apps” what are the characteristics?

Answer 7

Objects persists globally

• Create: Admin
• Read: user, power, admin
• Edit: user, power, admin

Page 159 Mod 6

Question 8

How is the read and/or write permission given to a role?

Answer 8

These permissions are given by the creator

Page 159 Mod 6

Question 9

When an object is created, what is the default set to?

Answer 9

The display for is set to Owner by default

Page 160 Mod 6

Question 10

What happens when an object’s permissions are set to App or All apps?

Answer 10

All roles are given read permission

Page 160 Mod 6

Question 11

Who is the write permission saved for?

Answer 11

It is saved for the admin role and the object creator unless the creator edits permissions

Page 160 Mod 6

Question 12

What role is the only one that can promote an object to All apps?

Answer 12

The admin role

Page 160 Mod 6

Question 13

Where are knowledge objects centrally managed from?

Answer 13

Settings > Knowledge

Page 161 Mod 6

Question 14

What determines your ability to modify an object’s settings?

Answer 14

Your role and permissions

Page 161 Mod 6

Question 15

True or False: By default, objects for all owners are listed.

Answer 15

True

Page 161 Mod 6

Question 16

What is the methodology for normalizing data?

Answer 16

Common Information Model (CIM)

Page 162 Mod 6

Question 17

What are some of the things Common Information Model (CIM) is used for?

Answer 17

• Easily correlate data from different sources and source types
• Leverage to create various objects discussed in this course - field extractions, field aliases, event types, tags

Page 162 Mod 6