Splunk Tutorial
Splunk - Knowledge Management
Splunk knowledge management is about maintaining the knowledge objects of a Splunk Enterprise implementation.
Below are the main features of knowledge management −
- Ensure that knowledge objects are being shared and used by the right groups of people in the organization.
- Normalize event data by implementing knowledge object naming conventions and retiring duplicate or obsolete objects.
- Oversee strategies for improved search and pivot performance (report acceleration, data model acceleration, summary indexing, batch mode search).
- Build data models for Pivot users.
Knowledge Object
A knowledge object is a Splunk object that captures specific information about your data. When you create a knowledge object, you can keep it private or share it with other users. Examples of knowledge objects are saved searches, tags, field extractions, lookups, etc.
Uses of Knowledge Objects
As the Splunk software is used, knowledge objects are created and saved. Over time they may contain duplicate information, or they may not be used effectively by all of the intended audience. To address such issues, we need to manage these objects. This is done by classifying them properly and then handling them with proper permission management. Below are the uses and classification of the various knowledge objects −
Fields and field extractions
Fields and field extractions are the first layer of Splunk software knowledge. The fields that the Splunk software automatically extracts from IT data help bring meaning to the raw data. Manually extracted fields expand and improve upon this layer of meaning.
Event types and transactions
Use event types and transactions to group together interesting sets of similar events. Event types group together sets of events discovered through searches. Transactions are collections of conceptually related events that span time.
Lookups and workflow actions
Lookups and workflow actions are categories of knowledge objects that extend the usefulness of your data in various ways. Field lookups enable you to add fields to your data from external data sources such as static tables (CSV files) or Python-based commands. Workflow actions enable interactions between fields in your data and other applications or web resources, such as a WHOIS lookup on a field containing an IP address.
Tags and aliases
Tags and aliases are used to manage and normalize sets of field information. You can use tags and aliases to group sets of related field values together, and to give extracted fields tags that reflect different aspects of their identity. For example, you can group events from a set of hosts in a particular location (such as a building or city) by giving the same tag to each host.
If you have two different sources that use different field names to refer to the same data, you can normalize your data by using aliases (by aliasing clientip to ipaddress, for example).
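The event types, lookups, tags and aliases described above are all defined as Splunk configuration stanzas in an app's `local/` directory (for example `$SPLUNK_HOME/etc/apps/<app>/local/`). The following stanzas are an added example, not from the original tutorial: the sourcetypes `web_access` and `proxy_log`, the field names `src_ip`, `status` and `action`, the host names, the `asset_owner.csv` lookup and the `building_a` tag are assumed names chosen for illustration.

```ini
# props.conf -- field aliases normalize two sources that name the client
# address differently, so a single search on ipaddress covers both.
[web_access]
FIELDALIAS-normalize_ip = clientip AS ipaddress
# Lookup: enrich every event with the host's owner from a CSV table.
LOOKUP-asset_owner = asset_owner host OUTPUT owner

[proxy_log]
FIELDALIAS-normalize_ip = src_ip AS ipaddress
LOOKUP-asset_owner = asset_owner host OUTPUT owner

# transforms.conf -- defines the CSV lookup referenced above.
# asset_owner.csv (constructed, placed in the app's lookups/ directory):
#   host,owner
#   web01,web-team
#   proxy01,network-team
[asset_owner]
filename = asset_owner.csv

# eventtypes.conf -- an event type is a saved search whose name labels
# every matching event; here it spans both sourcetypes.
[auth_failure]
search = (sourcetype=web_access status=401) OR (sourcetype=proxy_log action=denied)

# tags.conf -- tag hosts by location so a search can select a whole site,
# and tag the event type so it can be found alongside other security events.
[host=web01]
building_a = enabled

[host=proxy01]
building_a = enabled

[eventtype=auth_failure]
security = enabled

# A search that uses all four objects: failures per normalized address and
# asset owner, restricted to the hosts tagged building_a.
#   tag::host=building_a eventtype=auth_failure
#   | stats count BY ipaddress, owner
```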
Data models
Data models are representations of one or more datasets, and they drive the Pivot tool, enabling Pivot users to quickly generate useful tables, complex visualizations, and robust reports without needing to interact with the Splunk software search language. Data models are designed by knowledge managers who fully understand the format and semantics of their indexed data. A typical data model makes use of other knowledge object types.
We will discuss some of the examples of these knowledge objects in the subsequent chapters.