Introduction to Knowledge Objects Mod 7

Question 1

What are knowledge objects?

Answer 1

Knowledge objects are tools you use to discover and analyze various aspects of your data

Question 2

What are some examples of knowledge objects?

Answer 2

• Data interpretation - fields and field extractions
• Data classification - events types
• Data enrichment - lookups and workflow actions
• Normalization - tags and field aliases
• Datasets - data models
• Shareable - can be shared between users
• Reusable - persistent objects that can be used by multiple people or apps, such as macros and reports
• Searchable - since the objects are persistent, they can be used in a search

Question 3

What is a knowledge manager?

Answer 3

A knowledge manager oversees knowledge object creation and usage for a group or deployment.
It also normalizes event data and creates data models for Pivot users

Question 4

When it comes to the naming convention, what is Splunk’s recommend way of naming your production environment?

Answer 4

• Group - corresponds to the working group(s) of the user saving the object
  (examples: SEG. NEG. OPS. NOC)
• Object Type: Indicates the type of object
  (alert, report, summary-index-populating)
  (examples: Alert, Report, Summary)
• Description - a meaningful description of the context and intent of the search, limited to one or two words if possible; ensures the search name is unique
  Full example: SEG_Alert_WinEventlogFailures

Question 5

When a knowledge object has private permissions what are the characteristics?

Answer 5

Only the person who created the object can use it and edit it.

• Create: user, power, admin
• Read: person who created it “Admin”
• Edit: person who created it “Admin”

Question 6

When a knowledge object has the permission of “This app only” what are the characteristics?

Answer 6

Object persists in the context of a specific app

• Create: power, admin
• Read: user, power, admin
• Edit: user, power, admin

Question 7

When a knowledge object has the permission of “All apps” what are the characteristics?

Answer 7

Objects persists globally

• Create: Admin
• Read: user, power, admin
• Edit: user, power, admin

Question 8

How is the read and/or write permission given to a role?

Answer 8

These permissions are given by the creator

Question 9

When an object is created, what is the default set to?

Answer 9

The display for is set to Owner by default

Question 10

What happens when an object’s permissions are set to App or All apps?

Answer 10

All roles are given read permission

Question 11

Who is the write permission saved for?

Answer 11

It is saved for the admin role and the object creator unless the creator edits permissions

Question 12

What role is the only one that can promote an object to All apps?

Answer 12

The admin role

Question 13

Where are knowledge objects centrally managed from?

Answer 13

Settings > Knowledge

Question 14

What determines your ability to modify an object’s settings?

Answer 14

Your role and permissions

Question 15

True or False: By default, objects for all owners are listed.

Answer 15

True

Question 16

What is the methodology for normalizing data?

Answer 16

Common Information Model (CIM)

Question 17

What are some of the things Common Information Model (CIM) is used for?

Answer 17

• Easily correlate data from different sources and source types
• Leverage to create various objects discussed in this course - field extractions, field aliases, event types, tags

Question 18

What 6 naming segments does Splunk recommend that you use when naming your knowledge objects?

Answer 18

Group
Type
Platform
Category
Time
Description
example: security-focused workflow action
OPS_WFA_Network_Security_na_IPwhoisAction