
Downloading Data Curator
SHA256 checksums:

* data-curator_13.zip: f40a2f9ed01f82ffd2033342e1c0ccd2335e6733ec76c57832ad80cec30ab9a9
* data-curator_12.tgz: 314e138c9a733fef8c1c0fee2f94f85403aebe03771fc52c2f4437826ed13bf6
* data-curator_11.tgz: 86c3105282fd1f28ee6b96bcd52236d44b769cb15e3ed2a844abf32854b8641d
* data-curator_10.tgz: 39b4a743d6c5bae525920726c1bc41e2e9da8db8d8cc757e8cc71e6ca7c420f3

Data Curator

Data Curator is designed to help the Splunk admin assess the maturity of their Splunk deployment.

* Generates maturity scores for your props.conf settings related to data import
* Generates field extraction scores for the data you are ingesting
* Identifies data that is mis-sourcetyped relative to the rest of your data
* Provides a number of views into issues related to timestamp extraction, line breaking, line truncation, and timezone settings, with interactive dashboards that assist in troubleshooting efforts.

NOTE for Splunk 6.2+: Version 1.3 addresses the issue; otherwise you need to adjust a couple of macros to account for changes Splunk has made, specifically props_config_lookup, props_score_raw, and stitch_props_trans. The section to change is the following eval

| eval sourcetype = if(isnull(sourcetype), title, sourcetype)

should be changed to something like the following. Previous Splunk 6.x versions could probably work with just the len check, but isnull was left in just in case.

| eval sourcetype = if(isnull(sourcetype) OR len(sourcetype)<1, title, sourcetype)

Whereas apps like Splunk on Splunk are designed to help the Splunk admin understand what is happening with their deployment at an engine level, this app is designed to help the Splunk admin understand and assess the maturity of their deployment at a data level.

Splunk 6.x is required due to frequently used internal REST searches, use of the foreach command, and the changes to simple xml.

No new indices are created though there are 3 scheduled searches which ship enabled. Once the app is installed it might take a few hours before a few of the panels will show data. As everyone's environment is different from both a data and hardware perspective there are 2 dashboards under Knowledge Management to help you assess the coverage these searches provide relative to search frequency and length. You may find the searches need to be tweaked.

The props and field extraction score methodologies are documented in the app. At a high level there are 7 props settings that should be assigned to each sourcetype to help Splunk onboard your data - this app looks for their presence. On the field extraction side a comparison is made between the combined byte length of fields to the byte length of _raw. This is admittedly not a perfect science; however, it allows you to make a high level judgment on how much field definition is taking place on a sourcetype by sourcetype basis.
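The field extraction comparison described above can be sketched offline as follows. This is an added example, not the app's own code or its documented methodology: the excluded metadata fields, the per-sourcetype aggregation, the function names and the sample events are all assumptions made for illustration. A sourcetype that scores near zero is being ingested without fields that searches and detections can use.

```python
from collections import defaultdict

# Assumption: fields that describe the event rather than its content are
# excluded so they do not inflate the score.
METADATA_FIELDS = {"host", "source", "sourcetype", "index",
                   "linecount", "punct", "splunk_server"}


def byte_len(value):
    """Length in bytes of a value as UTF-8 text (not its character count)."""
    return len(str(value).encode("utf-8"))


def extraction_scores(events):
    """Return {sourcetype: combined field bytes / _raw bytes} over all events."""
    field_bytes = defaultdict(int)
    raw_bytes = defaultdict(int)
    for event in events:
        st = event.get("sourcetype") or "unknown"
        raw_bytes[st] += byte_len(event.get("_raw", ""))
        for name, value in event.items():
            # Skip internal fields (_raw, _time, ...) and metadata fields.
            if name.startswith("_") or name in METADATA_FIELDS:
                continue
            if value is None or value == "":
                continue
            field_bytes[st] += byte_len(value)
    # A sourcetype with no raw bytes scores 0.0 instead of dividing by zero.
    return {st: (round(field_bytes[st] / raw_bytes[st], 3) if raw_bytes[st] else 0.0)
            for st in raw_bytes}


# Constructed sample events (not taken from any real deployment).
SAMPLE_EVENTS = [
    {"sourcetype": "sshd", "host": "web01",
     "_raw": "Failed password for root from 10.0.0.5 port 22",
     "user": "root", "src_ip": "10.0.0.5", "port": "22"},
    {"sourcetype": "sshd", "host": "web01",
     "_raw": "Accepted publickey for alice from 10.0.0.9 port 22",
     "user": "alice", "src_ip": "10.0.0.9", "port": "22"},
    {"sourcetype": "custom_app", "host": "app01",
     "_raw": "2015-04-20 12:00:01 order=1234 status=café-closed total=19.99"},
]

if __name__ == "__main__":
    for st, score in sorted(extraction_scores(SAMPLE_EVENTS).items()):
        print(f"{st}: {score}")
```
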

Release Notes

Version 1.3
April 20, 2015

* Adjusted several REST queries to account for a 6.2 Splunk change to "null" values in fields (note documentation)
* Added a Sourcetyping section in Data Management (pretty cool stuff here)
* Moved away from the metrics logs in several dashboards as elements just aren't accurate for anything but smaller environments. These dashboards now use the summary data created by the app. This means if you are a new user there are some dashboards that won't populate until the queries have run at least once.
* Tried to upload a tarball but Splunk had trouble extracting it for some reason, so I extracted it on my Mac and compressed from there as a zip /shrug

Version 1.2
Nov. 3, 2014

* Fixed a couple spelling and space issues
* Changed a couple hard coded searches to use the summary index macro
* Removed the stash sourcetype (default sourcetype for data created within Splunk i.e. summary searches) from the props score and Sourcetype Score List dashboard.
* Took the data taxonomy csv out of the app so that if you've made changes it won't be over written. There is now a seed csv so that if this is the first time you are using the app you can run a query to move the data into the correct csv.

Version 1.1
Sept. 2, 2014

* Fixed issue with build sourcetype_field.csv query
* Updated issue description case statement for field tokens not defined in associated regex
* Added dashboard leveraging timestartpos and timeendpos fields in relation to defining TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD

Version 1.0
Aug. 23, 2014

Installs: 136
Downloads: 1,120