The intent of this app is to provide a simple interface for sharing knowledge in Splunk by editing a single CSV file; from that file the app can generate a set of standard dashboards and navigation.
Have you ever wanted a centralized location to direct users to so they can find what they need? Example: What special index do we store our firewall data? This app provides a simple interface for both administrators (to catalog data locations) and users (to find the data they need).
Depending on how Splunk is managed, finding data can be challenging for a new (or even experienced) user. The primary use case of this app is to let a Splunk administrator easily catalog (in a CSV file) where specific types of data that an end user may be interested in are found on the given system, and to give the end user an interface to quickly find that data (using Splunk's built-in menu system). Even though the CIM exists, not all data is CIM compatible, nor is every user familiar with CIM. This is especially helpful as new data types that do not comply with CIM become available in Splunk.
The app comes with an example CSV lookup file with sections, subsections and searches that should be universal. Using the built-in dashboard to add searches, an administrator can fill the catalog with the necessary content for the users. The CSV can also be edited directly, and the app contains links to open the file in the Lookup File Editor app (https://splunkbase.splunk.com/app/1724/, version 2.x required), which is especially useful if searches need to be deleted. While it is not required, it is recommended to fill out the Notes section of each search so that the generated dashboard gives some helpful context and a user can find the search by keywords in the notes (using the search dashboard called "Not Sure Where to Look?"). The administrator should either copy the example CSV found in the samples directory to the lookups directory or use the add searches dashboard to create the file.
Once the lookup/CSV file has been populated with searches, the app's custom command ("Generate Dashboards") generates menus and dashboards based on the searches given. Each search is given its own dashboard with notes, events, and some basic info and statistics of its primary fields. The dashboard also provides a time range picker and links to open the search in the normal search window (in the regular Search app, not the Search Catalog).
Each generated dashboard includes a panel titled "Most Populated Fields". If an admin wants to exclude specific fields from this panel (e.g. date_*), the most_populated_filter.csv file must be created and filled in. As with search_catalog.csv, the app contains an example most_populated_filter.csv, and again the administrator should either copy the example CSV found in the samples directory to the lookups directory or use the add searches dashboard to create the file.
From the Welcome screen a user sees how many searches exist in the search catalog and how those searches are distributed. The user is given instructions to browse the Search Catalog's menus, search the catalog, or see the latest searches that have been added.
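To make the catalog mechanics concrete, here is an added Python model (not the app's own code) of the three lookups described above: the section/subsection menu tree built from the catalog, the keyword lookup behind "Not Sure Where to Look?", and the field exclusion applied by most_populated_filter.csv. The column names (section, subsection, title, search, notes, field) and the sample rows are assumptions constructed for the example; the real lookup layout is not shown on this page.

```python
"""Model of the Search Catalog lookups (added example, not the app's code)."""
import csv
import fnmatch
import io
from typing import Dict, List

# Constructed sample of a search_catalog.csv; column names are assumed.
CATALOG_CSV = """section,subsection,title,search,notes
Network,Firewall,Palo Alto traffic,index=fw sourcetype=pan:traffic,firewall allow deny traffic logs
Network,Proxy,Web proxy,index=proxy sourcetype=bluecoat,proxy url web browsing
Endpoint,Windows,Security events,index=wineventlog EventCode=4624,logon authentication windows
"""

# Constructed sample of a most_populated_filter.csv: one field glob per row.
FILTER_CSV = """field
date_*
_raw
punct
"""


def load_catalog(text: str) -> List[Dict[str, str]]:
    """Parse the catalog CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def menu_tree(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Group searches by section -> subsection, as the generated navigation would."""
    tree: Dict[str, Dict[str, List[str]]] = {}
    for r in rows:
        tree.setdefault(r["section"], {}).setdefault(r["subsection"], []).append(r["title"])
    return tree


def find_by_keyword(rows: List[Dict[str, str]], keyword: str) -> List[str]:
    """'Not Sure Where to Look?' style lookup: case-insensitive match on title or notes."""
    kw = keyword.lower()
    return [r["title"] for r in rows if kw in r["title"].lower() or kw in r["notes"].lower()]


def load_field_filter(text: str) -> List[str]:
    """Read the exclusion globs (e.g. date_*) from most_populated_filter.csv."""
    return [r["field"] for r in csv.DictReader(io.StringIO(text))]


def most_populated_fields(field_counts: Dict[str, int], patterns: List[str], top: int = 5) -> List[str]:
    """Drop fields matching any filter glob, then rank the rest by how populated they are."""
    kept = {f: c for f, c in field_counts.items() if not any(fnmatch.fnmatch(f, p) for p in patterns)}
    return [f for f, _ in sorted(kept.items(), key=lambda kv: (-kv[1], kv[0]))][:top]
```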
Minor update for Splunk Certification requirement and code formatting updates. Fix searching to not return folders.
Fixed Most Populated Fields panel to not max out on quantity of distinct values. Fixed naming scheme for dashboards to separate correctly. Fixed "Not Sure Where to Look?" and "Most Recent Added Searches" dashboards as they were no longer creating correct links to dashboards.
Minor fix to welcome screen. Added most_populated_filter as a place to list fields to exclude from the Most Populated Fields panel. Fixed opening result count. Updated dashboard filenames to allow generated dashboards to have the same basename and punctuation.
Fixed base search generating to fill "Most Populated Fields" panel correctly.
Fixed link to Lookup File Editor app latest version (2.7.1).