Problem Statement

In any large-scale IT environment, data is siloed and context is fragmented. Security analysts, IT operators, and auditors are often drowning in a sea of logs from disparate systems. When a critical event occurs - be it a security alert, a system failure, or a compliance violation - the real challenge is not a lack of data, but a lack of context. Answering crucial questions like "What is the blast radius of this compromised server?" or "Which services will be impacted if this machine is rebooted?" requires manually correlating events across multiple data sources. This process is slow, requires deep domain expertise, and is highly prone to human error, meaning critical connections are often missed until it's too late.

Objective of the Project

The objective of the Knowledge Mapper is to radically simplify the exploration of complex, relationship-driven data within Splunk. Our goal is to empower users of all skill levels to instantly visualize and traverse the hidden connections in their data, transforming the slow, manual process of investigation into a fast, intuitive, and interactive experience. We aim to accelerate "time-to-insight" from hours to seconds, allowing analysts to see the full story behind an event, not just the event itself.

Details of the Project

Knowledge Mapper is a fully functional Splunk application that renders any tabular data into an interactive network graph of entities and their relationships. Its core features include:

Entity Explorer: An interactive graph display where users can select a starting entity and visually expand its connections, degree by degree, to uncover its entire sphere of influence.

Relationship Finder: A high-performance tool that calculates and visualizes the shortest path between any two entities in the dataset, immediately highlighting non-obvious connections.

Client-Side Anomaly Highlighting: The UI can visually flag any node or edge that the underlying SPL query marks with an isAnomaly field, allowing for seamless integration with custom detection logic or ML-powered searches.

Modern & Responsive UI: Built with Splunk's official React UI library, providing a clean, fast, and native Splunk experience.

Methodology to Solve the Problem

We adopted a modern, client-driven architectural approach to ensure performance and interactivity, even with large datasets.

Backend: The backend logic is intentionally simple, consisting of a set of efficient, targeted Splunk macros. Instead of a single, monolithic, and slow recursive query, we use two primary macros: get_unique_entities to quickly populate the UI with all possible nodes, and get_relationships_for_nodes which fetches only the direct relationships for a given set of nodes. This minimalist approach reduces the load on the Splunk search head.

Frontend: The application's intelligence resides in the React/TypeScript frontend. Upon loading, it fetches all entities to populate the dropdowns. It th
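The client-side half of the methodology above (degree-by-degree expansion, shortest path, and isAnomaly highlighting over tabular rows), as an added TypeScript example that is not the Knowledge Mapper app's own code. It assumes each row carries source, target and an optional isAnomaly column (illustrative names, not the app's), and constructed sample rows stand in for the macro output.

```typescript
// Added example, not the Knowledge Mapper app's own code; the source/target/isAnomaly column names are assumed.
interface Row { source: string; target: string; isAnomaly?: string | number | boolean; }
interface Graph { adj: Map<string, Set<string>>; anomalousEdges: Set<string>; }
const edgeKey = (a: string, b: string): string => (a < b ? `${a}|${b}` : `${b}|${a}`); // undirected edge key
// Turn tabular rows into an undirected adjacency list, remembering which edges the query flagged.
function buildGraph(rows: Row[]): Graph {
  const g: Graph = { adj: new Map(), anomalousEdges: new Set() };
  const link = (a: string, b: string) => { if (!g.adj.has(a)) g.adj.set(a, new Set()); g.adj.get(a)!.add(b); };
  for (const r of rows) {
    link(r.source, r.target); link(r.target, r.source);
    // SPL usually returns "1"/"true" as strings; anything but empty, "0" or "false" counts as flagged.
    const flag = String(r.isAnomaly ?? "").toLowerCase();
    if (flag && flag !== "0" && flag !== "false") g.anomalousEdges.add(edgeKey(r.source, r.target));
  }
  return g;
}
// Entity Explorer: breadth-first expansion, one hop per degree, nodes grouped by distance from start.
function expand(g: Graph, start: string, degrees: number): string[][] {
  const seen = new Set<string>([start]);
  const levels: string[][] = [[start]];
  for (let d = 0; d < degrees; d++) {
    const next: string[] = [];
    for (const n of levels[d]) g.adj.get(n)?.forEach(m => { if (!seen.has(m)) { seen.add(m); next.push(m); } });
    if (next.length === 0) break;
    levels.push(next);
  }
  return levels;
}
// Relationship Finder: BFS shortest path between two entities, or null when they are disconnected.
function shortestPath(g: Graph, from: string, to: string): string[] | null {
  if (!g.adj.has(from) || !g.adj.has(to)) return null;
  const seen = new Set<string>([from]);
  const queue: string[][] = [[from]]; // each queue entry is the path walked so far
  while (queue.length > 0) {
    const path = queue.shift()!;
    const n = path[path.length - 1];
    if (n === to) return path;
    g.adj.get(n)?.forEach(m => { if (!seen.has(m)) { seen.add(m); queue.push(path.concat(m)); } });
  }
  return null;
}
// Anomaly highlighting: the edges along a path that the SPL query flagged with isAnomaly.
function anomalousEdgesOnPath(g: Graph, path: string[]): string[] {
  return path.slice(1).map((n, i) => edgeKey(path[i], n)).filter(k => g.anomalousEdges.has(k));
}
const SAMPLE_ROWS: Row[] = [ // constructed stand-in for an SPL result set
  { source: "web01", target: "app01" }, { source: "app01", target: "db01", isAnomaly: "1" }, { source: "app01", target: "cache01" },
  { source: "db01", target: "backup01" }, { source: "laptop7", target: "web01", isAnomaly: "true" }, { source: "printer3", target: "printer4" },
];
```

Calling `expand(buildGraph(SAMPLE_ROWS), "app01", 2)` yields the start node, its three direct neighbours, and the two second-degree nodes, while `shortestPath` from laptop7 to backup01 crosses both flagged edges.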