icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Data Curator
SHA256 checksum (data-curator_13.zip) f40a2f9ed01f82ffd2033342e1c0ccd2335e6733ec76c57832ad80cec30ab9a9 SHA256 checksum (data-curator_12.tgz) d677f42805db5d581018b2c14277cd23b6d51ae657a694152d890585538f4293 SHA256 checksum (data-curator_11.tgz) 0d817b1fc9314b315cfd4e556747bca762f7c5fe70b9696351b8bf71da4eaec0 SHA256 checksum (data-curator_10.tgz) 01ea73052495adc05e7a05c45b079f15f1e312fef8400494deb9cd22b56632df
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Data Curator

Splunk Cloud
This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
Data Curator is designed to help the Splunk admin assess the maturity of their Splunk deployment.

* Generates maturity scores for your props.conf settings related to data import
* Generates field extraction scores for the data you are ingesting
* Identify data that is mis-sourcetyped relative to the rest of your data
* Provides a number of views to issues related to timestamp extraction, line breaking, line truncation, and timezone settings with interactive dashboards that assist in troubleshooting efforts.

NOTE for 6.2(+) - Version 1.3 addresses the issue but otherwise you need to adjust a couple macros based on changes Splunk has made. Specifically props_config_lookup, props_score_raw, & stitch_props_trans. The section is the following eval

| eval sourcetype = if(isnull(sourcetype), title, sourcetype)

should be changed to something like this - previous Splunk 6x versions could probably work with just the len statement but left isnull in just in case

| eval sourcetype = if(isnull(sourcetype) OR len(sourcetype)<1, title, sourcetype)

Whereas apps like Splunk on Splunk are designed to help the Splunk admin understand what is happening with their deployment at an engine level, this app is designed to help the Splunk admin understand and assess the maturity of their deployment at a data level.

Splunk 6.x is required due to frequently used internal REST searches, use of the foreach command, and the changes to simple xml.

No new indices are created though there are 3 scheduled searches which ship enabled. Once the app is installed it might take a few hours before a few of the panels will show data. As everyone's environment is different from both a data and hardware perspective there are 2 dashboards under Knowledge Management to help you assess the coverage these searches provide relative to search frequency and length. You may find the searches need to be tweaked.

The props and field extraction score methodologies are documented in the app. At a high level there are 7 props settings that should be assigned to each sourcetype to help Splunk onboard your data - this app looks for their presence. On the field extraction side a comparison is made between the combined byte length of fields to the byte length of _raw. This is admittedly not a perfect science; however, it allows you to make a high level judgment on how much field definition is taking place on a sourcetype by sourcetype basis.

Release Notes

Version 1.3
April 20, 2015

Adjusted several rest queries to account for a 6.2 Splunk change to "null" values in fields (note documentation)
Added a Sourcetyping section in Data Management (pretty cool stuff here)
Moved away from the metrics logs in several dashboards as elements just aren't accurate for anything but smaller environments. These dashboards now use the summary data created by the app. This means if you are a new user there are some dashboards that won't populate until the queries have run at least once.
Tried to upload a tarball but Splunk had trouble extracting it for some reason so I extracted it on my Mac and compressed from there as a zip /shrug
Version 1.2
Nov. 3, 2014
  • Fixed a couple spelling and space issues
  • Changed a couple hard coded searches to use the summary index macro
  • Removed the stash sourcetype (default sourcetype for data created within Splunk i.e. summary searches) from the props score and Sourcetype Score List dashboard.
  • Took the data taxonomy csv out of the app so that if you've made changes it won't be over written. There is now a seed csv so that if this is the first time you are using the app you can run a query to move the data into the correct csv.
Version 1.1
Sept. 2, 2014
  • Fixed issue with build sourcetype_field.csv query
  • Updated issue description case statement for field tokens not defined in associated regex
  • Added dashboard leveraging timestartpos and timeendpos fields in relation to defining TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD
Version 1.0
Aug. 23, 2014
1,747
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Mark Runals
Support
Not Supported
Questions on Splunk Answers Flag as inappropriate
Compatibility
This version of the app (1.2) is not available for Splunk Cloud. However, version 1.3 of this app is available for Splunk Cloud.
This version of the app (1.1) is not available for Splunk Cloud. However, version 1.3 of this app is available for Splunk Cloud.
This version of the app (1.0) is not available for Splunk Cloud. However, version 1.3 of this app is available for Splunk Cloud.
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise
Platform: Platform Independent Platform: Platform Independent Platform: Platform Independent Platform: Platform Independent
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: IT Operations, Utilities
App Type: App
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2024 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.