The intent of this app is to provide a simple interface for sharing knowledge in Splunk through editing a simple CSV file, the app can generate a set of standard dashboards and navigation.
Have you ever wanted a centralized location to direct users to so they can find what they need? Example: What special index do we store our firewall data? This app provides a simple interface for both administrators (to catalog data locations) and users (to find the data they need).
Depending on how Splunk is managed, finding data for a new (or even experienced) user can be challenging. The primary use-case of this app is for a Splunk adminstrator to be able to easily catalog (using a CSV file) where specific types of data (that an end user may have interest in) would be found on the given system and provide the end user an interface to quickly find this data (using Splunk’s built in menu system). Even though there exists the CIM, not all data is CIM compatible, nor is a user necessarily familiar with CIM. This can be especially helpful as new data types become available in Splunk that are not complying with CIM.
The app comes with an example CSV lookup file with sections, subsections and searches that should be universal. Using the built-in dashboard to add searches, an administrator can fill the catalog with the necessary content for the users. The CSV can also be edited directly or the app contains links to open the file in the Lookup File Editor app (https://splunkbase.splunk.com/app/1724/ requires 2.x), especially useful if searches need to be deleted. While it is not required, it is recommended to fill out the Notes section of each search so that both the generated dashboard will give some helpful context and a user may find the search based on keywords in the notes (using the search dashboard called “Not Sure Where to Look?"). The administrator should either copy the example CSV found in the samples directory to the lookups directory or use the add searches dashboard to create the file. The add searches dashboard includes help information.
Once the lookup/CSV file has been populated with searches, the app has a custom command to generate menus, dashboards, and links based on the data in the lookup (“Generate Dashboards”). Each search can be given it’s own dashboard with notes, events, and some basic info and statistics of it’s primary fields. There are also links to open the search up in the normal search window (in the regular Search app not the Search Catalog) from the dashboard as well as a time range picker. The other option is send the user to a specific link (like an existing dashboard) or convert the search into a link and skipping the generated dashboard and only adding a menu item.
Each generated dashboard includes a panel titled “Most Populated Fields”. If an admin wants to filter specific fields out of this (i.e. date_*) the most_populated_filter.csv file must be created and filled. Similar to the search_catalog.csv the app contains an example most_populated_filter.csv, and again the administrator should either copy the example CSV found in the samples directory to the lookups directory or use the add searches dashboard to create the file.
From the Welcome screen a user is introduced to the number of searches that exist in the search catalog along with an idea of how those searches are dispersed. The user is given instructions to browse through the Search Catalog’s menus, search or see what are the latest searches that have been added.
Cosmetic updates. Updated for Python 2 and 3 compatability. Updated to latest splunklib. Added new ability to add or generate a link from the config file (instead of generating a dashboard), adds the link in the navigation. Added new examples in the sample lookup file. Added ability to add search or link to top level menu instead of under a section. Added help panels for add search dashboard.
Minor update for Splunk Certification requirement and code formatting updates. Fix searching to not return folders.
Fixed Most Populated Fields panel to not max out on quantity of distinct values. Fixed naming scheme for dashboard to seperate correctly. Fixed "Not Sure Where to Look?" and "Most Recent Added Searches" dashboards as they were not creating correct links to dashboards anymore.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.