Sharing
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Contents
Sharing
Splunk provides useful ways to share knowledge and information. You can create new eventtypes, save them, and put them into Splunk bundles. You can create saved searches and schedule alerts. And you can tap into SpunkBase and search for help, share your experiences, or share your bundles with the Splunk community.
Creating, tagging, and sharing eventtypes
Creating an eventtype
- In the SplunkWeb user interface: create a search to save for the event type that you want to make.
- Click the down arrow next to the search bar.
- From the drop-down menu, choose "Save As Event Type".
- In the name text box, enter a descriptive name for the event type.
- Apply a tag to your eventtype (see below).
- Click Save.
To use your saved eventtype, start a search with:
eventtype::
Tagging an eventtype
Tagging is useful when sharing an eventtype. You can assign tags to the new eventtype in the Tags text box before you save your created eventtype.
(You can make changes to the search at any time. Just make sure to run your changes through the search and re-save each time.)
Sharing an eventtype
To share saved eventtypes, you'll have to make a bundle. The Admin Manual will have a more advanced explanation of bundles, and how to make bundles. For now we'll go through a simple explanation on how to create a bundle.
Saved searches
You can save searches like you save eventtypes. Saved searches allow you to create alerts for certain events, or amounts of a certain event based on a threshold value. Alerts tied to to saved searches allow you to trigger events such as a scripts, sending an email, or even trigger an RSS feed.
SplunkBase
Full information on SplunkBase can be found in the Admin Manual. For our purposes as users, the SplunkBase is a helpful community to obtain answers from Splunk professionals, or other Splunk users. SplunkBase is also where you can share your bundles, or obtain useful bundles from other members of the community. Any content available in SplunkBase is findable through searches, as well as through the site's menus.
Looking up events
You can look up any event on SplunkBase. This is a helpful tool for gaining more insight into various events you might not be so familiar with.
From within the Splunk interface, click on the drop-down arrow underneath the timestamp:
You will see an option to Search SplunkBase:
Click this link and you will be redirected to the SplunkBase page associated with that event.
Getting Q & A
A large part of SplunkBase is devoted to Questions & Answers. You can focus the Q&A around your needs by using the Categories list on the left to narrow down to the technology you're interested in. Then, click a Question to see the list of Answers associated with it.
Using the How-to guides
Another large section of SplunkBase is devoted to HOWTOs. HOWTOs are documents that explain how to understand or accomplish something. Just as with Q&As, you can focus onto the technology you're looking for by using the Categories links on the side. Click through a HOWTO's name to see its contents.
Add-ons in SplunkBase
SplunkBase is teeming with bundles you can add to your Splunk installation. From the Add-ons page, you can narrow down the listing either through Categories, or through Types (the types of content within the add-on). Click through a bundle's name to read more about it, see ratings and comments, rate it yourself, view what's inside it by clicking View Contents, or download it by clicking the Download button. Once you have a bundle downloaded, to add it to your Splunk instance, place it into your Splunk server's $SPLUNKHOME/etc/bundles directory and extract the tarball or zip file.