Live Online Training

Creating Knowledge Objects in Splunk

Implement Effective Splunk Knowledge Objects to Discover and Analyze Your Data

Topic: System Administration
Karun Subramanian

Splunk is by far the best operational data intelligence platform in the market today. To make full use of the Splunk platform, one must learn to use knowledge objects effectively. Many Splunk users find creating and managing knowledge objects difficult, because Splunk provides numerous kinds of knowledge objects and extensive customization options.

Knowledge objects such as lookup tables and field extractions are extremely important for discovering and analyzing machine data. Certain knowledge objects, such as workflow actions, let you interact with external sources. Using macros, you can replace complex SPL queries with meaningful names. When configured correctly, knowledge objects aid a Splunk user in numerous other ways.

In this training course, participants will learn how to identify, create, customize, and manage Splunk knowledge objects. Learners will see detailed examples of how the various knowledge objects are created and customized.

What you'll learn and how you can apply it

By the end of this live, hands-on, online course, you'll understand:

  • How to create various knowledge objects
  • How to customize and share knowledge objects
  • How to add external data to your search results
  • The functionality of data models and accelerated data models

And you'll be able to:

  • Utilize lookup tables to enhance your search results
  • Extract new fields from your machine data
  • Create and use tags and event types
  • Employ search macros
  • Create workflow actions
  • Create and use data models

This training course is for you because...

  • You are a DevOps engineer trying to implement monitoring and automation
  • You are a support engineer responsible for the health and availability of applications
  • You are a security professional trying to use Splunk for threat hunting and incident response
  • You are a business user trying to create reports
  • You are a software developer/architect and want to make use of the Splunk platform

Prerequisites

  • Beginning Splunk live online training (dates vary; search the O'Reilly Learning Platform for an upcoming class)
  • Basic Splunk SPL (Search Processing Language)

Course Set-up

  • You need to have at least user-level access to your organization's Splunk environment (power user access recommended).
  • If you do not have access to a Splunk environment, obtain a free Splunk Cloud trial (valid for 15 days from the date of registration) or install the Splunk Enterprise trial on your PC/Mac.

Recommended Preparation

  • Beginning Splunk live online training (dates vary; search the O'Reilly Learning Platform for an upcoming class)

About your instructor

  • Karun is an IT operations expert focusing on modernizing monitoring and observability. With over 20 years of experience, Karun has helped numerous companies transform their IT operations ecosystem. His areas of expertise include log aggregation, time series databases, cloud infrastructure, and machine data analytics. He is a Splunk Certified Architect.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Segment 1: Using Field Extractions (Length: 35 minutes)

  • Splunk platform basics
  • Fields introduction
  • Automatically extracted fields
  • Extracting fields using field extraction wizard
  • Extracting fields using rex and erex
  • Q&A

Segment 2: Using Field Aliases and Calculated Fields (Length: 25 minutes)

  • Creating field aliases
  • Creating calculated fields
  • Q&A

Break – 10 minutes

Segment 3: Creating Lookups (Length: 35 minutes)

  • Lookups introduction
  • Create a CSV lookup
  • Use lookups to enhance data
  • Populate a lookup table
  • Introduction to KV store lookups
  • Q&A

Segment 4: Using Event Types and Tags (Length: 25 minutes)

  • Create Tags
  • Manage Tags
  • Create Event Types
  • Manage Event Types
  • Q&A

Break – 10 minutes

Segment 5: Creating Workflow Actions (Length: 30 minutes)

  • Introduction to workflow actions
  • Creating a GET workflow action
  • Creating a POST workflow action
  • Creating a Search workflow action
  • Q&A

Segment 6: Creating Macros (Length: 25 minutes)

  • Creating a macro
  • Calling a macro
  • Using macros with arguments
  • Validating macros
  • Q&A

Break – 10 minutes

Segment 7: Working with Data Models (Length: 30 minutes)

  • Introduction to datasets and data models
  • Creating a data model
  • Using a data model
  • Accelerating a data model
  • Using tstats with an accelerated data model
  • Q&A

Course wrap-up and next steps