Configure the data layer and knowledge objects in a Splunk app

Configure the data layer of your app to specify how to treat your data. You can customize what data is available to your app, how it gets into your Splunk Enterprise instance, and how to store the data.

Configure the knowledge objects within your app, which include saved searches, reports, event types, fields, field extractions, tags, lookups, alerts, data models, transactions, and workflow actions.


Configure the data layer

By default, all configurations are global—that is, they are available to all apps. To segregate a configuration, place it into your app's directory. Configurations you put into your app's directory will also be packaged with the app. However, any data inputs that are indexed are always available to other apps.

The following table provides some examples of data layer configuration. For more about configuration files, see About configuration files in the Admin Manual.

| Data layer | Description |
| --- | --- |
| Inputs | Configure data inputs for your app. You might want to index a specific type of data just for your app. For example, you might want to index your Web logs so your Web developers can look at them in one place. For more, see the Getting Data In manual. |
| Indexes | Configure custom indexes to store the data for your app, which is the best way to make sure your app users can only search through specific data. For more, see Set up multiple indexes in the Managing Indexers and Clusters of Indexers manual. |
| Props and transforms | For custom data types, you can set segmentation, character set, or other custom data-processing rules. Create rules for data processing in the props.conf configuration file and link them to your data using the transforms.conf configuration file. You can package these configurations with your app, but they will be applied on a source, sourcetype, or host basis. For more, see Overview of event processing in the Getting Data In manual. |
| Users and roles | You can create a custom user or role to access your app and the content within your app, which allows you to restrict different teams to different content. For more, see About users and roles in the Admin Manual. |
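The following is an added example of the four data-layer configuration files as they might sit in an app's default directory; it is not taken from Splunk's documentation or from any shipped app. The app name, the index name web, the sourcetype nginx:access, the role web_analyst, and the log path are all assumptions chosen for illustration. It shows the point the table makes about indexes and roles: putting inputs.conf in the app directory packages the input with the app, but because indexed data is visible to every app, the only thing that actually limits what users can search is the role's srchIndexesAllowed setting.

```ini
# --- $SPLUNK_HOME/etc/apps/my_web_app/default/inputs.conf ---
# Monitor a web server access log (assumed path) and send it to
# the app's own index under a custom sourcetype.
[monitor:///var/log/nginx/access.log]
index = web
sourcetype = nginx:access
disabled = 0

# --- default/indexes.conf ---
# A dedicated index for the app's data. Storing it separately is what
# makes index-level access control possible later in authorize.conf.
[web]
homePath = $SPLUNK_DB/web/db
coldPath = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
# Retain 90 days (seconds) before buckets are frozen.
frozenTimePeriodInSecs = 7776000

# --- default/props.conf ---
# Event-processing rules keyed by sourcetype: one event per line,
# explicit timestamp location, character set, and links to transforms.
[nginx:access]
SHOULD_LINEMERGE = false
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26
CHARSET = UTF-8
# Search-time field extraction defined in transforms.conf.
REPORT-nginx_access = nginx_access_fields
# Index-time transform: discard load-balancer health checks so they
# never consume license or clutter searches.
TRANSFORMS-drop_noise = drop_healthchecks

# --- default/transforms.conf ---
# Field extraction for the common/combined log format (constructed regex).
[nginx_access_fields]
REGEX = ^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)
FORMAT = clientip::$1 method::$2 uri::$3 status::$4 bytes::$5

# Route matching raw events to the null queue (they are never indexed).
[drop_healthchecks]
REGEX = "GET /healthz
DEST_KEY = queue
FORMAT = nullQueue

# --- default/authorize.conf ---
# A role for the app's users. Inheriting from "user" gives the normal
# search capabilities; srchIndexesAllowed is the setting that actually
# restricts which indexed data this role can search.
[role_web_analyst]
importRoles = user
srchIndexesAllowed = web
srchIndexesDefault = web
```

The index-time transform (TRANSFORMS-) runs on the indexer or heavy forwarder where parsing happens, so it must be deployed there; the REPORT- extraction is search-time and only needs to reach the search head. Neither the index stanza nor the role is scoped to the app: they are global objects that happen to ship in the app's directory, which is exactly why the role, not the app, is what enforces data separation.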

Configure knowledge objects

The table below provides examples of how different knowledge objects can be used in an app. For more about knowledge objects and configuration details, see the Knowledge Manager Manual.

| Knowledge object | Description |
| --- | --- |
| Saved searches and reports | Saved searches and reports dynamically capture important pieces of your data. Display them in your app on a dashboard, or add them to a drop-down menu in Splunk Web to run as needed. Use saved searches as a shortcut to launch interesting and relevant searches into whatever data you've loaded into your app. Saved searches are useful when building dashboards because you can schedule your saved search to run and collect data so that when your dashboard loads, the search results are already available. |
| Event types | Event types simplify search results by letting you categorize events and classify them by common characteristics. |
| Fields and field extractions | Fields are name-value pairs that appear in event data. Splunk Enterprise automatically extracts fields from your data, but you can also define your own field extractions. For example, you might have some data in your app that you want to showcase in your results by extracting custom fields. |
| Tags | Tags are another way to add metadata to your data. Tags enable you to search for events that contain particular field values. |
| Lookups | Lookups provide data enrichment by mapping an event value to a field in another data source, and appending the matched results to the original event. For example, use a lookup to match an HTTP status code and return a new field containing the detailed description of the status. Data sources for lookup content include search results, CSV files, KV Store collections, and database connections. You can incorporate lookups into dashboards to display content in a human readable format, allowing users to interact with event data without knowing obscure or cryptic event fields. |

Configure the knowledge objects within your app to specify how to scope them and whether to set permissions on objects by role. For example, reports are objects that can be displayed only for the owner (private), in one app (app), or for all apps (global), and read/write permissions can be granted per user role. For more, see Set permissions for objects in a Splunk app.
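As an added example (not from Splunk's documentation or any shipped app), here is how the knowledge objects in the table above and the permissions described in the last paragraph would be declared in an app's configuration files. It assumes the same app name, index web, and sourcetype nginx:access used earlier, plus a role named web_analyst and a constructed CSV lookup file; the saved search, event type, tag, and lookup names are all invented for illustration. It carries the table's own HTTP status lookup example through to a working automatic lookup, and shows the default.meta stanzas that scope each object type to the app and grant read or write per role.

```ini
# --- $SPLUNK_HOME/etc/apps/my_web_app/default/savedsearches.conf ---
# A scheduled report that runs every 15 minutes over the last hour so
# that a dashboard panel can load precomputed results instead of
# searching raw events on every page view.
[Web server errors by URI]
search = index=web sourcetype=nginx:access status>=500 | stats count by uri, status
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
# Keep it visible in the Reports list (set to 0 to hide it from menus).
is_visible = 1

# --- default/eventtypes.conf ---
# Classify server-side failures once so searches can use eventtype=...
# instead of repeating the predicate.
[nginx_server_error]
search = sourcetype=nginx:access status>=500

# --- default/tags.conf ---
# Attach the tag "error" to that event type; tag=error then matches
# these events alongside any other event types tagged the same way.
[eventtype=nginx_server_error]
error = enabled

# --- default/transforms.conf ---
# CSV lookup definition. The file lives in the app's lookups/ directory.
# lookups/http_status.csv (constructed contents):
#   status,status_description
#   200,OK
#   404,Not Found
#   500,Internal Server Error
#   502,Bad Gateway
[http_status_lookup]
filename = http_status.csv

# --- default/props.conf ---
# Automatic lookup: for every nginx:access event, match the extracted
# status field against the CSV and add status_description to the event.
[nginx:access]
LOOKUP-http_status = http_status_lookup status OUTPUT status_description

# --- metadata/default.meta ---
# Permissions and sharing for the app's objects.
# Default for every object in this app: anyone can read, only admin
# can write, and objects are not exported beyond the app.
[]
access = read : [ * ], write : [ admin ]
export = none

# Reports: only the app's analysts and admins may read them.
[savedsearches]
access = read : [ web_analyst, admin ], write : [ admin ]
export = none

# Lookups and the automatic lookup need to be visible from other apps
# (for example the Search app) to enrich nginx:access events there.
[lookups]
export = system

[transforms]
export = system
```

The stanza names in default.meta are the object types (the configuration file name without .conf), and `export = system` is what makes an object global rather than app-scoped. A user who can read the report still only sees events from indexes their role is allowed to search, so the report and the index role work together rather than one replacing the other.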