Knowledge Objects
Fields, lookups, event types, tags, macros, data models
Learning Objectives
- Build search-time field extractions
- Define event types and tags for normalization
- Author macros for reusable SPL
- Understand data models and the Common Information Model (CIM)
Module 1 — Field Extractions
Search-time vs index-time. Search-time extractions (EXTRACT-<class> for an inline regex in props.conf, REPORT-<class> for a regex kept in a transforms.conf stanza) are preferred: nothing is written to the index, so they apply to data already indexed and a wrong regex is fixed by editing the stanza. Index-time extractions (TRANSFORMS-<class> with WRITE_META) only affect events indexed after the change, so fixing one means re-indexing.
Built via the Field Extractor UI (which writes EXTRACT- stanzas) or directly in props.conf, where the stanza is keyed by sourcetype, source or host.
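Both search-time forms side by side, plus the CIM alias and calculated field that usually go with them. This is an added example, not material from the course: the sourcetype acme:fw, the app directory acme_fw, the stanza names and the sample log line are all constructed for illustration, and the regexes are written against that constructed line.

```ini
# Added example, not from the course. Sourcetype "acme:fw", app "acme_fw" and the
# sample event below are constructed for illustration:
#   2024-05-01T10:22:03Z fw01 BLOCK tcp 10.1.2.3:51515 -> 203.0.113.9:445 rule=deny_smb

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/props.conf ---
[acme:fw]
# EXTRACT-<class>: inline regex evaluated at search time. Named groups become fields.
EXTRACT-fw_tuple = (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?<src_port>\d+)\s+->\s+(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3}):(?<dest_port>\d+)
# REPORT-<class>: also search time, but the regex lives in transforms.conf so the
# same stanza can be attached to several sourcetypes.
REPORT-fw_verdict = acme_fw_verdict
# CIM Network_Traffic expects src/dest and action=allowed|blocked. Alias and map
# instead of rewriting the extraction; aliases run before EVAL-, so EVAL- can use them.
FIELDALIAS-cim_network = src_ip AS src dest_ip AS dest
EVAL-action = case(fw_verdict=="ALLOW", "allowed", fw_verdict=="BLOCK", "blocked")
# Index-time alternative, left commented out on purpose: TRANSFORMS- runs at ingest
# and only affects events indexed after the change, so a bad regex means a re-index.
# TRANSFORMS-fw_indexed = acme_fw_indexed_verdict

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/transforms.conf ---
[acme_fw_verdict]
# Named groups in REGEX create the fields directly; no FORMAT is needed for a
# search-time extraction of this shape.
REGEX = \s(?<fw_verdict>ALLOW|BLOCK)\s(?<transport>tcp|udp|icmp)\s
```

Check the result with `sourcetype=acme:fw | table src dest dest_port action transport` on a few events before tagging the sourcetype; an extraction that silently matches nothing is the usual reason a data model stays empty.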
Module 2 — Event Types & Tags
Event Type = a saved search string (no pipes, no subsearches) that classifies events; every event it matches gets the field eventtype=<name>. Tag = a label attached to a field/value pair, most often to eventtype=<name>, never to a raw event directly.
Together they normalize disparate sources: once a Windows 4625 and a VPN logon failure both carry tag=authentication and the CIM field action=failure, one search (tag=authentication action=failure) finds both, and the Authentication data model admits both.
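The two files that implement this, as an added example rather than course material. The firewall sourcetype acme:fw with its calculated action field, the eventtype stanza names and the assumption that the Windows add-on already supplies action=failure for EventCode 4625 are all assumptions made here.

```ini
# Added example, not from the course. Stanza names, the sourcetype "acme:fw" (with an
# action field already calculated at search time) and the Windows details are assumptions.

# --- eventtypes.conf ---
# An event type is a search without pipes or subsearches, evaluated at search time
# after field extraction; matching events get eventtype=<stanza name>. Always pin
# it to a sourcetype or index: an unanchored event type is evaluated against
# every event of every search.
[acme_fw_blocked]
search = sourcetype=acme:fw action=blocked

[windows_logon_failure]
search = sourcetype=XmlWinEventLog EventCode=4625

# --- tags.conf ---
# Tags attach to a field=value pair, here the eventtype field. The CIM Authentication
# model is constrained on tag=authentication and uses action=failure|success for the
# outcome (assumed here to be supplied by the Windows add-on for 4625).
[eventtype=windows_logon_failure]
authentication = enabled

# Network_Traffic expects both of these tags on firewall events.
[eventtype=acme_fw_blocked]
network = enabled
communicate = enabled
```

After a restart or a `| datamodel Authentication search` check, `tag=authentication action=failure | stats count BY sourcetype` should list the Windows sourcetype; if it does not, the tag is there but the action field is not, which is the most common CIM gap.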
Module 3 — Macros
Reusable SPL snippets, invoked as `name` or `name(arg1, arg2)`; arguments are substituted as text before the search is parsed, so validate anything that arrives from a dashboard token. The CIM app ships one per data model, e.g. `cim_Authentication_indexes` (note the case), which the model's root search and ES content reference to restrict the model to the right indexes; its default is `()`, i.e. no restriction, so setting it to (index=...) is part of every ES deployment.
Definition: $SPLUNK_HOME/etc/apps/<app>/local/macros.conf, or Settings > Advanced search > Search macros, which writes the same file.
Module 4 — Data Models & CIM
Data Model = hierarchical search-time schema: a root dataset defined by a constraint search, child datasets that narrow it (e.g. Authentication has Failed_Authentication and Successful_Authentication, constrained on action=failure and action=success), and the fields an event must carry to land in it.
CIM = Splunk's Common Information Model: roughly two dozen standard data models (Authentication, Network_Traffic, Endpoint, Web, ...) together with the field names and tags each one expects. Splunk ES is built on top of them, so a source that is not CIM-mapped is invisible to most ES content.
Acceleration materializes summaries of the model on the indexers so searches do not touch raw events; most ES correlation searches use tstats against an accelerated data model, and with summariesonly=true a search sees only what the acceleration has already summarized.
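A scheduled search in the shape ES correlation searches take, as an added example that is not from the course or from ES itself. The search name, the threshold, the schedule and the app path are assumptions; the data model and field names are those of the CIM Authentication model.

```ini
# Added example, not from the course or from ES. Search name, threshold, schedule and
# the app path are assumptions; dataset and field names follow CIM's Authentication model.
# --- $SPLUNK_HOME/etc/apps/acme_detections/local/savedsearches.conf ---
[Auth - Failed logon burst by source]
# tstats reads the accelerated summary rather than raw events, so the sourcetype
# never appears here: an event is counted only if it carried tag=authentication and
# action=failure when the summary was built. Every field is prefixed with the root
# dataset name (Authentication.src, not src).
# summariesonly=true skips anything the acceleration has not summarized yet, so a
# lagging or disabled acceleration returns no results rather than an error. Run with
# summariesonly=false while validating a new source, true in production for speed.
search = | tstats summariesonly=true count AS failures, dc(Authentication.user) AS users from datamodel=Authentication.Failed_Authentication by Authentication.src, Authentication.dest | where failures >= 20 | rename Authentication.* AS *
dispatch.earliest_time = -1h
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
```

If the Authentication model's definition has been edited since it was last accelerated, add allow_old_summaries=true to the tstats call or the summary will be ignored until it is rebuilt.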
Lab 12 — Build a Lookup & Macro
- Imagine assets.csv with columns ip, hostname, owner, criticality.
- Define an automatic lookup that enriches src_ip in firewall events.
- Author a macro `high_value_assets` returning criticality=high hosts.
- Use the macro in a search.
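A complete solution to the four lab steps, which also shows the macros.conf syntax from Module 3 (zero-argument and argument-taking macros with validation). This is an added example, not a course-supplied answer: the app directory acme_fw, the lookup stanza name assets_lookup, the sourcetype acme:fw, the sample CSV rows and the second macro are all constructed here; the field src_ip and the macro name high_value_assets come from the lab text.

```ini
# Added example, not from the course. App "acme_fw", the lookup stanza name, the
# sourcetype "acme:fw", the CSV rows and the second macro are assumptions.

# --- $SPLUNK_HOME/etc/apps/acme_fw/lookups/assets.csv (constructed sample) ---
# ip,hostname,owner,criticality
# 10.1.2.3,dc01,platform-team,high
# 10.1.2.40,build-runner-7,ci-team,medium
# 10.1.9.12,lab-kiosk,facilities,low

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/transforms.conf ---
[assets_lookup]
filename = assets.csv

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/props.conf ---
[acme:fw]
# Lab step 2, automatic lookup: the CSV column "ip" is matched against the event field
# src_ip. OUTPUTNEW never overwrites a field the event already has; OUTPUT would.
LOOKUP-assets = assets_lookup ip AS src_ip OUTPUTNEW hostname AS src_hostname owner AS src_owner criticality AS src_criticality

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/macros.conf ---
# Lab step 3, zero-argument macro (stanza name = macro name). The subsearch expands to
# (src_ip=10.1.2.3 OR src_ip=...), so the macro drops into any search as a filter.
[high_value_assets]
definition = [| inputlookup assets_lookup where criticality="high" | fields ip | rename ip AS src_ip]

# Macro with arguments: the stanza name is name(argcount) and args names them.
# Arguments are pasted in as text before the search is parsed, so validate them;
# an unvalidated argument fed from a dashboard token is an SPL injection point.
[blocked_by_owner(1)]
args = min_count
definition = sourcetype=acme:fw action=blocked `high_value_assets` | stats count AS blocked BY src_ip src_hostname src_owner | where blocked >= $min_count$
validation = isnum($min_count$)
errormsg = min_count must be a number

# --- $SPLUNK_HOME/etc/apps/acme_fw/local/savedsearches.conf ---
# Lab step 4, the macro used in a search.
[Blocked traffic from high value assets]
search = `blocked_by_owner(10)` | sort - blocked
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

Two caveats a practitioner hits quickly: a subsearch-based macro like high_value_assets is capped by the subsearch result limit, so for a large asset inventory filter after the automatic lookup (src_criticality=high) instead of expanding a list into the base search; and an automatic lookup runs on every search that touches the sourcetype, so keep the CSV small or move it to the KV store.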
Key Takeaways
- ✓Knowledge objects normalize the data — that's how ES finds anything
- ✓CIM compliance is the gatekeeper for ES correlation searches
- ✓Macros keep SPL DRY