Splunk Knowledge... Share it Through Documentation


Anyone who has worked in professional services knows that technical documentation is always requested for any type of content delivery. Of course the importance of documentation extends far beyond the consulting realm, as it is always a good practice for organizations to document their technical content. In today's blog I will attempt to write a non-technical blog about documenting technical Splunk content.

So what should be included in Splunk content documentation? Here is a breakdown, by heading, of the information that I have found to be essential in any Splunk content and use case documentation.


Purpose

This is, of course, fairly self-explanatory. Start with the high-level purpose of the content: what are we trying to accomplish?

Requirements

Are there any specific requirements or compliance standards that the content needs to meet? How is the content backed up, and is source control being used?

Contacts

Who are the key players involved, and how can they be reached? Who is responsible for which aspects of the content? Consider including the following groups:

  • Splunk administrators/support
  • Data source owners/subject matter experts
  • Content requestors
  • etc...

On-Call/After Hours Procedures

Does this content require after hours support and procedures? How will this be handled and by whom?

Data Sources

What are the data sources that are involved? What are the indexes and sourcetypes of these data sources? Are we filtering or limiting results to a subset of hosts/devices? How have these data sources been onboarded (file monitoring, syslog, etc.)?

Data Source Configurations

What apps/TAs are being used for the data source configurations? Are the configurations deployed out via the Splunk Deployment Server or another configuration management tool? 

Scheduled Searches

Does the use case utilize any scheduled searches? When does the search run and is throttling being used? Are alerts being sent out via email or is a script being executed?
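As an added example (not part of the original post, and not a Splunk tool), the following Python script builds the inventory that the Data Sources and Scheduled Searches sections ask for from configuration text: index, sourcetype and onboarding method per input in inputs.conf, and schedule, search window, throttling and alert actions per scheduled search in savedsearches.conf. It also flags scheduled searches that fire an action without throttling and searches that run a script, since both are points the documentation should cover. The stanza names, log paths and e-mail address in the embedded samples are constructed; the configuration keys themselves are standard Splunk keys.

```python
"""Build a documentation inventory from Splunk inputs.conf and savedsearches.conf text."""
import configparser

# Constructed sample inputs.conf (not from a real deployment)
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/auth.log]
index = os_linux
sourcetype = linux_secure
disabled = 0

[udp://514]
index = network
sourcetype = syslog
connection_host = dns

[monitor:///var/log/old_app.log]
index = legacy
sourcetype = app_old
disabled = 1
"""

# Constructed sample savedsearches.conf (not from a real deployment)
SAMPLE_SAVEDSEARCHES_CONF = """
[Failed logins - brute force]
search = index=os_linux sourcetype=linux_secure "Failed password" | stats count by src
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = src
action.email = 1
action.email.to = soc@example.com

[Firewall deny summary]
search = index=network sourcetype=syslog action=deny | stats count by dest_port
cron_schedule = 0 6 * * *
enableSched = 1
action.email = 1
action.email.to = soc@example.com

[Ad hoc lookup]
search = index=network | head 10
"""

# Map an inputs.conf stanza prefix to the onboarding method the documentation should name
ONBOARDING_METHODS = {
    "monitor": "file monitoring",
    "batch": "file monitoring (batch)",
    "udp": "syslog/network listener",
    "tcp": "syslog/network listener",
    "script": "scripted input",
    "WinEventLog": "Windows event log",
}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, stanzas in file order."""
    parser = configparser.ConfigParser(
        interpolation=None,        # Splunk values may contain a literal '%'
        strict=False,              # tolerate repeated keys seen in merged configs
        default_section="default", # a [default] stanza applies to every other stanza
    )
    parser.optionxform = str       # keep key case: 'enableSched', not 'enablesched'
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def data_source_inventory(inputs_text):
    """One row per enabled input: stanza, index, sourcetype and onboarding method."""
    rows = []
    for stanza, keys in parse_conf(inputs_text).items():
        if keys.get("disabled", "0") == "1":
            continue  # disabled inputs are not live data sources
        prefix = stanza.split(":", 1)[0]
        rows.append({
            "input": stanza,
            "index": keys.get("index", "(default index)"),
            "sourcetype": keys.get("sourcetype", "(auto)"),
            "method": ONBOARDING_METHODS.get(prefix, "other (" + prefix + ")"),
        })
    return rows


def scheduled_search_inventory(savedsearches_text):
    """One row per scheduled search: schedule, window, throttling, actions and notes."""
    rows = []
    for name, keys in parse_conf(savedsearches_text).items():
        if keys.get("enableSched", "0") != "1":
            continue  # saved but unscheduled searches are not scheduled content
        # 'action.<name> = 1' enables an action; 'action.<name>.<setting>' configures it
        actions = sorted(k[len("action."):] for k, v in keys.items()
                         if k.startswith("action.") and k.count(".") == 1 and v == "1")
        throttled = keys.get("alert.suppress", "0") == "1"
        notes = []
        if actions and not throttled:
            notes.append("no throttling: every matching run fires " + ", ".join(actions))
        if "script" in actions:
            notes.append("runs a script: document the script path and its owner")
        rows.append({
            "name": name,
            "cron_schedule": keys.get("cron_schedule", "(none)"),
            "window": (keys.get("dispatch.earliest_time", "(unset)"),
                       keys.get("dispatch.latest_time", "now")),
            "throttle": ({"period": keys.get("alert.suppress.period"),
                          "fields": keys.get("alert.suppress.fields")} if throttled else None),
            "actions": actions,
            "notes": notes,
        })
    return rows


if __name__ == "__main__":
    for row in data_source_inventory(SAMPLE_INPUTS_CONF):
        print("data source:", row)
    for row in scheduled_search_inventory(SAMPLE_SAVEDSEARCHES_CONF):
        print("scheduled search:", row)
```

The two inventory functions return plain dictionaries so the output can be dropped into whatever documentation template the team uses; pointing `parse_conf` at the merged output of `btool` rather than a single file would pick up settings inherited from other apps.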

Dashboards

Have any dashboards been built as part of this content? Are any customizations or non-standard XML features being used?

Testing and Troubleshooting Tips

Was a testing procedure implemented to validate the use case? Do you have any useful tips for troubleshooting issues related to the use case?


Hopefully this blog provided some ideas that you can use the next time you document Splunk content. Thanks for reading and Happy Splunking!
