Using Splunk
Splunk can be used by application vendors to access and query logs. Created reports and dashboards can also be shared with other Splunk users. This page is a short introduction with references to Splunk end user documentation.
Links to external resources
See official Splunk documentation for how to use Splunk:
About Splunk Enterprise - Splunk Documentation - Provides an overview of Splunk features
About the Search Tutorial - Splunk Documentation - Splunk tutorial for creating searches, reports and dashboards
Splunk® Enterprise - Splunk Documentation - More extensive Splunk reference documentation
Splunk concepts
What is a Splunk report?
Splunk reports are results saved from a search action which can show statistics and visualizations of events. Reports can be run anytime, and they fetch fresh results each time they are run. The reports can be shared with other users and added to dashboards.
What are dashboards in Splunk?
A dashboard presents tables or charts that relate to some business meaning. It is organised in panels: each panel holds a chart or summarized data in a visually appealing manner. Multiple panels, and hence multiple reports and charts, can be added to the same dashboard.
What is a Splunk app?
A Splunk app is a packaged collection of knowledge objects and extensions. This could be reports, dashboards and so forth.
How to's
How to share a created dashboard
It is possible to share created reports and dashboards.
Sharing depends on the application: in some applications vendors cannot add reports and similar objects, while in other applications this is possible.
To share a report, click the edit menu and select edit permission.
In the edit permission dialogue, you can edit the sharing and which user group to share with.
The screenshot below is just an example; the user groups a vendor can see are different and have logical names that reflect the actual vendor applications (e.g. medware kommunalpro).
How to see error logs in Splunk
Telemedicine solutions can find their system logs in Splunk, assuming the application logs as specified in Logging model | System log.
The Splunk index to query is {environment}_k8s_{Vendor Short Name}-{Application Short Name}_application.
So, assuming the logging format in Logging model | System log is followed, the following query for PROD and Kommunal-PRO finds logged errors (alarms and alerts):
index=prod_k8s_medware-kommunalpro_application type=alarm OR type=alert
| table _time, app, type, severity, id, subject, data
A slightly more advanced Splunk query adds some simple statistics:
index=prod_k8s_medware-kommunalpro_application type=alarm OR type=alert
| stats count last(_time) as _time by app, id, type, severity, subject, data
| sort count desc
| fields _time count app type id severity subject data
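Added example (not from the original page): the two searches above mirrored in Python over constructed sample events, so the rows the stats pipeline produces can be checked before running it against the index. The helper names (index_name, stats_by_group), the sample events and their field values are assumptions; only the field names come from the queries on the page.

```python
from collections import Counter

# Constructed sample events in the page's system-log shape, oldest first
# (the order in which a chronological search would feed them into stats).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "app": "kommunalpro", "type": "alarm", "severity": "high",
     "id": "DB-001", "subject": "Database unreachable", "data": "timeout after 30s"},
    {"_time": 1700000060, "app": "kommunalpro", "type": "info", "severity": "low",
     "id": "UI-007", "subject": "User logged in", "data": "-"},
    {"_time": 1700000120, "app": "kommunalpro", "type": "alarm", "severity": "high",
     "id": "DB-001", "subject": "Database unreachable", "data": "timeout after 30s"},
    {"_time": 1700000180, "app": "kommunalpro", "type": "alert", "severity": "medium",
     "id": "AUTH-003", "subject": "Repeated failed logins", "data": "5 attempts"},
]
GROUP_FIELDS = ("app", "id", "type", "severity", "subject", "data")


def index_name(environment: str, vendor: str, app: str) -> str:
    """Index name per the page's pattern (hypothetical helper):
    {environment}_k8s_{Vendor Short Name}-{Application Short Name}_application"""
    return f"{environment}_k8s_{vendor}-{app}_application"


def alarm_alert_query(index: str) -> str:
    """The page's first search, parameterised by index."""
    return (f"index={index} type=alarm OR type=alert\n"
            "| table _time, app, type, severity, id, subject, data")


def filter_alarms_alerts(events):
    """Equivalent of 'type=alarm OR type=alert'."""
    return [e for e in events if e["type"] in ("alarm", "alert")]


def stats_by_group(events):
    """Equivalent of '| stats count last(_time) as _time by <GROUP_FIELDS>
    | sort count desc'. Splunk's last() keeps the value from the last event
    fed into stats, so it is order-dependent: a default search delivers
    newest-first, which makes last(_time) the oldest occurrence; use
    latest(_time) in SPL if the newest occurrence is wanted."""
    counts, last_time = Counter(), {}
    for e in events:
        key = tuple(e[f] for f in GROUP_FIELDS)
        counts[key] += 1
        last_time[key] = e["_time"]  # overwritten by each later event
    rows = [dict(zip(GROUP_FIELDS, key), count=n, _time=last_time[key])
            for key, n in counts.items()]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    print(alarm_alert_query(index_name("prod", "medware", "kommunalpro")))
    for row in stats_by_group(filter_alarms_alerts(SAMPLE_EVENTS)):
        print(row["count"], row["_time"], row["id"], row["severity"], row["subject"])
```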
How to access usage in Splunk
Derived from the audit log, it is possible (with proper privileges) to make reports covering the usage of the system. See Logging model | Usage log.
However, because this information is in the audit log, it is under strict access control in the production environment, and access to it is limited.
Are there any standard Splunk reports?
Several standard reports in Splunk can be found under Splunk Reports (prod), and dashboards under Splunk Dashboards (prod).