Splunk® Add-on Builder

Splunk Add-on Builder User Guide

Map to data model

Version 2.2.0 and later of the Splunk Add-on Builder enables you to map the fields from your data events to the fields in any data model, including CIM data models.

  • To map your data to a CIM data model, you must install the Splunk Common Information Model add-on. Download it from Splunkbase and see Install the Splunk Common Information Model Add-on for installation details.
  • To map to your own data model, the model must follow the standard described in the Create a data model section.

Before you apply the data model mapping to your add-on, you must configure one or more source types for your add-on by creating a data input, by adding data from a sample file, or by adding indexed data from Splunk.

In Map to data model, map the fields from your data to the fields in one of the predefined data models to normalize the data at search time. To configure the mapping:

  1. On your add-on homepage, click Map to data model on the Add-on Builder navigation bar.
  2. On the Data Model Mapping page, click New Data Model Mapping.
  3. On the Data Model Mapping >> Define Event Type page, define an event type to generate events from which to extract fields:
    • Enter a name for the event type.
    • Select a source type from which to generate events.
    • Enter a search to select events. By default, the search selects all events for the source type you selected, but you can apply additional search criteria as needed.
    • Click Save.

  4. On the Data Model Mapping >> Data Model Mapping Details page, click Select Data Models.
  5. On the Data Model Mapping >> Select Data Models page, select the data model to use for mapping:
    • From the center panel, select one or more data models to use. You can also select individual datasets within a data model. Fields from your event type and fields from the selected data models are displayed for reference.
    • When you have finished selecting data models, click Done.
  6. On the Data Model Mapping >> Data Model Mapping Details page, click New Knowledge Object and select the type of mapping to create:
    • Select FIELDALIAS to map a field from the data model to a field from your event type.
    • Select EVAL to map a field from the data model to an expression based on one or more fields from your event type.
  7. Define a field alias or expression in the new row that was added to the Data Model Mapping List:
    • If you are defining a field alias, click one field name from the Data Model Fields list and one from the Event Type Fields list, and then click OK at the end of the new row in the Data Model Mapping List.
    • If you are defining an expression, click one field name from the Data Model Fields list and one or more fields from the Event Type Fields list. Edit the expression in the Event Type Field or Expression column, then click OK at the end of the new row in the Data Model Mapping List.
  8. Repeat steps 6-7 as needed.
  9. Click Done when you have finished data model mapping.


The Data Model Mapping page displays an entry for the mapping you just completed.
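The mappings you define in the UI are saved as ordinary Splunk knowledge objects in the add-on's configuration files. The following is an added illustration, not configuration generated by the Add-on Builder or taken from this page, of what a FIELDALIAS mapping and an EVAL mapping look like once written out. It assumes a hypothetical source type `example:auth` whose events carry the fields `src_ip`, `dest_host`, `username` and `result`, and maps them to the `src`, `dest`, `user` and `action` fields of the CIM Authentication data model; the event type name `example_auth_events` is also an assumption.

```ini
# props.conf (added example; source type, field names and values are assumed)
[example:auth]
# FIELDALIAS mappings: the original field stays, the data model field name is added
FIELDALIAS-src  = src_ip AS src
FIELDALIAS-dest = dest_host AS dest
FIELDALIAS-user = username AS user
# EVAL mapping: the data model field is computed from an event type field.
# CIM Authentication expects action to be "success" or "failure".
EVAL-action = if(result=="ok", "success", "failure")

# eventtypes.conf: the event type created in the Define Event Type step
[example_auth_events]
search = sourcetype="example:auth"

# tags.conf: the Authentication data model selects events by tag=authentication,
# so the event type must carry that tag for the mapped fields to appear in the model
[eventtype=example_auth_events]
authentication = enabled
```

Two caveats worth knowing before you rely on the mapping for detection content. First, Splunk applies field aliases before calculated fields at search time, so an EVAL expression may reference an aliased name, but a FIELDALIAS cannot reference a field produced by an EVAL. Second, a mapping that produces the wrong value, or that is missing the tag, fails silently: CIM-based searches simply see no events from that source type. After installing the add-on, confirm the fields populate with a search such as `| datamodel Authentication Authentication search | table _time src dest user action` and check that `action` only takes the values the data model expects.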

Learn more

For more information, see the following Splunk Enterprise documentation:


This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0
