Splunk® Enterprise

Data Model and Pivot Tutorial

Download manual as PDF

Download topic as PDF

About the Data Model and Pivot Tutorial

This tutorial guides you through adding data to your Splunk deployment, building simple data models from this tutorial data, and creating new pivots from the data models.

Prerequisites for this tutorial

This tutorial assumes that you have access to a Splunk deployment.

If you do not have access to a Splunk deployment, you can use a trial version of the Splunk software. For instructions on downloading a trial version, installing, and starting the software, see the following topics in the Search Tutorial.

What's covered in this tutorial?

A breakdown of what you will find in each of the sections of this tutorial follows.

  • Introduction describes the pre-requisites and system requirements for completing this tutorial. It also describes Splunk Web, which is the interface for using Splunk Enterprise and Pivot.
  • Part 1: Getting data into Splunk Enterprise walks you through adding the tutorial data into Splunk Enterprise. The tutorial data, which is a sample data set composed of web server and MySQL logs for a fictional online game store, is included for download in this chapter.
  • Part 2: Building a data model walks you through creating a new data model, defining the root dataset, editing dataset fields, defining child fields.
  • Part 3: Designing a Pivot report walks you through creating and saving Pivot tables and charts.
  • Part 4: Creating dashboards walks you through creating new dashboards and adding Pivots to new and existing dashboards.

Using a PDF of the tutorial

Do not copy and paste searches or regular expressions directly from the PDF into Splunk Web. In some cases, doing so causes errors because of hidden characters that are included in the PDF formatting.

  NEXT
What you need for this tutorial

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters