Create a new data model
From version 2.2.0, Splunk Add-on Builder lets you map data events to data models that you create.
You can design and maintain data models and use them in Splunk Add-on Builder. Splunk recommends that you create the data model in Splunk Web first and then modify the data model JSON file to follow the Add-on Builder standard.
To create data models that Splunk Add-on Builder can use, you need to understand:
- What data models are and how to create a data model in the Splunk platform.
- The format and semantics of indexed data, along with familiarity with the Splunk search language. In building a typical data model, knowledge managers use knowledge object types such as lookups, transactions, search-time field extractions, and calculated fields.
- The data model standard of Splunk Add-on Builder. See Syntax of data model for details.
Make sure you have sufficient access permissions to any files you place in your add-on directory.
Syntax of data model
After you build a data model using Splunk Web, the generated JSON file cannot be used by Splunk Add-on Builder directly. Add the following fields to the existing JSON file.
- Syntax: $.objects[*].comment.tags
- Description: Defines the tags of the object in the data model. Event types that have the same tag(s) are mapped to this data model.
- Syntax: $.objects[*].comment.description
- Description: The description of the data model.
- Syntax: $.objects[*].fields[*].comment.description:<string>
- Description: The description of the data model field.
- Syntax: $.objects[*].fields[*].comment.expected_values:<string>
- Description: Defines the expected value(s) of the data model field. Splunk Add-on Builder verifies the expected value(s) when the user validates the add-on.
Example: Create a data model named test
- Create the data model using Splunk Web and name it 'test'.
- Open the test.json file under $SPLUNK_HOME/etc/apps/<your_addon_folder>/default/data/models/test.json and add the fields required by Splunk Add-on Builder, as described under Syntax of data model.
- Save the file and then restart Splunk.
- The data model you create will be listed on the Select Data Models page. Follow the instructions on how to map to a data model.
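A pre-restart check for the four fields listed under Syntax of data model, as an added example that is not part of the Splunk documentation or of Add-on Builder itself. The sample model is constructed, and the check assumes that all four fields are wanted on every object and field and that a `comment` left as a plain string counts as unset.

```python
import json

# Constructed sample: a data model named "test" with one object annotated
# for Add-on Builder and one left as exported (comment is an empty string).
SAMPLE = json.loads("""
{
  "modelName": "test",
  "objects": [
    {"objectName": "Auth",
     "comment": {"tags": ["authentication"], "description": "Login events"},
     "fields": [
       {"fieldName": "action",
        "comment": {"description": "Outcome",
                    "expected_values": "success,failure"}},
       {"fieldName": "user", "comment": ""}
     ]},
    {"objectName": "Raw", "comment": "", "fields": []}
  ]
}
""")

def _missing(comment, keys, path):
    """Return the JSONPaths under `path` whose value is absent or empty."""
    if not isinstance(comment, dict):   # "" or missing: nothing is set yet
        comment = {}
    return [f"{path}.comment.{k}" for k in keys if not comment.get(k)]

def check_model(model):
    """List every Add-on Builder field from the syntax list the model lacks."""
    problems = []
    for i, obj in enumerate(model.get("objects", [])):
        opath = f"$.objects[{i}]"
        problems += _missing(obj.get("comment"), ("tags", "description"), opath)
        for j, field in enumerate(obj.get("fields", [])):
            problems += _missing(field.get("comment"),
                                 ("description", "expected_values"),
                                 f"{opath}.fields[{j}]")
    return problems

if __name__ == "__main__":
    # To check a real file, load it with json.load() and pass the result in.
    for path in check_model(SAMPLE):
        print("missing:", path)
```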
This documentation applies to the following versions of Splunk® Add-on Builder: 4.1.1, 4.1.2, 4.1.3