Splunk® Enterprise

Data Model and Pivot Tutorial


Define child objects

In the previous topic, you added a root object called "Purchase Requests" to track purchases on the Buttercup Games website. This topic walks you through adding child objects to track successful and failed purchases.

Add a child object

A child object inherits all of the constraints and attributes that belong to its parent object. When you define a new child object, you give it one or more additional constraints, to further focus the dataset that the object represents.

Follow these steps to add a child object for "Successful Purchases":

1. In the Buttercup Games object editor page, click Add Object and select Child.

This opens an editor window, "Add Child Object".


2. Enter the Object Name: Successful Purchases

3. Enter the Object ID: Successful_Purchases

4. Under Inherit From, select Purchase Requests.

This means that this child object will inherit all the attributes from the parent object, Purchase Requests.

5. Enter Additional Constraints: status=200

This means that the search for the events in this object, when expanded, will look something like this:

sourcetype=access_* action=purchase status=200

6. Click Save.


Add a second child object

Follow steps 1-6 to add another child object named "Failed Purchases", which has the additional constraint status!=200. Under Inherit From, make sure that you select Purchase Requests.
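
The constraint inheritance described above, modelled as an added example (not Splunk's code and not part of the original tutorial). It expands each object's search from its Inherit From chain and checks whether the two children cover every parent event; because a Splunk `field!=value` term only matches events in which the field exists, a purchase event with no extracted `status` belongs to the parent but to neither child. The root Object ID `Purchase_Requests`, the sample events, and the simplified term matcher are assumptions.

```python
from fnmatch import fnmatchcase

# Tutorial objects as: object ID -> (Inherit From, additional constraints).
# "Purchase_Requests" is an assumed ID for the root object.
OBJECTS = {
    "Purchase_Requests": (None, ["sourcetype=access_*", "action=purchase"]),
    "Successful_Purchases": ("Purchase_Requests", ["status=200"]),
    "Failed_Purchases": ("Purchase_Requests", ["status!=200"]),
}

def expanded_search(obj_id):
    """Walk up the Inherit From chain; inherited constraints come first."""
    parent, own = OBJECTS[obj_id]
    return (expanded_search(parent) if parent else []) + own

def term_matches(term, event):
    """Simplified stand-in for one field=value / field!=value search term."""
    negated = "!=" in term
    field, pattern = term.split("!=" if negated else "=", 1)
    if field not in event:
        return False  # both = and != require the field to exist
    hit = fnmatchcase(str(event[field]).lower(), pattern.lower())
    return not hit if negated else hit

def members(obj_id, events):
    """Events that satisfy every constraint in the object's expanded search."""
    terms = expanded_search(obj_id)
    return [e for e in events if all(term_matches(t, e) for t in terms)]

def coverage(events):
    """Count events per object, plus parent events that no child captures."""
    counts = {obj: len(members(obj, events)) for obj in OBJECTS}
    counts["unclassified"] = (counts["Purchase_Requests"]
                              - counts["Successful_Purchases"]
                              - counts["Failed_Purchases"])
    return counts

# Constructed sample events (not taken from the tutorial data set).
EVENTS = [
    {"sourcetype": "access_combined", "action": "purchase", "status": "200"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "503"},
    {"sourcetype": "access_combined", "action": "purchase"},  # no status extracted
    {"sourcetype": "access_combined", "action": "view", "status": "200"},
    {"sourcetype": "secure", "action": "purchase", "status": "200"},
]

if __name__ == "__main__":
    print(" ".join(expanded_search("Successful_Purchases")))
    print(coverage(EVENTS))
```

A non-zero `unclassified` count means some purchase requests will never appear in a pivot built on either child object, which matters if failed purchases are being monitored.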


Next steps

Now that you've created data models, you can generate pivot reports. Continue to the next chapter to learn about Pivot and how to create pivot reports.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15
