Splunk® Enterprise

Data Model and Pivot Tutorial

Load the tutorial data

This topic walks you through downloading the tutorial data set and adding it to Splunk Enterprise. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.

Download the sample data file

This tutorial uses a fictitious game store, called Buttercup Games, that sells games and related items in an online store.

You must download the compressed data file to use with this tutorial. The compressed data file contains web access log files, secure formatted log files, and sales log files for the Buttercup Games store. The tutorialdata.zip file is updated daily and contains events that are timestamped for the previous 7 days.

Do not uncompress the file.

Add the sample data

  1. Log into your Splunk deployment. If you are not in Splunk Home, click the Splunk logo on the Splunk bar to go to Splunk Home.
  2. Under Explore Splunk Enterprise, click Add data. (Note: If your Splunk deployment is a self-service Splunk Cloud deployment, choose Settings and click Add Data. The Add Data option does not appear if your deployment is a managed Splunk Cloud deployment. In this case you must use forwarding to add the tutorial data.)
    The Add Data view displays three options for adding data, lists of common data types, and add-ons you can use to extend Splunk Enterprise's capabilities to add data.

  3. Under "How do you want to add data?", click Upload.

  4. Under Select Source, click Select File to browse for the tutorial data or Drop the data file into the outlined box.
    Because the tutorial data file is an archived data file, the next step in the Add Data workflow changes from Set Sourcetype to Input Settings.
  5. Click Next to continue to Input Settings. Under Input Settings, you can override the default settings for Host, Source type, and Index.

  6. Modify the host settings to assign host names using a portion of the path name:
  7. Select Segment in path from the menu.
  8. Type in 1 for the segment number.
  9. Click Next to Review your input settings.

  10. Click Submit.

  11. To confirm that the data added successfully, click Start Searching. This opens the Search view and runs a search for the tutorial data source.
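The host setting in steps 6 through 8 decides which `host` value every event carries, so it is worth previewing before you click Submit. The following sketch is an added example, not part of the Splunk documentation or product code: it reads the archive without uncompressing it and groups members by the path segment that would become the host. It assumes segments are counted 1-based over the directory components of each member path inside the archive, ignoring a leading `./`; the function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath


def preview_hosts(archive, segment=1):
    """Map each would-be host value to the archive members that yield it.

    Assumption: segments are counted 1-based over the directory components
    of each member path inside the archive, ignoring a leading "./".
    Members with too few directory segments are grouped under None, which
    flags files whose host would not come from the path.
    """
    hosts = defaultdict(list)
    with zipfile.ZipFile(archive) as zf:  # reads the index only, no extraction
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = [p for p in PurePosixPath(info.filename).parts
                     if p not in (".", "/")]
            dirs = parts[:-1]  # the last component is the file name
            host = dirs[segment - 1] if 0 < segment <= len(dirs) else None
            hosts[host].append(info.filename)
    return dict(hosts)


def build_sample_archive():
    """Constructed in-memory archive; the member names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("web-a/access.log", "web-a/secure.log",
                     "web-b/access.log", "sales-c/vendor_sales.log",
                     "README.txt"):
            zf.writestr(name, "constructed sample line\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    preview = preview_hosts(build_sample_archive(), segment=1)
    for host, members in preview.items():
        print(host, "->", members)
```

To check a real download, pass the path to the compressed file instead of the constructed archive; any members listed under `None` would not receive a host name from the path at that segment number.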

Next steps

Some of the examples in this tutorial require data from external lookup tables. Now that you have added data to Splunk Enterprise, the next topic walks you through adding the lookup tables.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8


Comments

I cannot get past step 7. The progress bar loads and stays at 100% for the tutorial data. I left it for a while (30 minutes) but the bar is still there. I shut down the application and reopened it and there isn't any data there. I used both an IE browser and Chrome and Firefox. I tried the recommendation from a search but same issue.

Agehl
November 10, 2015
