Splunk® Enterprise

Data Model and Pivot Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Edit attributes list

Add automatically extracted attributes

1. In the Buttercup Games object editor, click Add Attribute.

6.2tutorial datamodel addattr.png

2. Select Auto-Extracted.

The Add Auto-Extracted Field window opens.

6.2tutorial datamodel addattr auto1.png

The Auto-extract attribute type is an extracted field that is recognized automatically (such as a default or indexed field) or a search-time field extraction that you have defined in Splunk Web on the Settings > Fields > Field Extractions page or, if you are using Splunk Enterprise, by editing the props.conf and transforms.conf files.

3. Scroll through the list of automatically extracted fields and check the action, categoryId, productId, and status fields.

6.2tutorial datamodel addattr auto2.png

For the field status, under Type, make sure the data type is Number and you can leave it as Optional.
Object attributes can be Required, Optional, Hidden, or Hidden & Required.
Optional means that the attribute doesn't have to appear in every event represented by the object. The attribute may appear in some of the object events and not others.

4. Click Save.

6.3 Tutorial datamodel editattr2.png

Add lookup attributes from lookup tables

Creating a lookup attribute requires at least one lookup definition defined in the Lookups manager. The lookup definition tells Splunk software where the lookup table is and how to connect to it. Once the lookup definition is in place, Splunk software can match the values of the attribute you choose to values of a field in the lookup table and then return corresponding field/value combinations and apply them to your object as lookup attributes.

Note: The field lookup has to be uploaded and defined prior to editing this data model object. You should have already added the prices.csv lookup table and defined the price_lookup. If not, return to the earlier topic and do so, before you continue.

Also, lookup attributes are added from lookup definitions that are not automatic. If you define an automatic lookup, then the fields will already be added to the events. In this case, they can be added as Auto-Extracted attributes.

1. Return to the the Buttercup Games object editor for the Purchase Requests object.

2. Click Add Attribute and select Lookup.

This opens the Add Attributes with a Lookup page.

3. For Lookup Table, select prices_lookup.

6.2tutorial datamodel addattr lookup1.png

The prices_lookup file has descriptive product names and prices for each of the items sold on the Buttercup Games website. You need to configure a lookup attribute to add those fields to the Purchase Requests objects. The csv lookup table has header values that look like this:

productId,product_name,price,sale_price,Code

DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A

4. Under Input, select productId for the Field in lookup and Attribute.

The Field in Lookup is the name of the field used in the csv lookup table. The Attribute is the name of the field used in the event data. For this lookup, the fields have the same name.

6.2tutorial datamodel lookupinput.png

5. Under Output, select the product_name and price fields.

The output fields read from the header row of the lookup table are listed under Field Names. You can type in a Display Name for each fields. This display name is the name used for the field in your events.
Because productId is the field used to match between the events and lookup table, you cannot change its display name.

6. For product_name, enter the Display Name "productName". For price, enter the Display Name "price" and ensure that the Type is set to Number.

6.2tutorial datamodel lookupoutput.png

7. Click Preview to review the fields you want to add.

Use the tabs to view the Events in a table, or view the values of each of the fields you selected in Output. For example, the screenshot shows the values of productName.

6.2tutorial datamodel lookuppreview.png

8. Click Save.

6.3 Tutorial datamodel attrlist3.png

Next steps

Now, that you've created the root object and added the required attributes, you can add child objects.

PREVIOUS
Define a root object for the data model
  NEXT
Define child objects

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters