Splunk® Enterprise

Data Model and Pivot Tutorial

This documentation does not apply to the most recent version of Splunk.

Define child objects

A child object inherits all of the constraints and attributes that belong to its parent object. When you define a new child object, you give it one or more additional constraints, to further focus the dataset that the object represents.

In the previous topic, you added a root object called "Purchase Requests" to track purchases on the Buttercup Games website. This topic takes you through steps to add child objects for tracking successful and failed purchases.

Add a child object

1. In the Buttercup Games object editor page, click Add Object and select Child.


This opens an editor window, Add Child Object.


2. Enter the Object Name: Successful Purchases

3. Enter the Object ID: Successful_Purchases

4. Under Inherit From, select Purchase Requests.

This means that this child object will inherit all the attributes from the parent object, Purchase Requests.

5. Enter Additional Constraints: status=200

This means that the search for the events in this object, when expanded, will look something like this:

sourcetype=access_* action=purchase status=200

6. Click Save.


Add a second child object

Follow steps 1-6 to add another child object named "Failed Purchases", with an additional constraint that defines the status codes for failed purchases.


Failed purchases can be defined as all status codes that are not successful (status!=200), or as only the client and server error codes (status=40* OR status=50*).

This child object should also Inherit From the Purchase Requests root object.
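
The following added example (not part of the Splunk tutorial) models constraint inheritance in Python and compares the two candidate Failed Purchases constraints over constructed events. The matcher is a simplified stand-in for Splunk search, and the object IDs Purchase_Requests, Failed_Not_200 and Failed_4xx_5xx are assumed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not taken from the tutorial data set).
EVENTS = [
    {"sourcetype": "access_combined", "action": "purchase", "status": "200"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "302"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "404"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "503"},
    {"sourcetype": "access_combined", "action": "purchase"},  # no status field
    {"sourcetype": "access_combined", "action": "addtocart", "status": "500"},
    {"sourcetype": "secure", "action": "purchase", "status": "404"},
]

def term(field, pattern, negate=False):
    """Model field=pattern (or field!=pattern); both need the field to exist."""
    def match(event):
        if field not in event:
            return False  # field!=value does not match events lacking the field
        return fnmatchcase(event[field], pattern) != negate
    return match

def any_of(*terms):
    """Model an OR group inside one constraint."""
    return lambda event: any(t(event) for t in terms)

# object id -> (parent id or None, the object's own constraints)
OBJECTS = {
    "Purchase_Requests": (None, [term("sourcetype", "access_*"),
                                 term("action", "purchase")]),
    "Successful_Purchases": ("Purchase_Requests", [term("status", "200")]),
    "Failed_Not_200": ("Purchase_Requests",
                       [term("status", "200", negate=True)]),
    "Failed_4xx_5xx": ("Purchase_Requests",
                       [any_of(term("status", "40*"), term("status", "50*"))]),
}

def constraints(object_id):
    """Inherited constraints first, then the object's own (all ANDed)."""
    parent, own = OBJECTS[object_id]
    return (constraints(parent) if parent else []) + own

def statuses(object_id, events=EVENTS):
    """Status values of the events that fall inside the object's dataset."""
    checks = constraints(object_id)
    return [e.get("status") for e in events if all(c(e) for c in checks)]

if __name__ == "__main__":
    for oid in OBJECTS:
        print(f"{oid:22} {statuses(oid)}")
```

In this model the 302 event lands in the status!=200 variant but not in the status=40* OR status=50* variant, and the event with no status field lands in neither child object.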


Next steps

Now that you've created data models, you can generate pivot reports. Continue to the next chapter to learn about Pivot and how to create pivot reports.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
