Splunk® Enterprise

Data Model and Pivot Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Define a root object for the data model

In the last topic, you created the data model "Buttercup Games".

This topic walks you through adding a root object for Buttercup Games purchases.

Edit data model objects

1. From the Data Models list, click Buttercup Games.

This opens the Buttercup Games object editor view.

6.2tutorial datamodel select.png


Use the Edit Objects page to design a new data model or redesign an existing data model. On the Edit Objects page, you can create objects for your data model, define their constraints and attributes, arrange them in logical object hierarchies, and maintain them.

Add a root object

Data models are typically composed of object hierarchies built on root event objects. Each root event object represents a set of data that is defined by a constraint, which is a simple search that filters out events that are not relevant to the object. For more information about root event objects and root search objects see Design data models and objects in the Knowledge Manager Manual.

Let's create an object to track purchase requests on the Buttercup Games website.


1. To define the data model's first event base object, click Add Object.

6.2tutorial datamodel addeventobject.png


Your first root object can be either a Root event or Root search.

2. Select Root event.

This takes you to the Add Event Object editor.

6.2tutorial datamodel addeventobject2.png


3. Enter the Object Name: Purchase Requests

The Object Name field can accept any character, as well as spaces. It's what you'll see on the Choose an Object page and other places where data model objects are listed.

4. Enter the Object ID: Purchase_Requests

This should automatically populate when you type in the Object Name. You can edit it if you want to change it.

The Object ID must be a unique identifier for the object. It cannot contain spaces or any characters that aren't alphanumeric, underscores, or hyphens (a-z, A-Z, 0-9, _, or -). Spaces between characters are also not allowed. Once you save the Object ID value, you can't edit it.

5. Enter the following search Constraints: sourcetype=access_* action=purchase

This defines the web access page requests that are purchase events.

After you provide Constraints for the event base object you can click Preview to test whether the constraints you've supplied return the kinds of events you want.

6.2tutorial datamodel previewevents.png


6. Click Save.

6.3 Tutorial pivot attrlist.png


The list of attributes for the root object include: host, source, sourcetype, and _time. If you want to add child objects to client and server errors, you need to edit the attributes list to include additional attributes.

Next steps

Continue to the next topic to add more attributes to Purchase Requests.

PREVIOUS
Create a new data model
  NEXT
Edit attributes list

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Comments

Hi IKate
I added a link to the "Add a root object" section on where to get more information about root objects, including root events and root searches.

Lstewart splunk, Splunker
November 17, 2015

Please, add information about Root Search - what is the difference with Root Event?

IKate
November 17, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters