Splunk® Enterprise

Data Model and Pivot Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Define a root dataset for the data model

In the last topic, you created the data model called Buttercup Games.

This topic walks you through adding a root dataset for Buttercup Games purchases.

Add a root dataset

  1. From the Data Models list, click Buttercup Games. This opens the Buttercup Games dataset in the editor page. You use the editor page to design a new data model or redesign an existing data model. You can create datasets for your data model, define their constraints and fields, arrange them in logical dataset hierarchies, and maintain them.

Data models are typically composed of dataset hierarchies built on root event datasets. Each root event dataset represents a set of data that is defined by a constraint, which is a simple search that filters out events that are not relevant to the dataset. For more information about root event datasets and root search datasets see Design data models.

Let's create a dataset to track purchase requests on the Buttercup Games website.

  1. To define the data model's first event base dataset, click Add Dataset.
    Your first root dataset can be either a Root event or a Root search.
  2. Select Root event. This takes you to the Add Event Dataset editor.

  3. Enter the Dataset Name: Purchase Requests. The Dataset Name field can accept any character, as well as spaces. It's what you'll see on the Choose a Dataset page and other places where data model datasets are listed.
  4. Enter the Dataset ID: Purchase_Requests. This should automatically populate when you type in the Dataset Name. You can edit it if you want to change it. The Dataset ID must be a unique identifier for the dataset. It cannot contain spaces or any characters that aren't alphanumeric, underscores, or hyphens (a-z, A-Z, 0-9, _, or -). Spaces between characters are also not allowed. Once you save the Dataset ID value, you can't edit it.
  5. Enter the following search Constraints:
       sourcetype=access_* action=purchase
    This defines the web access page requests that are purchase events. After you provide Constraints for the event base dataset, you can click Preview to test whether the constraints you've supplied return the kinds of events you want.
  6. Click Save. The list of fields for the root dataset includes: host, source, sourcetype, and _time. If you want to add child datasets to client and server errors, you need to edit the fields list to include additional fields.
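
The following sketch is an added example, not Splunk code or part of the original tutorial. It models the Dataset ID character rule from step 4 and shows which events a constraint like the one in step 5 keeps in the root dataset. The helper names, the simplified matching (field=value terms joined by an implicit AND, * as the only wildcard) and the sample events are assumptions constructed for illustration.

```python
import re

# Step 4 rule: a Dataset ID may contain only a-z, A-Z, 0-9, _ and -.
DATASET_ID_RE = re.compile(r"[A-Za-z0-9_-]+")

def valid_dataset_id(dataset_id):
    return DATASET_ID_RE.fullmatch(dataset_id) is not None

def suggest_dataset_id(dataset_name):
    # Hypothetical helper: replace each run of disallowed characters with "_".
    return re.sub(r"[^A-Za-z0-9_-]+", "_", dataset_name.strip())

def parse_constraint(constraint):
    """Turn 'field=value field=value' into (field, compiled pattern) pairs."""
    terms = []
    for term in constraint.split():
        field, sep, value = term.partition("=")
        if not (sep and field and value):
            raise ValueError(f"unsupported constraint term: {term!r}")
        # "*" matches any run of characters; values compare case-insensitively.
        regex = ".*".join(re.escape(part) for part in value.split("*"))
        terms.append((field, re.compile(regex, re.IGNORECASE)))
    return terms

def root_dataset_events(events, constraint):
    """Return the events that satisfy every term of the constraint."""
    terms = parse_constraint(constraint)
    return [
        e for e in events
        if all(f in e and rx.fullmatch(e[f]) for f, rx in terms)
    ]

# Constructed sample events with fields already extracted.
SAMPLE_EVENTS = [
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "200"},
    {"sourcetype": "access_combined_wcookie", "action": "addtocart", "status": "200"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "503"},
    {"sourcetype": "secure", "action": "purchase"},              # wrong sourcetype
    {"sourcetype": "access_combined_wcookie", "status": "404"},  # no action field
]

if __name__ == "__main__":
    print(suggest_dataset_id("Purchase Requests"), valid_dataset_id("Purchase Requests"))
    for event in root_dataset_events(SAMPLE_EVENTS, "sourcetype=access_* action=purchase"):
        print(event)
```

Events that lack the action field or carry a different sourcetype fall outside the dataset, which is the kind of gap the Preview step is meant to reveal before you save.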

Next steps

Continue to the next topic to add more fields to Purchase Requests.

Last modified on 13 September, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
