Splunk® Enterprise

Data Model and Pivot Tutorial

Edit fields list

Add automatically extracted fields

An Auto-Extracted field is either an extracted field that is recognized automatically (such as a default or indexed field) or a search-time field extraction that you have defined, either in Splunk Web on the Field Extractions page or, if you are using Splunk Enterprise, by editing the props.conf and transforms.conf files.

  1. In the Buttercup Games dataset editor, click Add Field.
  2. Select Auto-Extracted.
  3. The Add Auto-Extracted Field window opens.
  4. Scroll through the list of automatically extracted fields and check the action, categoryId, productId, and status fields.
    • For the field status, under Type, make sure the data type is Number, and you can leave it as Optional.
    • Dataset fields can be Required, Optional, Hidden, or Hidden & Required.
    • Optional means that the field doesn't have to appear in every event represented by the dataset. The field might appear in some of the dataset events and not others.
  5. Click Save.

Add lookup fields from lookup tables

Creating a lookup field requires at least one lookup definition defined in the Lookups manager. The lookup definition tells Splunk software where the lookup table is and how to connect to it. When the lookup definition is in place, Splunk software can match the values of the field you choose to values of a field in the lookup table, and return corresponding field/value combinations and apply them to your dataset as lookup fields.

Note: The field lookup has to be uploaded and defined prior to editing this data model dataset. Verify that you added the prices.csv lookup table and defined the prices_lookup before you continue.

Lookup fields are added from lookup definitions that are not automatic. If you define an automatic lookup, then the fields will already be added to the events. In this case, they can be added as Auto-Extracted fields.

  1. Return to the Buttercup Games dataset editor for the Purchase Requests dataset.
  2. Click Add Field and select Lookup.
    The Add Fields with a Lookup page will open.
  3. For Lookup Table, select prices_lookup.
    The prices_lookup file has descriptive product names and prices for each of the items sold on the Buttercup Games website. You must configure a lookup field to add those fields to the Purchase Requests dataset. The CSV lookup table has a header row and values that look like this:

    productId,product_name,price,sale_price,Code
    DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A

  4. Under Input, select productId for Field in lookup and productId for Field in dataset.
    The field in lookup is the name of the field used in the csv lookup table. The field in dataset is the name of the field used in the event data.
  5. Under Output, select the product_name and price fields.
    The output fields read from the header row of the lookup table are listed under Field Names. You can type in a Display Name for each field. This display name is the name used for the field in your events.
    Because productId is the field used to match between the events and lookup table, you cannot change its display name.
  6. For product_name, type the Display Name "productName". For price, type the Display Name "price" and ensure that the Type is set to Number.
  7. Click Preview to review the fields you want to add.
    Use the tabs to view the Events in a table, or view the values of each of the fields you selected in Output. For example, the screenshot shows the values of productName.
  8. Click Save. You should be returned to your dataset page.
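
The following is an added example, not part of the Splunk documentation or Splunk's own code: a small Python model of what the lookup field configured above does to each event, including events whose productId has no match. The events are constructed for illustration, and exact-match semantics with one row per productId are assumptions of the model.

```python
import csv
import io

# Header and sample row as shown on this page for prices.csv.
PRICES_CSV = """productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
"""

# Settings chosen in the steps above.
FIELD_IN_LOOKUP = "productId"
FIELD_IN_DATASET = "productId"
# lookup column -> (Display Name, Type); price is set to Number.
OUTPUT_FIELDS = {"product_name": ("productName", str), "price": ("price", float)}

# Constructed sample events (not taken from the tutorial data).
EVENTS = [
    {"action": "purchase", "productId": "DB-SG-G01", "status": 200},
    {"action": "purchase", "productId": "XX-UNKNOWN", "status": 200},
    {"action": "view", "status": 404},
]


def load_lookup(text):
    """Index lookup rows by the input field (assumes one row per productId)."""
    return {row[FIELD_IN_LOOKUP]: row for row in csv.DictReader(io.StringIO(text))}


def apply_lookup(event, table):
    """Return a copy of the event with the selected output fields added on a match."""
    enriched = dict(event)
    row = table.get(event.get(FIELD_IN_DATASET))
    if row is None:
        # No match: the event is kept and the lookup fields are simply absent.
        return enriched
    for column, (display_name, cast) in OUTPUT_FIELDS.items():
        enriched[display_name] = cast(row[column])
    return enriched


def enrich_all():
    table = load_lookup(PRICES_CSV)
    return [apply_lookup(event, table) for event in EVENTS]


if __name__ == "__main__":
    for event in enrich_all():
        print(event)
```

Only the selected output columns reach the event, under their display names; sale_price and Code are never added, and unmatched events pass through unchanged.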

Next steps

Add child datasets.

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

