Splunk® Enterprise

Data Model and Pivot Tutorial


Define child datasets

A child dataset inherits all of the constraints and fields that belong to its parent dataset. When you define a new child dataset, you give it one or more additional constraints, to further focus the dataset.

In the previous topic, you added a root dataset called Purchase Requests to track purchases on the Buttercup Games website. Now you want to add child datasets for tracking successful and failed purchases.

Add a child dataset

  1. In the Buttercup Games dataset editor page, click Add Dataset and select Child.
    This opens an editor window, Add Child Dataset.
  2. On the Add Child Dataset page, for Dataset Name type Successful Purchases.
  3. The Dataset ID field should show Successful_Purchases. For this tutorial, you are not going to change the Dataset ID. As with the Dataset ID for the root dataset, the ID cannot be changed after you save the dataset.
  4. For Inherit From select Purchase Requests from the list.
    This setting tells the child dataset which parent dataset to inherit the fields and constraints from.
  5. In the Additional Constraints field, type status=200.
    This status code is for successful purchases. The search for the events in this dataset will look something like this:

    sourcetype=access_* action=purchase status=200

  6. Optional. You can click Preview to see the events that are returned.
  7. Click Save.
    The Buttercup Games dataset editor page shows that the Successful Purchases child dataset is added to the Purchase Requests root dataset.

Add a second child dataset

  1. In the Buttercup Games dataset editor page, click Add Dataset and select Child.
  2. On the Add Child Dataset page, for Dataset Name type Failed Purchases.
  3. The Dataset ID field should show Failed_Purchases. For this tutorial, you are not going to change the Dataset ID.
  4. For Inherit From, make sure that Purchase Requests is selected.
  5. In the Additional Constraints field, type status=40* OR status=50*.
    These status codes are for server or system errors, which result in failed purchases. The search for the events in this dataset will look something like this:

    sourcetype=access_* action=purchase status=40* OR status=50*

  6. Optional. You can click Preview to see the events that are returned.
  7. Click Save.
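
The following is an added example, not part of the Splunk tutorial or Splunk's own code: a simplified Python model of how the two child datasets inherit the Purchase Requests constraints and narrow them with their additional constraints. The sample events are constructed, and matching is reduced to case-insensitive wildcard comparison on field values, which is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

# Each dataset's constraints: a list of AND-ed clauses, where every clause
# is a list of OR-ed (field, wildcard pattern) terms.
ROOT_NAME = "Purchase Requests"
ROOT = [[("sourcetype", "access_*")], [("action", "purchase")]]
CHILDREN = {
    "Successful Purchases": [[("status", "200")]],
    "Failed Purchases": [[("status", "40*"), ("status", "50*")]],
}


def matches(event, clauses):
    """True when every clause has at least one term matching the event."""
    return all(
        any(fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
            for field, pattern in clause)
        for clause in clauses
    )


def classify(event):
    """Return the names of the datasets that would contain this event."""
    if not matches(event, ROOT):
        return []  # a child never sees events its parent excludes
    return [ROOT_NAME] + [name for name, extra in CHILDREN.items()
                          if matches(event, extra)]


# Constructed sample events (field values only, not real log lines).
SAMPLES = [
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "200"},
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "503"},
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "302"},
    {"sourcetype": "access_combined_wcookie", "action": "view", "status": "404"},
    {"sourcetype": "secure", "action": "purchase", "status": "200"},
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(event["status"], event["action"], "->", classify(event) or "no dataset")
```

The purchase event with status 302 lands in Purchase Requests but in neither child dataset, so the two children together do not account for every purchase request.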

Next steps

Now that you've created data models, you can generate pivot reports. Continue to the next chapter to learn about Pivot and how to create pivot reports.


This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9

