Splunk® Enterprise

Data Model and Pivot Tutorial

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Define a root dataset for the data model

In the last topic, you created the data model called Buttercup Games.

This topic walks you through adding a root dataset for Buttercup Games purchases.

Add a root dataset

  1. From the Data Models list, click Buttercup Games.
    This opens the Buttercup Games dataset in the editor page. You use the editor page to design a new data model or redesign an existing data model. You can create datasets for your data model, define their constraints and fields, arrange them in logical dataset hierarchies, and maintain them.

    Data models are typically composed of dataset hierarchies built on root event datasets. Each root event dataset represents a set of data that is defined by a constraint, which is a simple search that filters out events that are not relevant to the dataset. For more information about root event datasets and root search datasets, see Design data models.

    Let's create a dataset to track purchase requests on the Buttercup Games website.
  2. To define the first event base dataset for the data model, click Add Dataset. Your first root dataset can be either a Root event or a Root search.
  3. Select Root event. The Add Event Dataset editor opens.
  4. For Dataset Name, type Purchase Requests. The Dataset Name field can accept any character, including spaces.
  5. Optional. The Dataset ID field is automatically populated when you type in the Dataset Name. The value Purchase_Requests should appear in the field.

    The Dataset ID must be a unique identifier for the dataset. The ID can be comprised of alphanumeric, underscore, or hyphen (a-z, A-Z, 0-9, _, or -) characters. Spaces are not allowed.

    After you add the dataset, you cannot change the Dataset ID.

  6. In the Constraints field, type this search constraint: sourcetype=access_* action=purchase.
    This constraint limits the dataset to events that are web access page requests that are purchase events.
  7. Click Preview to test whether the constraints you have specified return the events that you want.
  8. Click Save. The fields are added to the dataset under the INHERITED field category. The list of fields for the root dataset includes: _time, host, source, and sourcetype. If you want to add child datasets to client and server errors, you need to edit the fields list to include additional fields.
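
The following added example (not part of the Splunk documentation or product code) models what steps 4 through 7 do: it derives and validates a Dataset ID and applies the constraint as an AND of field=value terms with * wildcards to a few events. The function names, the case-insensitive value matching, the space-to-underscore rule, and the sample events are assumptions made for illustration; the real search language supports far more than this.

```python
import re

# Dataset ID rule stated on the page: a-z, A-Z, 0-9, _ or -; spaces are not allowed.
DATASET_ID_RE = re.compile(r"[A-Za-z0-9_-]+")

def is_valid_dataset_id(dataset_id):
    return DATASET_ID_RE.fullmatch(dataset_id) is not None

def suggest_dataset_id(dataset_name):
    # Assumption: spaces become underscores, as in the page's single example.
    candidate = dataset_name.strip().replace(" ", "_")
    if not is_valid_dataset_id(candidate):
        raise ValueError(f"cannot derive a valid Dataset ID from {dataset_name!r}")
    return candidate

def parse_constraint(constraint):
    # Split "field=value field=value" into (field, regex) pairs; terms are ANDed.
    terms = []
    for token in constraint.split():
        field, sep, pattern = token.partition("=")
        if not (sep and field and pattern):
            raise ValueError(f"unsupported constraint term: {token!r}")
        # "*" is the only wildcard; everything else is matched literally.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        terms.append((field, re.compile(regex, re.IGNORECASE)))
    return terms

def filter_root_dataset(events, constraint):
    # Keep only events in which every constrained field exists and matches.
    terms = parse_constraint(constraint)
    return [
        event for event in events
        if all(f in event and rx.fullmatch(str(event[f])) for f, rx in terms)
    ]

# Constructed sample events (not taken from the tutorial data).
SAMPLE_EVENTS = [
    {"host": "www1", "sourcetype": "access_combined_wcookie", "action": "purchase"},
    {"host": "www2", "sourcetype": "access_combined_wcookie", "action": "addtocart"},
    {"host": "mailsv", "sourcetype": "secure", "action": "purchase"},
    {"host": "www3", "sourcetype": "access_combined"},
]

if __name__ == "__main__":
    print(suggest_dataset_id("Purchase Requests"))
    for event in filter_root_dataset(SAMPLE_EVENTS, "sourcetype=access_* action=purchase"):
        print(event)
```

Only the first sample event survives the filter: the others fail on the action value, the sourcetype prefix, or a missing action field, which is the kind of result the Preview step lets you confirm before saving.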

Next steps

Continue to the next topic to add more fields to the Purchase Requests dataset.

Last modified on 16 February, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
