Dataset types and usage
A dataset is a collection of data that you define and maintain for a specific business purpose. It is represented as a table, with fields for columns and field values for cells. You can view and manage datasets with the Datasets listing page.
The Splunk Datasets Add-on, available from Splunkbase, gives Splunk Enterprise users additional dataset management capabilities. Splunk Cloud users have the Splunk Datasets Add-on by default.
You can work with three dataset types. Two of these dataset types, lookups and data models, are existing knowledge objects that have been part of the Splunk platform for a long time. Table datasets, or tables, are a new dataset type that you can create and maintain in Splunk Cloud, or in Splunk Enterprise after you download and install the Splunk Datasets Add-on.
Use the Datasets listing page to view and manage your datasets. See View and manage datasets.
Lookups
The Datasets listing page displays two categories of lookup datasets: lookup table files and lookup definitions. It lists lookup table files for .csv lookups and lookup definitions for .csv lookups and KV Store lookups. Other types of lookups, such as external lookups and geospatial lookups, are not listed as datasets.
You upload lookup table files and create file-based lookup definitions through the Lookups pages in Settings. See About lookups.
Data model datasets
Data models are made up of one or more data model datasets. When a data model is composed of multiple datasets, those datasets can be arranged hierarchically, with a root dataset at the top and child datasets beneath it. In data model dataset hierarchies, child datasets inherit fields from their parent dataset but can also have additional fields of their own.
You create and edit data model dataset definitions with the Data Model Editor. See About data models.
Note: In previous versions of the Splunk platform, data model datasets were called data model objects.
Table datasets
Table datasets, or tables, are focused, curated collections of event data that you design for a specific business purpose. You can derive their initial data from a simple search, a combination of indexes and source types, or an existing dataset of any type. For example, you could create a new table dataset whose initial data comes from a specific data model dataset. After this new dataset is created, you can modify it by updating field names, adding fields, and more.
You define and maintain table datasets with the Table Editor, which translates sophisticated search commands into simple UI editor interactions. It is easy to use, even if you have minimal knowledge of the Splunk Search Processing Language (SPL).
The Splunk Datasets Add-on gives you the ability to create and edit table datasets. See Table datasets and the Table Editor.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.2.2, 7.2.3