Splunk® Enterprise

Data Model and Pivot Tutorial

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Define child datasets

A child dataset inherits all of the constraints and fields that belong to its parent dataset. When you define a new child dataset, you give it one or more additional constraints, to further focus the dataset.

In the previous topic, you added a root dataset called Purchase Requests to track purchases on the Buttercup Games website. Now you want to add child datasets for tracking successful and failed purchases.

Add a child dataset

  1. In the Buttercup Games dataset editor page, click Add Dataset and select Child.
    This opens an editor window, Add Child Dataset.
  2. On the Add Child Dataset page, for Dataset Name type Successful Purchases.
  3. The Dataset ID field should show Successful_Purchases. For this tutorial, you are not going to change the Dataset ID. As with the Dataset ID for the root dataset, the ID cannot be changed after you save the dataset.
  4. For Inherit From select Purchase Requests from the list.
    This setting tells the child dataset which parent dataset to inherit the fields and constraints from.
  5. In the Additional Constraints field, type status=200.
    This status code is for successful purchases. The search for the events in this dataset will look something like this:

    sourcetype=access_* action=purchase status=200

  6. Optional. You can click Preview to see the events that are returned.
  7. Click Save.
    The Buttercup Games dataset editor page shows that the Successful Purchases child dataset is added to the Purchase Requests root dataset.

Add a second child dataset

  1. In the Buttercup Games dataset editor page, click Add Dataset and select Child.
  2. On the Add Child Dataset page, for Dataset Name type Failed Purchases.
  3. The Dataset ID field should show Failed_Purchases. For this tutorial, you are not going to change the Dataset ID.
  4. For Inherit From, make sure that Purchase Requests is selected.
  5. In the Additional Constraints field, type status=40* OR status=50*.
    These status codes are for server or system errors, which result in failed purchases. The search for the events in this dataset will look something like this:

    sourcetype=access_* action=purchase status=40* OR status=50*

  6. Optional. You can click Preview to see the events that are returned.
  7. Click Save.
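
The following is an added example, not part of the Splunk tutorial or Splunk code. It is a simplified Python model of how the two child datasets combine the constraints inherited from Purchase Requests with their own additional constraints, and it shows which purchase events land in neither child. The parent constraints are inferred from the searches shown above; the sample events, the function names, and the use of fnmatch for wildcard matching are assumptions.

```python
from fnmatch import fnmatchcase

# A dataset's constraints are AND-ed clauses; each clause is a list of
# OR-ed (field, wildcard pattern) pairs. Names follow the tutorial.
DATASETS = {
    "Purchase Requests": {"parent": None, "constraints": [
        [("sourcetype", "access_*")], [("action", "purchase")]]},
    "Successful Purchases": {"parent": "Purchase Requests", "constraints": [
        [("status", "200")]]},
    "Failed Purchases": {"parent": "Purchase Requests", "constraints": [
        [("status", "40*"), ("status", "50*")]]},
}

def effective_constraints(name):
    """Inherited parent constraints followed by the dataset's own."""
    ds = DATASETS[name]
    inherited = effective_constraints(ds["parent"]) if ds["parent"] else []
    return inherited + ds["constraints"]

def matches(event, name):
    """True when every AND-ed clause has at least one matching alternative."""
    return all(
        any(fnmatchcase(str(event.get(f, "")), pat) for f, pat in clause)
        for clause in effective_constraints(name)
    )

def classify(event):
    """Names of all datasets the event belongs to, root first."""
    return [name for name in DATASETS if matches(event, name)]

def uncovered(events):
    """Purchase requests that match the root but neither child dataset."""
    return [e for e in events if classify(e) == ["Purchase Requests"]]

# Constructed sample events (not taken from the tutorial data).
EVENTS = [
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "200"},
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "503"},
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "404"},
    {"sourcetype": "access_combined_wcookie", "action": "purchase", "status": "302"},
    {"sourcetype": "access_combined_wcookie", "action": "addtocart", "status": "200"},
    {"sourcetype": "secure", "action": "purchase", "status": "200"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["sourcetype"], e["action"], e["status"], "->", classify(e))
    print("in root only:", [e["status"] for e in uncovered(EVENTS)])
```

A purchase event with a status outside 200, 40* and 50* (302 in the constructed data) belongs to the root dataset only, so a report built on the two child datasets alone would not count it.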

Next steps

Now that you've created data models, you can generate pivot reports. Continue to the next chapter to learn about Pivot and how to create pivot reports.

Last modified on 16 February, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

