Splunk® Enterprise

Data Model and Pivot Tutorial



Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Edit fields list

Add automatically extracted fields

The Auto-extract field type is an extracted field that is recognized automatically (such as a default or indexed field) or a search-time field extraction that you have defined in Splunk Web on the Field Extractions page or, if you are using Splunk Enterprise, by editing the props.conf and transforms.conf files.

  1. In the Buttercup Games dataset editor, click Add Field.
  2. Select Auto-Extracted.
  3. The Add Auto-Extracted Field window opens.
  4. Scroll through the list of automatically extracted fields and check the following fields:
    • action
    • categoryId
    • productId
    • status

    For each field you check, the data type of the field is displayed. For example, the status field should show Number for the data type.

    You can designate that dataset fields be Required, Optional, Hidden, or Hidden & Required. Optional means that the field does not need to appear in every event represented by the dataset. The field might appear in some of the dataset events and not others. The default is Optional, which is the setting you want for these fields.
  5. Click Save. The fields are added to the dataset under the EXTRACTED field category.

Add lookup fields to the dataset

Creating a lookup field requires at least one lookup definition defined in the Lookups manager. The lookup definition tells Splunk software where the lookup table is and how to connect to it. When the lookup definition is in place, Splunk software can match the values of a field in your events to the values of a field in the lookup table. The corresponding field/value combinations are applied to your dataset as lookup fields.

Prerequisite

The field lookup must be uploaded and defined before you edit the data model dataset. Verify that you added the prices.csv lookup table and defined the price_lookup in Part 1 of this tutorial. See Add lookup files.
If you define an automatic lookup, then the fields are already added to the events. You must then add the lookup fields as automatically extracted fields.

If you do not define an automatic lookup, use the following steps to add the lookup fields to the dataset.

  1. You should still be in the Buttercup Games dataset editor with the Purchase Requests dataset displayed.
  2. Click Add Field and select Lookup.
  3. For Lookup Table, select prices_lookup.
    The prices_lookup file has descriptive product names and prices for each of the items sold on the Buttercup Games website. The lookup table has headers and values like the following sample:

    productId,product_name,price,sale_price,Code
    DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A

    You can specify the input and output fields.

  4. Under Input, for the Field in Lookup, productId should already be selected.
    The Field in Lookup is the name of the field used in the CSV lookup table.
  5. For the Field in Dataset, select productId.
    The Field in Dataset is the name of the field used in the event data.
  6. Under Output, check the product_name and price fields.
    The output fields, taken from the header row of the lookup table, are listed under Field Names. You can specify a Display Name for each field. This display name is the name used for the field in your events.
    Because productId is the field used to match between the events and lookup table, you cannot change its display name.
  7. For product_name, in the Display Name field type productName.
  8. For price, in the Display Name field type price. Ensure that the Type is set to Number.
  9. Click Preview to review the fields that you want to add.
    Scroll down to see the preview. Use the Events tab to view the events in a table. There are also tabs for each of the fields you specified as output fields. In this tutorial you specified productName and price as the output fields.
  10. Click Save. The lookup fields are added to the dataset under the CALCULATED field category.
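
The match that the Lookup field performs can be checked from the search bar, as in this added example, which is not part of the Splunk tutorial. The base search sourcetype=access_* is an assumption about how the tutorial data is indexed, and price_num, events, matched, numeric_prices, unmatched and non_numeric are names made up for the check. The search lists every productId whose events get no productName from prices_lookup, or whose returned price does not convert to a number.

```spl
sourcetype=access_* productId=*
| lookup prices_lookup productId OUTPUT product_name AS productName, price
| eval price_num=tonumber(price)
| stats count AS events, count(productName) AS matched, count(price_num) AS numeric_prices BY productId
| eval unmatched=events-matched, non_numeric=matched-numeric_prices
| where unmatched>0 OR non_numeric>0
```

An empty result means every event's productId matched a row in the lookup table and every returned price is numeric.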

Next steps

Add child datasets.

Last modified on 16 February, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

