Splunk® Enterprise

Data Model and Pivot Tutorial


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.

Load the tutorial data

This topic walks you through downloading the tutorial data set and adding it to your Splunk deployment. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.

Download the sample data file

This tutorial uses a fictitious game store, called Buttercup Games, that sells games and related items in an online store.

You must download the compressed data file to use with this tutorial. The compressed data file contains web access log files, secure formatted log files, and sales log files for the Buttercup Games store. The tutorialdata.zip file is updated daily and contains events that are timestamped for the previous 7 days.

Do not uncompress the file.

Add the sample data

  1. Log into your Splunk deployment. If you are not in Splunk Home, click the Splunk logo on the Splunk bar to go to Splunk Home.
  2. Under Explore Splunk Enterprise, click Add data. (Note: If your Splunk deployment is an e-commerce Splunk Cloud deployment, choose Settings and click Add Data. The Add Data option does not appear if your deployment is a managed Splunk Cloud deployment. In this case you must use forwarding to add the tutorial data.)
    The Add Data view displays three options for adding data, lists of common data types, and add-ons you can use to extend Splunk Enterprise's capabilities to add data.

  3. Under "How do you want to add data?", click Upload.

  4. Under Select Source, click Select File to browse for the tutorial data or Drop the data file into the outlined box.
    Because the tutorial data file is an archived data file, the next step in the Add Data workflow changes from Set Sourcetype to Input Settings.
  5. Click Next to continue to Input Settings. Under Input Settings, you can override the default settings for Host, Source type, and Index.

  6. Modify the host settings to assign host names using a portion of the path name:
  7. Select Segment in path from the menu.
  8. Type in 1 for the segment number.
  9. Click Next to Review your input settings.

  10. Click Submit.

  11. To confirm that the data added successfully, click Start Searching. This opens the Search view and runs a search for the tutorial data source.
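
To preview which host values the Segment in path setting with segment number 1 would produce before you upload, this added example (not part of the Splunk documentation) reads an archive's file listing without uncompressing it. It assumes segments are counted from 1 over each file's directory path inside the archive; the sample archive and its directory names are constructed.

```python
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath


def host_for_member(member_path, segment=1):
    """Return the directory segment (counted from 1) used as host, else None."""
    parts = PurePosixPath(member_path).parts
    dirs = [p for p in parts[:-1] if p != "/"]  # drop file name and any root
    if ".." in parts or not 1 <= segment <= len(dirs):
        return None  # traversal-style path, or no directory at that depth
    return dirs[segment - 1]


def preview_hosts(archive, segment=1):
    """Read only the archive's file listing; nothing is extracted to disk.

    Returns (Counter of host -> file count, list of members with no host).
    """
    hosts, unassigned = Counter(), []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            host = host_for_member(info.filename, segment)
            if host is None:
                unassigned.append(info.filename)
            else:
                hosts[host] += 1
    return hosts, unassigned


def build_sample_archive():
    """Constructed stand-in for the tutorial archive (names are made up)."""
    names = ("web1/access.log", "web2/access.log", "web2/secure.log",
             "mail1/secure.log", "sales1/sales.log", "README.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed sample event\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    hosts, unassigned = preview_hosts(build_sample_archive(), segment=1)
    for host, count in sorted(hosts.items()):
        print(f"{host}: {count} file(s)")
    print("no directory at that segment:", unassigned)
```

Files listed as having no directory at the chosen segment are the ones to check in the Review step, because their host value will not come from the path.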

Next steps

Some of the examples in this tutorial require data from external lookup tables. Now that you have added data to your Splunk deployment, the next topic walks you through adding the lookup tables.

Last modified on 15 December, 2020

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
