Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Dataset extension

Dataset extension is a way to create a search, report, dataset, or other object that is built upon a reference to an existing dataset. This reference means that the object always refers to the original dataset for its foundational data. If the definition of the original dataset changes, those changes are passed down to any datasets that extend it.

Dataset extension is not the same as dataset cloning. When you clone a dataset, you create a distinct, individual dataset that is identical to the original dataset but not otherwise connected to it. When you extend a dataset, you create a dataset, report, dashboard panel, or alert that is bound to the original dataset through its reference to that dataset.

Example of extending a dataset as a report

For example, you have a dataset named Alpha. If you select Explore > Investigate in Search on the Datasets listing page for the Alpha dataset, you go to the Search view and run a search that displays the contents of Alpha. This search string uses the from command to reference Alpha. You can optionally modify the search string with additional Splunk Search Processing Language (SPL).

If you save this search string as a report named Beta, it will still have the reference back to Alpha. This means that if someone decides to make a change to Alpha, that change cascades down to the Beta report. This might cause problems in the Beta report.

For example, you might modify the search string of the Beta report with lookups and eval expressions that use fields passed down from the Alpha dataset in their definitions. If someone deletes those fields from the Alpha dataset, those lookups and eval expressions will break in the Beta report, because they require fields that no longer exist.

Dataset extension chains

If you have the Splunk Datasets Add-on installed, you can extend any dataset as a table dataset. This means that you can have chains of extended datasets. For example, you can extend dataset Alpha as dataset Beta, and then extend dataset Beta as dataset Gamma, and so on. Any change to Alpha will propagate down through the other datasets in the chain.

The Splunk Datasets Add-on enables you to understand dataset extension chains from the end of the chain, but not from the start. So to use the example in the preceding paragraph, if you are on dataset Gamma, you can see that it extends Beta, which in turn extends Alpha. But if you are looking at Alpha, you have no way of knowing which datasets were extended from it.

To learn which datasets a dataset extends

Locate the dataset in the Datasets listing page and expand its row. If it extends one or more datasets, you will find an Extends line item with the extended datasets listed from top to bottom. For example, here is the detail information for Gamma, showing that it extends Alpha and Beta.

This screen image shows the Gamma dataset listing in the Datasets listing page, with its row expanded to display detail information. At the bottom of the list of detail information there is an Extends field with the value Alpha > Beta.

You can also find this information on the viewing page for a dataset. Click More Info to see what datasets the dataset that you are viewing extends.

Use a naming convention for extended datasets

When you are working with a dataset, it is difficult to know what datasets are extended from it. For example, a person working with the Alpha dataset has no way of knowing that it is extended by the Beta and Gamma datasets.

You can manage this by using a naming convention to indicate when a dataset is extended from another. For example, if you extend a dataset from dataset Alpha, you can name it Alpha.Beta. Later, if you extend two datasets from Alpha.Beta, you can name those datasets Alpha.Beta.Gamma and Alpha.Beta.Epsilon. This naming methodology is similar to that of data model datasets, where the dataset name indicates where it lives in a greater hierarchy of data model datasets.

This diagram shows a dataset extension chain. At the start of the chain is a dataset named Alpha. An arrow points to a dataset that has been extended from it. This extended dataset is named Alpha.Beta. Two datasets are extended from Alpha.Beta. One is named Alpha.Beta.Gamma, and the other is named Alpha.Beta.Epsilon.

When you extend a dataset, you can update its description to indicate that it has been extended. Identify the knowledge objects that have been directly extended from it, not the full extension chain, if one exists. Add a sentence like this to the dataset description: "This dataset has been extended as a table dataset named <dataset_name> and a report named <report_name>."
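
The chain and naming-convention sections above both turn on the same gap: from Alpha you cannot see what extends it. The following added example (not Splunk code, and not part of the original manual) builds that reverse view offline from a set of search strings, which matters when reports or alerts depend on a dataset that is about to change. The object names, field names and search strings are constructed, and the pattern covers only the from datamodel:"..." form shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: knowledge object name -> its search string.
# Names follow the page's Alpha/Beta/Gamma example; field names are invented.
OBJECTS = {
    "Alpha.Beta": '| from datamodel:"Alpha" | eval total=price*quantity',
    "Alpha.Beta.Gamma": '| from datamodel:"Alpha.Beta" | where total > 100',
    "Alpha.Beta.Epsilon": '| from datamodel:"Alpha.Beta" | stats sum(total) by user',
    "Failed purchases alert": '| from datamodel:"Alpha" | search action=failure',
    "Unrelated": "index=main sourcetype=access_combined",
}

# Matches the reference form shown on the page: from datamodel:"Name"
FROM_REF = re.compile(r'\bfrom\s+datamodel:"([^"]+)"')

def parents(search):
    """Datasets that a search string references through the from command."""
    return FROM_REF.findall(search)

def reverse_index(objects):
    """Map each dataset to the objects that directly extend it."""
    children = defaultdict(set)
    for name, search in objects.items():
        for parent in parents(search):
            children[parent].add(name)
    return children

def affected_by(dataset, objects):
    """Every object a change to `dataset` cascades to, direct or indirect."""
    children, seen, stack = reverse_index(objects), set(), [dataset]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:   # guards against reference cycles
                seen.add(child)
                stack.append(child)
    return seen

def breaks_convention(objects):
    """Extended objects whose name does not start with '<parent>.'."""
    return sorted(name for name, search in objects.items()
                  if any(not name.startswith(p + ".") for p in parents(search)))

if __name__ == "__main__":
    print(sorted(affected_by("Alpha", OBJECTS)))
    print(breaks_convention(OBJECTS))
```
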

The from command

Dataset extension is facilitated by the from command, whether you extend it by opening it in the Search view, or through the Table Editor.

When you open a dataset in the Search view, you see a search string that uses the from command to retrieve data from that dataset. For example, say you have a dataset named Buttercup_Games_Purchases. If, while on the Datasets listing page, you click Explore in Search for that dataset, the Splunk platform takes you to the Search view, where you see this search string:

| from datamodel:"Buttercup_Games_Purchases"

If you work with Splunk Cloud, or work with Splunk Enterprise and have installed the Splunk Datasets Add-on, you can extend any dataset as a table dataset. When you do this, the Table Editor uses the from command in the background. Click the SPL toggle in the command history sidebar to see how the Table Editor uses the from command.

This closeup of the command history sidebar in the Table Editor shows that the initial data for the table dataset is provided by a from command extension of the Buttercup Games Purchases dataset.

This screen image shows a close up of the command history sidebar for the Table Editor. The SPL tab is selected to reveal the search processing language behind the commands. The SPL for the first command begins with: from datamodel:"buttercup_games_purchases"

For more information, see from in the Search Reference.

Extension and table acceleration

If you want to accelerate a table that extends other tables, it needs to be shared, and the tables it extends must be shared as well.

You will not see acceleration benefits when you use from to extend an accelerated table.

You cannot accelerate a table that is extended from a lookup table file or lookup definition. Acceleration can only be applied to datasets that use purely streaming commands. Lookup dataset extension is not a streaming operation.

See Accelerate tables.

Last modified on 29 July, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10