Data Models for Splunk: A Mini-Guide
In this mini-guide, we will learn what data models are, how to get started with a data model, and get a quick introduction to the relationship between data models and the Pivot tool. And of course, resources will be added to help you on your Splunk journey.
What are Data Models?
Data models are made of hierarchical datasets. There are also specific types of root datasets: events, searches, and transactions. Think of a dataset as a collection of data that you can specify to explore during a search. To further explain, datasets can be thought of in a tree-like structure where there are parent datasets and child datasets; child datasets will inherit traits such as fields from their parent dataset.
Overall, data models are a great way to group similar data together.
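To make the parent/child inheritance concrete, here is an added Python sketch (not from the original article and not Splunk's own code) that resolves what a child dataset ends up with. The dictionary layout, the dataset names, the fields and the constraints are all constructed for illustration and are not Splunk's export format; it also assumes that a child's constraint narrows its parent's, so constraints are ANDed down the tree.

```python
# Constructed data model: names, fields and constraints are illustrative only.
DATA_MODEL = {
    "Web_Traffic": {"parent": None,
                    "constraint": "sourcetype=access_combined",
                    "fields": ["src_ip", "uri", "status"]},
    "Errors": {"parent": "Web_Traffic",
               "constraint": "status>=400",
               "fields": ["error_class"]},
    "Server_Errors": {"parent": "Errors",
                      "constraint": "status>=500",
                      "fields": ["upstream_host"]},
}


def lineage(model, name):
    """Return dataset names from the root dataset down to `name`."""
    chain, seen = [], set()
    while name is not None:
        if name not in model:
            raise KeyError(f"unknown dataset: {name}")
        if name in seen:  # a broken definition must not loop forever
            raise ValueError(f"inheritance cycle at {name}")
        seen.add(name)
        chain.append(name)
        name = model[name]["parent"]
    return chain[::-1]


def effective_fields(model, name):
    """Fields inherited from every ancestor (root first), then the dataset's own."""
    fields = []
    for dataset in lineage(model, name):
        for field in model[dataset]["fields"]:
            if field not in fields:
                fields.append(field)
    return fields


def effective_constraint(model, name):
    """Search filter a dataset really applies: all constraints in its lineage, ANDed."""
    parts = [model[dataset]["constraint"] for dataset in lineage(model, name)]
    return " AND ".join(f"({part})" for part in parts)


if __name__ == "__main__":
    for dataset in DATA_MODEL:
        print(" > ".join(lineage(DATA_MODEL, dataset)))
        print("   fields:    ", ", ".join(effective_fields(DATA_MODEL, dataset)))
        print("   constraint:", effective_constraint(DATA_MODEL, dataset))
```

Reading the output for the deepest child shows why a field or filter defined on a root dataset matters to everything beneath it.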
To explore Datasets, go to Search and Reporting > Data Models. Click the arrow to reveal more about the dataset. Next to Datasets, click Edit.
In the example below, we can see Alerts is a child dataset of Scheduler.
Example of Hierarchical Tree-like Structure (for visualization):
Data Models and Pivot
To reiterate, data models group similar data together. To present data in a specific fashion, we may use Pivot. Specifically, knowledge managers use Pivot (which draws on the datasets in data models) to create reports, dashboards, and visualizations. Another advantage of Pivot is that the knowledge manager does not have to know SPL to work with the data.
Create a Data Model
This section will introduce you on where to find So thankfully, Splunk has a few videos already listed on how to create a data model and add data sets. However, I'll show you how to start.
To create a Data Model, go to Settings > Data Model.
Click New Data Model.
Name your Data Model. Click Create.
Now, you'll see that your data model has no datasets.
To find out how to add data sets, check out Splunk's Course Catalog: https://www.splunk.com/en_us/training/course-catalog.html and search for "Data Models".
Remember, to create your data sets, you will want to create your parent or "root" dataset first, and then you will create your child datasets.