Creating a data model

So now that we have a general idea of what a Splunk data model is, let's go ahead and create one. Before we can get started, we need to verify that our user ID is set up with the proper access required to create a data model. By default, only users with the admin or a power role can create data models. For other users, the ability to create a data model depends on whether their roles have write access to an app.

To begin (once you have verified that you do have the access to create a data model), you can click on Settings and then Data models (under KNOWLEDGE):

This takes you to the Data Models (management) page (shown in the next screenshot). This is where a list of data models is displayed. From here, you can manage the permissions, acceleration, cloning, and removal of existing data models. You can also use this page to upload a data model or create new data models, using the Upload Data Model and New Data Model buttons in the upper-right corner, respectively.

Since this is a new data model, you can click on the button labeled New Data Model. This will open the New Data Model dialog box (shown in the following image). We can fill in the required information in this dialog box:

Filling in the new data model dialog

You have four fields to fill in to describe your new Splunk data model: Title, ID, App, and Description:

  • Title: Here you must enter a title for your data model. This field accepts any character, as well as spaces. The value you enter here is what will appear on the data model listing page.
  • ID: This is an optional field. It gets prepopulated with what you entered for your data model title (with any spaces replaced with underscores). Take a minute to make sure you have a good one, since once you enter the data model ID, you can't change it.
  • App: Here you select (from a drop-down list) the Splunk app that your data model will serve.
  • Description: The description is also an optional field, but I recommend adding something descriptive to later identify your data model.

Once you have filled in these fields, you can click the button labeled Create. This opens the data model (in our example, Aviation Games) in the Splunk Edit Objects page (shown in the following screenshot).

The next step in defining a data model is to add the first object. As we have already stated, data models are typically composed of object hierarchies built on root event objects. Each root event object represents a set of data that is defined by a constraint, which is a simple search that filters out events that are not relevant to the object.

Getting back to our example, let's create an object for our data model to track purchase requests on our Aviation Games website.

To define our first event-based object, click Add Object (as shown in the following screenshot):

Our data model's first object can either be a Root Event, or Root Search. We're going to add a Root Event, so select Root Event. This will take you to the Add Event Object editor:

Our example object will expose events that contain the word error, which represents processing errors that have occurred within our data source. So for the Object Name, we will enter Processing Errors.

The Object ID will automatically populate when you type in the Object Name (you can edit it if you want to change it). For our object's constraint, we'll enter sourcetype=tm1* error. This constraint defines the events that will be reported on (all events that contain the word error that are indexed in the data sources whose sourcetype starts with tm1). After providing constraints for the event-based object, you can click Preview to test whether the constraints you've supplied return the kind of events that you want.

The following screenshot depicts the preview of the constraints given in this example:

After reviewing the output, click Save. The list of attributes for our root object is displayed: host, source, sourcetype, and _time. If you want to add child objects for client and server errors, you need to edit the attributes list to include additional attributes:

Editing attributes

Let's add an auto-extracted attribute, as mentioned earlier in this chapter, to our data model. Remember, auto-extracted attributes are derived by Splunk at search time. To start, click Add Attribute:

Next, select Auto-Extracted. The Add Auto-Extracted Field window opens:

You can scroll through the list of automatically extracted fields and check the fields that you want to include. Since my data model example deals with errors that occurred, I've selected date_mday, date_month, and date_year.

Notice that to the right of the field list, you have the opportunity to rename and set the type of each of the fields that you selected. Rename is self-explanatory, but for type, Splunk allows you to select String, Number, Boolean, or IPV4 and indicate whether the attribute is Required, Optional, Hidden, or Hidden & Required. Optional means that the attribute doesn't have to appear in every event represented by the object: the attribute may appear in some of the object's events and not in others.

Once you have reviewed your selected field types, click Save.
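As an added example (mine, not the book's or Splunk's own code), the following Python builds the same Aviation Games model as the JSON definition Splunk keeps for a data model, applying the ID rule from the dialog (spaces become underscores) and validating the attribute types and flag choices the dialog offers. The key names follow the format Splunk writes under data/models/<modelName>.json, and the field types chosen for date_mday, date_month and date_year, as well as the omission of the inherited host, source, sourcetype and _time fields, are my assumptions.

```python
import json
import re

# Types offered for an attribute in the Add Auto-Extracted Field dialog.
FIELD_TYPES = {"string", "number", "boolean", "ipv4"}
# Flag choices in that dialog, mapped to (required, hidden).
FLAGS = {"optional": (False, False), "required": (True, False),
         "hidden": (False, True), "hidden & required": (True, True)}

def make_id(title):
    """Derive the ID Splunk prepopulates from a title: spaces become underscores."""
    return re.sub(r"\s+", "_", title.strip())

def auto_extracted_field(owner, name, ftype="string", flag="optional", rename=None):
    """One auto-extracted attribute, validated against the dialog's choices."""
    if ftype not in FIELD_TYPES:
        raise ValueError(f"unsupported attribute type {ftype!r}")
    required, hidden = FLAGS[flag.lower()]
    return {"fieldName": name, "owner": owner, "type": ftype, "fieldSearch": "",
            "required": required, "hidden": hidden, "multivalue": False,
            "editable": True, "displayName": rename or name, "comment": ""}

def root_event(title, constraint, fields):
    """A Root Event object; its constraint must be plain search terms (no pipes)."""
    if "|" in constraint:
        raise ValueError("root event constraint must be a simple search, not a pipeline")
    obj_id = make_id(title)
    return {"objectName": obj_id, "displayName": title, "parentName": "BaseEvent",
            "comment": "", "fields": [auto_extracted_field(obj_id, *f) for f in fields],
            "calculations": [], "constraints": [{"search": constraint, "owner": obj_id}],
            "lineage": obj_id}

def build_model(title, description, objects):
    """Top-level model; objectNameList mirrors the objects Splunk lists alongside them."""
    return {"modelName": make_id(title), "displayName": title, "description": description,
            "objects": objects, "objectNameList": [o["objectName"] for o in objects]}

# Constructed example mirroring the chapter's Aviation Games model (field types are my choice).
AVIATION_GAMES = build_model(
    "Aviation Games", "Purchase requests on the Aviation Games website",
    [root_event("Processing Errors", "sourcetype=tm1* error",
                [("date_mday", "number"), ("date_month", "string"), ("date_year", "number")])])

if __name__ == "__main__":
    print(json.dumps(AVIATION_GAMES, indent=2))
```

Keeping the generated file in version control lets you review constraint changes the same way as any other search logic before they reach production.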