
Data Model in Splunk (Part-II)

Hi, welcome back once again. In this series, “Data Model in Splunk”, we will try to cover all possible aspects of data models.

In the previous blog, “Data Model In Splunk (Part-I)”, we discussed the basics and functions of data models, and we started creating a new data model named “Zomato”. We have already created an “Event Root data set” named “continent”.

Today we will create a child data set named “Asia” under the parent data set “continent”, where we will filter only the data related to the “asia subcontinent”.

So without wasting any time let’s get to the business end.

Create a child data set:

Currently, my data model looks like this,

Now I will click on “Add Dataset” and “Child”.

Dataset Name: <Mention name of the child dataset>

Additional Constraints: <Mention the search query that will fetch the information we need for the data model. Here we have entered “continent=Asia”; we don’t need to enter the complete query because it’s a child data set.>

Inherit From: <Select the parent data set name>

Click on Save

And it will look like this,


As you can see, all the extracted fields from the parent data set have already been added to the child data set as well. Now if I access the pivot of this child data set, you can see it’s working smoothly.


Here you can see all the restaurants listed in Asia.

Create Search root dataset:

Now we will create a “Search root dataset” named “Cuisines”. The only difference between “root event” and “root search” is that the query of the “root search” dataset will be much more complex and will consist of pipes.

So let’s take an example, in our data we have a field called “Cuisines”.

Here, as you can see, all the cuisines available in one restaurant are separated by a comma (“,”). But we want to get all the distinct cuisine names for each restaurant, so we have prepared a query like this.

index=main source="zomato.csv" "Country Code"=*
| stats count by Cuisines City "Restaurant Name"
| eval Cuisines=split(Cuisines,", ")
| mvexpand Cuisines
| fields - count
| dedup Cuisines City "Restaurant Name"
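
To see what each stage of this search does without the zomato.csv data, here is an added example (not part of the original blog) that runs the same pipeline on three constructed sample rows built with makeresults. The restaurant names, cities and cuisine lists are made-up values; one row is repeated and one cuisine list contains a repeated entry, so that both stats and dedup have something to remove.

```spl
| makeresults
| eval row=split("Spice Route|New Delhi|North Indian, Chinese;Spice Route|New Delhi|North Indian, Chinese;Noodle Bar|Singapore|Chinese, Thai, Chinese", ";")
| mvexpand row
| eval part=split(row, "|")
| eval "Restaurant Name"=mvindex(part, 0), City=mvindex(part, 1), Cuisines=mvindex(part, 2)
| fields "Restaurant Name" City Cuisines
| stats count by Cuisines City "Restaurant Name"
| eval Cuisines=split(Cuisines, ", ")
| mvexpand Cuisines
| fields - count
| dedup Cuisines City "Restaurant Name"
| sort "Restaurant Name" Cuisines
```

The stats stage collapses the repeated row, split and mvexpand turn each comma-separated list into one row per cuisine, and dedup drops the repeated cuisine within a restaurant, leaving four rows (two cuisines for each restaurant).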

Now we want to replicate this data in our data model, by creating a “root search dataset”.

Dataset Name: <name of the root dataset>

Search String: <enter the search string>

After that, you can even click on the search button to check whether the given search string is working.

Then click on Save.

As soon as you save it, you need to add fields in the data set.

As you can see, the list is only showing “City” and “Restaurant Name”; “Cuisines” is not showing. This is absolutely normal and can happen. If it is also happening for you, then you need to add the field using “Eval expression”. I will show that in the next step.

Here, as you can see, we are adding only “City”, not “Restaurant Name”, because you can’t add any field having whitespace. We will add this one using “Eval Expression” as well.

Save it and click on “Add Field” and “Eval expression”.

We will add “Cuisines” and “Restaurant Name” one by one.

Finally, it will look like this.


To verify whether it’s working, try to access the pivot.

We are signing off for today with “Data Model in Splunk (Part-II)”. In the next blog of this data model series, we will discuss the usage and functions of the Pivot table.

Happy Splunking!!
