Splunk Enterprise Fundamental Part2 Module2

1. Course content


Creating Data Models

  • Describe the relationship between data models and pivot
  • Identify data model attributes
  • Create a data model
  • Use a data model in pivot


2.1.What is a Data Model?

  • Describes how underlying machine data is represented and accessed
  • Defines meaningful relationships in the data
  • Enables a single authoritative view of the underlying raw data
  • Allows business users/analysts to create reports and dashboards
  • Enables column-based acceleration

2.2.About Data Model Objects

  • Data models are composed of one or more objects
  • Each object is a dataset that corresponds in some manner to a set of data in your index
  • Objects in data models can be arranged in parent/child relationships. Each top-level or root object can have child objects which inherit the constraints and attributes of the parent and have additional constraints and attributes of their own
  • Objects break down into four types
    1. Event objects (can be accelerated persistently)
    2. Search objects (ad-hoc acceleration only)
    3. Transaction objects (ad-hoc acceleration only)
    4. Child objects (inherit the constraints and attributes of their parent object)

2.3.Create a DM using Instant Pivot


2.4.The Root

  • The root object defines the events for the model based on a condition (constraint)
  • It was already created from the search used in the instant pivot.

2.5.About Attributes

Define which fields are available in the root according to the user
category of the data model

  • Business users are only interested in product and marketing related information, not network status
  • By default, only _time, host, source and sourcetype are available

2.6.Add the Relevant Fields



2.7.Data Enrichment

  • Status code details are not necessary for business users; they only care whether the transaction succeeded or failed
  • Use an evaluated expression (eval) to generate a business-user-friendly field on the fly

2.8.Transaction Status


2.9.Data Enrichment - Lookup

  • Create the lookup definition using prices.csv
    1. Remove the automatic lookup if one exists
    2. Set the lookup permission to 'App'
  • Edit the data model and add the lookup field

3.0.Adding DM Lookup



3.1.Hierarchical Constraints

A child object accesses the events defined by its parent (the root in this
example). It also inherits the parent's attributes.

3.2.Add 2nd Level Child Objects


3.3.Completed Data Model


3.4.Enable Acceleration

  • Edit the permission setting
    1. Set "Display For" to the App
    2. Everyone: Read-Only; admin: Read-Write
  • Edit the acceleration setting
    Enable acceleration and set a reasonable summary range

3.5.Using SPL to access Data Model


3.6.Let's make a report


3.7.tstats: using SPL to access accelerated DM

Compared to transparent/report acceleration, creating a new report
using different fields inside the accelerated DM does not require
disabling and re-enabling the acceleration

3.8.Accelerated Search

Fields and values generated on the fly using eval expressions or lookups can
be used as well

3.9.Accelerated data: summariesonly=true

By default, tstats retrieves events from both the accelerated summary (tsidx) and the normal
index, i.e. summariesonly=false
In Search App, type "|tstats summariesonly=true count from

4.0.Accelerated Only

  • Set the permission of the lookup definition to App
  • Rebuild the DM and wait until it is 100% complete
  • In Search App, type "|tstats summariesonly=true count from
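As an added example (not from the course notes), assuming a hypothetical data model named Sales_DM with a root object Purchases and a field product_name: the first search reads only the accelerated summary, the second reads both the summary and the raw index, and the third compares the two per hour to show the non-accelerated backlog discussed under DM acceleration.

```spl
| tstats summariesonly=true count FROM datamodel=Sales_DM WHERE nodename=Purchases BY Purchases.product_name

| tstats summariesonly=false count FROM datamodel=Sales_DM WHERE nodename=Purchases BY Purchases.product_name

| tstats summariesonly=false count AS total FROM datamodel=Sales_DM WHERE nodename=Purchases BY _time span=1h
| append
    [| tstats summariesonly=true count AS accelerated FROM datamodel=Sales_DM WHERE nodename=Purchases BY _time span=1h]
| stats sum(total) AS total sum(accelerated) AS accelerated BY _time
| fillnull value=0 total accelerated
| eval backlog = total - accelerated
| where backlog > 0
```

Hours that appear in the third search's output are those where the summary lags behind the raw index; an empty result means the acceleration is fully caught up.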


4.1.A few more on DM Acceleration

  • The summary search runs every 5 minutes
  • If acceleration cannot be completed properly, the system skips it and defers it to the next iteration
    If the next search completes and clears the backlog, it's fine. Otherwise, the non-accelerated portion grows. There are different reasons, e.g. the maxsearches limit reached, the maxAutosummary limit reached, or running out of search disk space
  • Parallel summarization is enabled by default since 6.3
    acceleration.max_concurrent = 2

4.2.Performance on Summary search

In ES (Enterprise Security), the Audit tab provides useful information, such as Data Model
Audit and Search Audit