Create Splunk Data Model


In this blog we walk through creating a Splunk data model step by step. If you first want to understand how a Splunk data model works, see our separate post on that topic.

Part 1: Steps to create splunk data model:

1) Go to Settings -> Click on Data models.


2) Click on “New Data Model”.


3) Give the data model a name. The name you type here is also the data model ID that searches reference, so keep it to letters, digits and underscores.


4) Click on “Add Dataset” and select “Root Event”.


5) Give the dataset a name and add its constraints, i.e. the index and sourcetype(s) whose events the dataset covers, then click Save. Always constrain the index here: a root dataset that only names a sourcetype is searched across every index the summary-building user can read once you accelerate it.


6) Click “Add Dataset” again and select “Child”.


7) Give the child dataset a name, add its constraint (a plain search filter that narrows the parent’s events, for example status>=400) and save. A child only ever inherits and narrows its parent; it cannot widen the parent’s index or sourcetype.


8) Now select the parent dataset, click “Add Field” and select “Auto-Extracted”.


9) Select the fields you want to add and click Save. Fields added to the parent are inherited by every child dataset.


10) Now click Edit at the top and select “Edit Permissions”.


NOTE : Change the sharing of the data model to the app (or to all apps) and save it. This step comes before acceleration because a private data model cannot be accelerated.

11) Now click Edit at the top again and select “Edit Acceleration” -> tick Accelerate and set the Summary Range, i.e. how far back in time the summary is built and maintained -> click Save. Pick the smallest range your searches actually need; the summary is rebuilt and stored on every indexer, so a large range on a busy index costs disk and CPU.


NOTE : An accelerated data model cannot be edited. To edit it you first have to disable acceleration, which discards the summary; the summary is rebuilt from scratch when you enable acceleration again.

12) To check whether the data model returns the events you expect, open a search and run the datamodel command against one of its datasets. Without the dataset name and the search keyword, the command only prints the JSON definition of the data model:

| datamodel <datamodel_name> <dataset_name> search

13) To query the accelerated summary with the data model’s fields and constraints, use the tstats command. tstats needs a statistics function (count below), and every field is referenced with the root dataset name as prefix; a child dataset is selected with where nodename=<root_dataset_name>.<child_name>:

| tstats summariesonly=true count from datamodel=<datamodel_name> by <root_dataset_name>.<field_name>

NOTE : summariesonly=true returns only events that are already in the acceleration summary, so events indexed since the last summary run are missing from the result. summariesonly=false (the default) falls back to the raw events for any time span that is not summarized yet, which is slower but complete.
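The same procedure expressed as code. This is an added example, not code from the original post or from Splunk: it builds the data model definition JSON in the format the Data Model Editor stores (the file you get from Download), checks it for the mistakes that only show up after acceleration, renders the matching datamodels.conf stanza for steps 10 and 11, and produces the verification searches of steps 12 and 13 with the field prefixes and nodename filter tstats expects. The names web_traffic, Web, Failed_Requests, index=web and sourcetype=access_combined are constructed for the example.

```python
"""Scripted counterpart of steps 3 to 13 of the walkthrough (example code, not
from the original post). The JSON keys follow the Data Model Editor's format;
web_traffic / index=web / sourcetype=access_combined are assumed names."""
import json
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # assumed: identifier-style names


def _field(name, ftype, owner):
    """One field entry in the editor's format (inherited fields are not editable)."""
    return {"fieldName": name, "displayName": name, "type": ftype, "owner": owner,
            "fieldSearch": "", "required": False, "multivalue": False,
            "hidden": False, "editable": owner != "BaseEvent", "comment": ""}


def root_event(name, index, sourcetype, fields):
    """Steps 4, 5, 8, 9: root event dataset scoped to index/sourcetype, plus fields."""
    return {"objectName": name, "displayName": name, "parentName": "BaseEvent",
            "comment": "", "lineage": name,
            "constraints": [{"search": f"index={index} sourcetype={sourcetype}",
                             "owner": name}],
            "fields": [_field("_time", "timestamp", "BaseEvent")]
                      + [_field(f, t, name) for f, t in fields],
            "calculations": []}


def child(parent, name, constraint):
    """Steps 6, 7: a child dataset narrows its parent with one more constraint."""
    lineage = f"{parent['lineage']}.{name}"
    return {"objectName": name, "displayName": name,
            "parentName": parent["objectName"], "comment": "", "lineage": lineage,
            "constraints": [{"search": constraint, "owner": lineage}],
            "fields": [], "calculations": []}


def build_model(model_name, objects, description=""):
    """Step 3: modelName is the ID that cannot be changed after saving."""
    return {"modelName": model_name, "displayName": model_name,
            "description": description, "objects": objects}


def validate(model):
    """Return a list of problems (empty means consistent): children must name a
    parent defined before them, event-dataset constraints are plain filters (no
    pipes), and a root event dataset should pin an index so the summary build
    does not scan every index the summarizing user can read."""
    problems = []
    if not NAME_RE.match(model["modelName"]):
        problems.append("modelName must be an identifier")
    known = {"BaseEvent"}
    for obj in model["objects"]:
        oname = obj["objectName"]
        if obj["parentName"] not in known:
            problems.append(f"{oname}: parent {obj['parentName']} is not defined before it")
        for c in obj["constraints"]:
            if "|" in c["search"]:
                problems.append(f"{oname}: constraint contains a pipe: {c['search']!r}")
        if obj["parentName"] == "BaseEvent" and not any(
                re.search(r"\bindex=", c["search"]) for c in obj["constraints"]):
            problems.append(f"{oname}: root event dataset has no index= constraint")
        known.add(oname)
    return problems


def datamodels_conf(model, sharing, earliest="-7d", cron="*/5 * * * *"):
    """Steps 10, 11 as configuration. Acceleration is only allowed on a model
    shared app-wide or globally, which is why permissions are set first."""
    if sharing not in ("app", "global"):
        raise ValueError("private data models cannot be accelerated; share it first")
    return (f"[{model['modelName']}]\nacceleration = 1\n"
            f"acceleration.earliest_time = {earliest}\n"
            f"acceleration.cron_schedule = {cron}\n")


def verify_queries(model, lineage, by_fields, summariesonly=True):
    """Steps 12, 13: the datamodel check and a tstats query. tstats needs a stats
    function, by-fields carry the root dataset prefix, and a child dataset is
    selected with nodename=<lineage>."""
    root = model["objects"][0]["objectName"]
    check = f"| datamodel {model['modelName']} {lineage.split('.')[-1]} search"
    by = ", ".join(f if f.startswith(root + ".") else f"{root}.{f}" for f in by_fields)
    where = f" where nodename={lineage}" if "." in lineage else ""
    flag = "true" if summariesonly else "false"
    tstats = (f"| tstats summariesonly={flag} count "
              f"from datamodel={model['modelName']}{where} by {by}")
    return check, tstats


def example_model():
    """Constructed example: web access logs with a child dataset for failed requests."""
    web = root_event("Web", "web", "access_combined",
                     [("src", "string"), ("uri_path", "string"), ("status", "number")])
    return build_model("web_traffic", [web, child(web, "Failed_Requests", "status>=400")],
                       "Web access events")


if __name__ == "__main__":
    model = example_model()
    print(json.dumps(model, indent=2))   # what the Download button would give you
    print(validate(model))
    print(datamodels_conf(model, "app"))
    for q in verify_queries(model, "Web.Failed_Requests", ["src", "status"]):
        print(q)
```

Running the script prints the definition, an empty problem list, a datamodels.conf stanza that accelerates the last seven days on the default five-minute schedule, and the two searches from steps 12 and 13. The sharing argument to datamodels_conf is not part of datamodels.conf itself (sharing lives in the app's metadata); it is passed in only so the script refuses to emit an acceleration stanza for a model that Splunk would refuse to accelerate.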

Part 2: Enable roles to create splunk data models

By default, only an administrator or a user with the power role can create a data model. Any other user can create one only if their role has write access to the app the data model will be saved in. Follow these steps to grant that access to another role.

  1. Click the Apps drop-down menu at the top of the page and select Manage Apps to go to the Apps page.
  2. On the Apps page, find the app in which the role should be able to create data models and click Permissions.
  3. On the App Permissions page, tick Write for the role that should be allowed to create data models in this app.
  4. Click Save.

Part 3: Steps to Rebuild/Upload/Download/Delete a data model:

1. Rebuild a summary for an accelerated data model

If you suspect that the summary lost data, for example after a system crash or a similar accident, rebuild the data model summary. Rebuilding deletes and recreates the entire acceleration summary for that data model, which can take a long time if the summary is large.

NOTE: Splunk also rebuilds the summary automatically when you disable acceleration and then enable it again.

  1. In Splunk Web, go to the data model management page (Settings -> Data models).
  2. Find the accelerated data model that needs to be rebuilt and expand its row.
  3. Click Rebuild. The summary is rebuilt from scratch.
  4. Watch the summary status in the expanded row to see when the rebuild finishes.

2. Upload a splunk data model

  1. Go to the data model management page.
  2. Click Upload Data Model.
  3. Select the JSON file you want to upload.
  4. Change the data model ID to a new unique value. This ID cannot be changed after the data model has been saved.
  5. Enter the name of the app the data model belongs to.
  6. Click Upload. If the uploaded data model passes validation, it appears in the list on the data model management page.
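The Download and Upload buttons above have a REST equivalent, which is what you want when copying a data model between a lab and a production search head. This is an added example, not code from the original post or from Splunk. It assumes the datamodel/model endpoint, that the model definition is the description field of that endpoint, a bearer token for authentication, and that the running user may write to the target app; adjust the app (target_app) and host names to your environment.

```python
"""Download/upload a Splunk data model definition over REST (example code, not
from the original post). Assumptions: endpoint datamodel/model, the definition
JSON lives in its 'description' field, and bearer-token authentication."""
import json
import ssl
import urllib.parse
import urllib.request


def prepare_upload(definition, new_model_name):
    """Upload step 4: the model ID (modelName) must be unique on the target and
    cannot be changed afterwards, so rewrite it before posting. Returns the form
    fields the endpoint expects; the input definition is not modified."""
    if not new_model_name.replace("_", "").isalnum():
        raise ValueError("modelName must be letters, digits and underscores")
    if not definition.get("objects"):
        raise ValueError("definition has no datasets; Splunk would reject it")
    copy = dict(definition)
    copy["modelName"] = new_model_name
    copy.setdefault("displayName", new_model_name)
    return {"name": new_model_name, "description": json.dumps(copy)}


def _request(base_url, path, token, data=None, verify_tls=True):
    """GET (data=None) or POST (form data) against the management port."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances with self-signed certs only, never production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def download_datamodel(base_url, app, name, token, verify_tls=True):
    """Download button: fetch the definition JSON of an existing data model."""
    path = f"/servicesNS/nobody/{app}/datamodel/model/{urllib.parse.quote(name)}"
    entry = _request(base_url, path, token, verify_tls=verify_tls)["entry"][0]
    return json.loads(entry["content"]["description"])


def upload_datamodel(base_url, app, definition, new_name, token, verify_tls=True):
    """Upload button: POST into the app's collection. Splunk validates the JSON
    and rejects a name that already exists, so the rename above is required."""
    form = prepare_upload(definition, new_name)
    return _request(base_url, f"/servicesNS/nobody/{app}/datamodel/model", token,
                    data=form, verify_tls=verify_tls)


if __name__ == "__main__":
    import os
    token = os.environ["SPLUNK_TOKEN"]            # never hard-code the token
    model = download_datamodel("https://lab-sh:8089", "search", "web_traffic", token)
    upload_datamodel("https://prod-sh:8089", "search", model, "web_traffic_v2", token)
```

Using the nobody owner in the path creates the data model at app level rather than as a private object of the calling user, which matters because, as noted in Part 1, a private data model cannot be accelerated.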

3. Download a splunk data model

  1. Open the data model in the data model editor.
  2. Click the Download button in the upper right.

4. Delete a splunk data model

  1. In the Search & Reporting app, click Datasets to open the dataset listing page.
  2. Find a data model dataset that belongs to the data model you want to delete.
  3. Select Manage > Edit Data Model to open it in the Data Model Editor and delete the data model from there. Alternatively, on the Settings -> Data models page, expand the data model’s row and click Delete.

If you still face issues creating a Splunk data model, feel free to ask in the comment box below, and don’t forget to follow us on social platforms. Happy Splunking.
