As Splunkers know, searching and reporting in Splunk Enterprise are quick and powerful tools for extracting valuable insights from your data. How are you maximizing your searching and reporting abilities?
That’s where the Splunk Data Model comes in. Splunk Data Models can take your searches—and their efficiency—to the next level. Let’s walk through how we do this…
Why You Should Use Data Models
One advantage of Data Models is the ability to combine various sourcetypes into a common model by utilizing field aliases. While vendors such as Cisco, Juniper, and Palo Alto may develop products with similar roles, their devices often log in different formats. The Splunk Data Models in the Splunk Common Information Model (CIM) utilize common field names for searching events regardless of the original vendor or format. A Splunk Add-on for any proprietary log format may comply with the CIM by defining field aliases and tags. The CIM Data Models then pull in the logs from various vendors and sourcetypes by utilizing a simple Splunk query with the appropriate tags.
The Database Data Model from the Common Information Model includes any events tagged “database” and stored in an index included in the configurable cim_Databases_indexes macro.
When particular reports are used frequently in Splunk, report acceleration can be useful for improving report load time and reducing duplicate indexer activity. Similarly, certain sets of data may be frequently utilized for a variety of reporting. Similar to Report acceleration, Data Model acceleration provides faster search performance and reduces duplicate activity by your indexers. A variety of reports can be run against the accelerated Data Model without pulling the results from your raw logs each time.
Splunk searches extract valuable information from your data, but Splunk Processing Language (SPL) can be hard to learn for some users. Data Models provide a benefit for these users in the form of Pivot searches. Splunk’s Pivot search allows you to search without using an SPL query. You can table results using both column or row splits and statistics functions such as sum or average.
This pivot search can now be converted to many of the standard Splunk visualizations such as a column chart.
Creating a Data Model
The first step in creating a Data Model is to define the root event and root data set. The root data set includes all data possibly needed by any report against the Data Model. For example, the Web Data Model:
Additionally, you can define child data sets so that you can search smaller subsets of your data. For instance, you can search the “proxy” child dataset of the Web Data Model.
After creating one or more datasets, you can then add fields to your Data Model. While entire raw events are stored in your Splunk indexes, Data Models only store the fields you specify. You can add fields from eval expressions, lookups, regular expressions, or automatic field extractions. Your child datasets inherit the fields of their parents while optionally having their own additional fields.
Data Model… Done!
And there you have it! A quick breakdown on Data Models and how they can take your Splunk efficiency to the next level. After defining your root data, child data, and fields – creating your data model gives you a completely new set of eyes on your data. From this lesson, you can take away tips on how to improve search performance and speeding up the report processing time.
Setting up Data Models in Splunk can do wonders on search performance. Kinney Group services can do wonders for your overall Splunk performance. We make Splunk easy for our customers – fill out the form below to learn how.