Module 12: Creating Data Models

Question 1

What is a Pivot use for?

Answer 1

Creating reports and dashboards

Question 2

As a knowledge manager, what are your responsibilities?

Answer 2

For building the data model that provides the datasets for Pivot

Question 3

What are Data Models?

Answer 3

Hierarchically structured datasets that generate searches and drive Pivot

Question 4

What are Pivot reports based on?

Answer 4

They are created based on datasets

Question 5

How is each event, search or transaction saved when using Data Models?

Answer 5

They are saved as a separate dataset

Question 6

A data model can consist of 3 types of datasets, what are they?

Answer 6

• events
• searches
• transactions

Question 7

What does an event dataset contain?

Answer 7

Constraints and fields

Question 8

What is a constraint when using a data model?

Answer 8

Constraints are essentially the search broken down into a hierarchy. Basically search terms

Question 9

What are fields in a data model?

Answer 9

Fields are properties associated with the events

Question 10

True or False: Does each constraint inherit the parent search string?

Answer 10

True

Question 11

Like constraints, fields are inherited from what object?

Answer 11

The parent object

Question 12

How do you create a data model?

Answer 12

• Settings
• Data Models
  The ID is automatically populated from Title but can be overridden

Question 13

What do you add if you want to constraints in order to narrow down your search?

Answer 13

You should add child events

Question 14

What do you click in order to view the events that the constraint returns?

Answer 14

Click the Preview button

Question 15

How do you add a Root Event?

Answer 15

• Add field
• Auto-Extracted
• The inherited attributes are default fields

Question 16

When adding fields auto-extracted can?

Answer 16

Can be default fields or manually extracted fields

Question 17

When adding fields the eval expression is?

Answer 17

A new field based on an expression that you define

Question 18

When adding fields lookup can?

Answer 18

Leverage an existing lookup table

Question 19

When adding fields regular expression can?

Answer 19

Extract a new field based on regex

Question 20

When adding fields Geo IP can?

Answer 20

Add geographical fields such as latitude/longitude, country, etc

Question 21

What are auto-extracted fields?

Answer 21

Fields that already exist for the constraint can be added as attributes to the data model

Question 22

What are the field types in data models?

Answer 22

• String: field values are recognized as alpha-numeric
• Number: field values are recognized as numeric
• Boolean: field values are recognized as true/false or 1/0
• IPV4: field values are recognized as IP addresses. This is an important field type, as at least one IPV4 attribute type must be present in the data model in order to add a Geo UP attribute

Question 23

What are the different options when using the field flags?

Answer 23

• Optional: this field doesn’t have to appear in every event
• Required: only events that contain this field are returned in Pivot
• Hidden: this field is not displayed to Pivot users when they select the dataset in Pivot. Use the hidden option for fields that are only being used to define another field, such as an eval expression
• Hidden&Required: only events that contain this field are returned, and the fields are hidden from use in Pivot

Question 24

Can you use an eval expression to define a new field?

Answer 24

Yes you can use an eval expression

Question 25

When adding a lookup as a field, how should you treat them?

Answer 25

Treat them as an automatic lookup

Question 26

What do you use to test your lookup field?

Answer 26

Use the preview to test your lookup settings and use the events and values tab to verify your results

Question 27

Can you define a new field using a regular expression?

Answer 27

Yes you can use a regular expression

Question 28

What do map visualizations require?

Answer 28

Latitude/Longitude fields

Question 29

When using the Geo IP lookup what must be configured?

Answer 29

At least one IP field must be configured as an IPv4 type

Question 30

While the map function isn't available in Pivot, the data model can be called using the?

Answer 30

| pivot command and

Question 31

When you are creating a new child dataset what should you give it?

Answer 31

Give it one or more additional constraints

Question 32

Child datasets inherit all fields from where?

Answer 32

Parent events and you can add more fields to child datasets

Question 33

How do you test the data model?

Answer 33

- Click Pivot to access the select a dataset window | - choose an object from the selected data model to begin building the report

Question 34

True or False: Will the new Pivot window automatically populate with a count of events for the selected dataset?

Answer 34

True

Question 35

When using fields with Pivots how are the fields associated with each dataset?

Answer 35

As splits for rows or columns

Question 36

What is another way to filter events in the Pivot interface?

Answer 36

By using fields

Question 37

What are data model search datasets?

Answer 37

Arbitrary searches that include transforming commands to define the dataset that they represent

Question 38

Can search datasets also have fields?

Answer 38

Yes they can, by clicking the "Add Field" button

Question 39

What do data model transaction datasets do?

Answer 39

Enable the creation of datasets that represent transactions. Use fields that have already been added to the model using event or search datasets

Question 40

True or False: Can you add a transaction to the data model?

Answer 40

True

Question 41

After adding a transaction to a data model you can then add?

Answer 41

An eval expression or any other field (lookup, regular expression, GeoIP) to your transaction to further define the results.

Question 42

What are some of the things that you should consider when using Search and Transaction Datasets?

Answer 42

- there must be at least one event or search dataset before adding a transaction dataset - search and transaction datasets cannot benefit from persistent data model acceleration - as you learn to create data models, consider the types of reports your users will run

Question 43

When a data model is created, the owner can determine access based on the following permissions:

Answer 43

``` - Who can see the data models: owner app all apps - Which users can perform which actions (Read/Write) everyone power user admin-defined roles, if applicable ```

Question 44

What should you use the Splunk Web interface for?

Answer 44

- download and upload data models - backup important data models - collaborate with other Splunk users to create/modify/test data models - move data models from a test environment to production instance

Question 45

An ___ supported browser must be used to download data models

Answer 45

HTML 5

Question 46

What does data model acceleration do?

Answer 46

- Uses automatically created summaries to speed completion times for pivots - Takes the form of inverted time-series index file (tsidx) that have been optimized for speed

Question 47

What happens with persistent data model acceleration?

Answer 47

All fields in the model become "indexed" fields

Question 48

Only root events can be accelerated. If there are multiple root events, which one gets accelerated?

Answer 48

Only the first root event gets accelerated

Question 49

You must have one or the either in order to accelerate a data model?

Answer 49

Admin permissions or the accelerate_datamodel capability

Question 50

Can private data models be accelerated?

Answer 50

No, they cannot be accelerated

Question 51

Can accelerated data models be edited?

Answer 51

No, accelerated data models cannot be edited