Module 12: Creating Data Models Flashcards
What is Pivot used for?
Creating reports and dashboards
As a knowledge manager, what is your responsibility with respect to Pivot?
Building the data models that provide the datasets Pivot reports are built on
What are Data Models?
Hierarchically structured datasets that generate searches and drive Pivot
What are Pivot reports based on?
Datasets defined in a data model
How is each event, search or transaction stored in a data model?
Each one is saved as a separate dataset
A data model can consist of 3 types of datasets, what are they?
- events
- searches
- transactions
What does an event dataset contain?
Constraints and fields
What is a constraint in a data model?
The search terms that define which events belong to a dataset. Constraints form a hierarchy: the root dataset's constraint is the base search, and each child dataset's constraint narrows it further
What are fields in a data model?
Fields are properties associated with the events
True or False: Each child dataset's constraint inherits the parent's search string.
True
Like constraints, fields are inherited from what object?
The parent object
How do you create a data model?
- Settings
- Data Models
- Create a new data model and give it a Title; the ID is automatically populated from the Title but can be overridden
What do you add if you want additional constraints to narrow down your search?
Child event datasets, each with its own constraint
What do you click in order to view the events that the constraint returns?
Click the Preview button
How do you add a Root Event and its fields?
- Add Dataset, then Root Event; give it a name and a constraint (the base search string)
- Add Field, then Auto-Extracted, to pick fields the constraint already returns
- The inherited fields (such as _time, host, source and sourcetype) are default fields
When adding fields, what can an Auto-Extracted field be?
A default field or a manually extracted field that already exists for the constraint
When adding fields, what is an Eval Expression field?
A new field based on an eval expression that you define
When adding fields, what does a Lookup field do?
Leverages an existing lookup table to add output fields
When adding fields, what does a Regular Expression field do?
Extracts a new field from the event using a regex you define
When adding fields, what does a Geo IP field do?
Adds geographical fields such as latitude/longitude, country, etc. derived from an IP address field
What are auto-extracted fields?
Fields that already exist for the constraint can be added as attributes to the data model
What are the field types in data models?
- String: field values are recognized as alpha-numeric
- Number: field values are recognized as numeric
- Boolean: field values are recognized as true/false or 1/0
- IPV4: field values are recognized as IP addresses. This is an important field type, as at least one IPV4 attribute must be present in the data model in order to add a Geo IP attribute
What are the different options when using the field flags?
- Optional: this field doesn’t have to appear in every event
- Required: only events that contain this field are returned in Pivot
- Hidden: this field is not displayed to Pivot users when they select the dataset in Pivot. Use the hidden option for fields that are only being used to define another field, such as an eval expression
- Hidden & Required: only events that contain this field are returned, and the field is hidden from use in Pivot
Can you use an eval expression to define a new field?
Yes you can use an eval expression
When adding a lookup as a field, how should you configure it?
The same way as an automatic lookup: choose the lookup table, the input field to match on, and the output fields to add
What do you use to test your lookup field?
Use the preview to test your lookup settings and use the events and values tab to verify your results
Can you define a new field using a regular expression?
Yes you can use a regular expression
What do map visualizations require?
Latitude/Longitude fields
When using the Geo IP lookup what must be configured?
At least one IP field must be configured as an IPv4 type
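The cards above describe the five ways to add a field (auto-extracted, eval expression, lookup, regular expression, Geo IP), the String/Number/Boolean/IPV4 field types, and the Optional/Required/Hidden flags. The following is an added example, not Splunk's own code: a toy that materializes such field definitions over a few constructed web events, drops events that lack a Required field, hides fields from the Pivot field list, and refuses a Geo IP field whose source is not typed IPV4. Eval expressions are plain Python callables here rather than SPL, the regex convention (a named group matching the field name), the lookup table and the prefix-to-country Geo IP map are all invented for the example, and a value that fails its declared type is treated as absent, which is this toy's choice rather than documented Splunk behaviour.

```python
"""Toy materialization of data-model fields, field types and field flags.
Added example, not Splunk code; all tables and events are constructed."""
import ipaddress
import re


def is_ipv4(value):
    """IPV4 type check: the value must parse as an IPv4 address."""
    try:
        return isinstance(ipaddress.ip_address(str(value)), ipaddress.IPv4Address)
    except ValueError:
        return False


# Type recognizers for the four data-model field types.
TYPE_CHECKS = {
    "string": lambda v: True,
    "number": lambda v: isinstance(v, (int, float))
    or str(v).lstrip("-").replace(".", "", 1).isdigit(),
    "boolean": lambda v: str(v).lower() in {"true", "false", "1", "0"},
    "ipv4": is_ipv4,
}

# Constructed lookup table (status code -> description) and an invented
# Geo IP prefix -> country map using RFC 5737 documentation ranges.
STATUS_LOOKUP = {"200": "OK", "404": "Not Found", "503": "Service Unavailable"}
GEO_PREFIXES = {"203.0.113.": "AU", "198.51.100.": "US"}

# Constructed field definitions for an event dataset.  "source" names the
# field a derived field reads from; "expr" is the toy stand-in for an eval.
FIELDS = [
    {"name": "clientip", "kind": "auto", "type": "ipv4", "required": True},
    {"name": "status", "kind": "auto", "type": "number", "required": True},
    {"name": "raw_uri", "kind": "auto", "type": "string", "hidden": True},
    {"name": "path", "kind": "regex", "source": "raw_uri",
     "pattern": r"^(?P<path>[^?]+)", "type": "string"},
    {"name": "status_desc", "kind": "lookup", "source": "status",
     "table": STATUS_LOOKUP, "type": "string"},
    {"name": "is_error", "kind": "eval", "expr": lambda e: e["status"] >= 400,
     "type": "boolean"},
    {"name": "client_country", "kind": "geoip", "source": "clientip", "type": "string"},
]

# Constructed sample events, already field-extracted.
EVENTS = [
    {"clientip": "203.0.113.10", "status": 404, "raw_uri": "/admin?x=1"},
    {"clientip": "198.51.100.4", "status": 200, "raw_uri": "/"},
    {"status": 503, "raw_uri": "/api"},                       # no clientip: Required, dropped
    {"clientip": "not-an-ip", "status": 503, "raw_uri": "/api"},  # fails IPV4 type, dropped
]


def validate_fields(fields):
    """Geo IP needs an IPV4-typed field in the model to read the address from."""
    types = {f["name"]: f["type"] for f in fields}
    for f in fields:
        if f["kind"] == "geoip" and types.get(f.get("source")) != "ipv4":
            raise ValueError(
                f"Geo IP field {f['name']!r} needs an IPV4-typed source field")


def _compute(field, event):
    """Return the field's value for this event, or None when it cannot be derived."""
    kind = field["kind"]
    if kind == "auto":
        return event.get(field["name"])
    if kind == "regex":
        src = event.get(field["source"])
        m = re.search(field["pattern"], src) if src is not None else None
        return m.group(field["name"]) if m else None
    if kind == "lookup":
        return field["table"].get(str(event.get(field["source"])))
    if kind == "eval":
        try:
            return field["expr"](event)
        except (KeyError, TypeError):
            return None
    if kind == "geoip":
        ip = str(event.get(field["source"]))
        return next((c for p, c in GEO_PREFIXES.items() if ip.startswith(p)), None)
    raise ValueError(f"unknown field kind {kind!r}")


def materialize(events, fields):
    """Apply the field definitions in order; keep only events that satisfy every Required field."""
    validate_fields(fields)
    out = []
    for raw in events:
        event, keep = dict(raw), True
        for f in fields:
            value = _compute(f, event)
            if value is not None and not TYPE_CHECKS[f["type"]](value):
                value = None  # toy choice: wrong-typed value treated as absent
            if value is None:
                if f.get("required"):
                    keep = False
                    break
                event.pop(f["name"], None)
                continue
            event[f["name"]] = value
        if keep:
            out.append(event)
    return out


def pivot_visible(fields):
    """Field names offered to Pivot users: everything not flagged Hidden."""
    return [f["name"] for f in fields if not f.get("hidden")]


if __name__ == "__main__":
    for row in materialize(EVENTS, FIELDS):
        print(row)
    print("Pivot sees:", pivot_visible(FIELDS))
```

Running the block prints the two surviving events with their derived path, description, error flag and country, and the field list Pivot would offer, which omits the hidden raw_uri even though it was needed to build path.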
While the map function isn't available in Pivot, the data model can be called from the search bar using what?
pivot command and
When creating a new child dataset, what should you give it?
One or more additional constraints that narrow the parent's search
Child datasets inherit all fields from where?
From the parent dataset; you can then add more fields to the child dataset
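The cards on constraints and child datasets say that each child inherits the parent's search string and fields and adds its own. The following is an added example, not Splunk's own code: a toy three-level data model (root event dataset, child, grandchild) with functions that compute a dataset's effective search and field list from its lineage, plus a Preview-style matcher that runs the effective search over constructed events. The constraint evaluator understands only `field=value`, `field!=value` and `field>=n` style terms joined by implicit AND, a deliberate simplification of SPL; the dataset names, constraints and events are all invented for the example.

```python
"""Toy model of constraint and field inheritance in a Splunk data model.
Added example, not Splunk code; model and events are constructed."""
import operator
import re

# Constructed data model: dataset name -> (parent name, own constraint, own fields).
MODEL = {
    "Web": (None, "sourcetype=access_combined", ["clientip", "status", "uri"]),
    "Web.Errors": ("Web", "status>=400", ["bytes"]),
    "Web.Errors.Server": ("Web.Errors", "status>=500", []),
}

# Constructed sample events, already field-extracted.
EVENTS = [
    {"sourcetype": "access_combined", "clientip": "10.0.0.5", "status": 200, "uri": "/", "bytes": 512},
    {"sourcetype": "access_combined", "clientip": "10.0.0.9", "status": 404, "uri": "/admin", "bytes": 0},
    {"sourcetype": "access_combined", "clientip": "10.0.0.7", "status": 503, "uri": "/api", "bytes": 30},
    {"sourcetype": "syslog", "host": "fw1", "status": 503},  # wrong sourcetype, never in the model
]

# Toy constraint grammar: one term per whitespace-separated token.
TERM = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")
OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}


def lineage(model, name):
    """Dataset names from the root down to `name`."""
    chain = []
    while name is not None:
        chain.append(name)
        name = model[name][0]
    return list(reversed(chain))


def effective_search(model, name):
    """A child inherits the parent's search string: the effective search is the
    root constraint followed by every descendant constraint (implicit AND)."""
    return " ".join(model[n][1] for n in lineage(model, name))


def effective_fields(model, name):
    """Fields inherit from the parent; a child may add more but never removes any."""
    fields = []
    for n in lineage(model, name):
        fields.extend(f for f in model[n][2] if f not in fields)
    return fields


def _coerce(wanted, actual):
    """Compare numerically when the event value is numeric, as a string otherwise."""
    if isinstance(actual, (int, float)):
        try:
            return float(wanted), float(actual)
        except ValueError:
            pass
    return wanted, str(actual)


def matches(search, event):
    """True when every term of the search holds for the event."""
    for term in search.split():
        m = TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        field, op, wanted = m.groups()
        if field not in event:
            return False
        want, have = _coerce(wanted, event[field])
        if not OPS[op](have, want):
            return False
    return True


def preview(model, name, events):
    """What the Preview button shows: the events the dataset's effective search returns."""
    search = effective_search(model, name)
    return [e for e in events if matches(search, e)]


if __name__ == "__main__":
    for name in MODEL:
        print(name, "->", effective_search(MODEL, name), effective_fields(MODEL, name))
        print("  preview:", [e.get("uri") for e in preview(MODEL, name, EVENTS)])
```

Each level returns a subset of its parent's preview, which is exactly why a child dataset only ever needs the extra constraint and the extra fields, never a restatement of the parent's search.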
How do you test the data model?
- Click Pivot to open the Select a Dataset window
- Choose a dataset from the data model to begin building the report
True or False: The new Pivot window automatically populates with a count of events for the selected dataset.
True
When using fields with Pivots how are the fields associated with each dataset?
As splits for rows or columns
What is another way to filter events in the Pivot interface?
By using fields
What are data model search datasets?
Arbitrary searches that include transforming commands to define the dataset that they represent
Can search datasets also have fields?
Yes they can, by clicking the “Add Field” button
What do data model transaction datasets do?
Enable the creation of datasets that represent transactions. Use fields that have already been added to the model using event or search datasets
True or False: You can add a transaction dataset to a data model.
True
After adding a transaction to a data model you can then add?
An eval expression or any other field (lookup, regular expression, GeoIP) to your transaction to further define the results.
What are some of the things that you should consider when using Search and Transaction Datasets?
- there must be at least one event or search dataset before adding a transaction dataset
- search and transaction datasets cannot benefit from persistent data model acceleration
- as you learn to create data models, consider the types of reports your users will run
When a data model is created, the owner can determine access based on the following permissions:
- Who can see the data model:
  - owner
  - app
  - all apps
- Which users can perform which actions (Read/Write):
  - everyone
  - power user
  - admin-defined roles, if applicable
What can you use the Splunk Web interface to do with data models?
- download and upload data models
- backup important data models
- collaborate with other Splunk users to create/modify/test data models
- move data models from a test environment to production instance
An ___ supported browser must be used to download data models
HTML 5
What does data model acceleration do?
- Uses automatically created summaries to speed up completion times for pivots
- The summaries take the form of inverted time-series index (tsidx) files that have been optimized for speed
What happens with persistent data model acceleration?
All fields in the model become “indexed” fields
Only root events can be accelerated. If there are multiple root events, which one gets accelerated?
Only the first root event gets accelerated
Which of the following must you have in order to accelerate a data model?
Admin permissions or the accelerate_datamodel capability
Can private data models be accelerated?
No, they cannot be accelerated
Can accelerated data models be edited?
No, accelerated data models cannot be edited; you must disable acceleration first