Add the sample data into Splunk Enterprise
1. Log into Splunk.
If you're not in Splunk Home, click the Splunk logo on the Splunk bar.
2. In the Data panel, click Add data.
The Add data window opens, which provides a list of data types and sources that you can select from. The tutorial data is a compressed file source.
3. Under Or Choose a Data Source, click From files or directories.
The Data preview dialog box opens, which lets you preview the data before you add it to a Splunk index. For this tutorial, you do not do this. To read more about data preview, see Overview of data preview in the Getting Data In manual.
4. Select Skip preview and click Continue.
This takes you to the Add new Files & directories view, where you tell Splunk how to access the data source.
5. Under Source, select Upload and index a file and browse for the tutorial data file, tutorialdata.zip.
The source of a file or directory is the full pathname to the file or directory.
6. Select More settings.
The More settings option lets you override the default settings for Host, Source type, and Index. For this tutorial, you need to modify the host settings to assign host names to the events based on the file's location in the compressed file.
6.1. Select Segment in path from the menu.
6.2. Type in 1 for the segment number.
7. Click Save.
A message appears saying the upload was successful.
8. Click the Splunk logo on the Splunk bar to return to Home.
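The Segment in path setting from step 6 decides which host each event is attributed to. The following is an added sketch, not Splunk's code and not part of the original tutorial, that models it on a constructed archive. The member names, the default host name and the fallback for an out-of-range segment number are assumptions.

```python
import io
import zipfile
from collections import defaultdict

DEFAULT_HOST = "indexer01"  # constructed stand-in for the instance's default host

# Constructed archive layout (assumption): five directories, eight log files.
SAMPLE_MEMBERS = [
    "www1/access.log", "www1/secure.log",
    "www2/access.log", "www2/secure.log",
    "www3/access.log", "www3/secure.log",
    "mailsv/secure.log",
    "vendor_sales/vendor_sales.log",
]

def host_from_segment(path, segment, default_host=DEFAULT_HOST):
    """Return the Nth '/'-separated path segment (1-based) as the host name."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if segment < 1 or segment > len(parts):
        # Assumption of this sketch: an unusable segment number falls back
        # to the default host instead of raising.
        return default_host
    return parts[segment - 1]

def build_sample_archive():
    """Build the constructed archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_MEMBERS:
            zf.writestr(name, "constructed log line\n")
    buf.seek(0)
    return buf

def hosts_for_archive(fileobj, segment):
    """Map each derived host name to the sorted list of files assigned to it."""
    by_host = defaultdict(list)
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                by_host[host_from_segment(info.filename, segment)].append(info.filename)
    return {host: sorted(files) for host, files in by_host.items()}

if __name__ == "__main__":
    for seg in (1, 2, 3):
        print(seg, hosts_for_archive(build_sample_archive(), seg))
```

With segment 1 the sketch yields five hosts covering eight files; a wrong segment number either turns file names into host names or collapses every event onto the default host, which is worth checking in the Data panel summary after an upload.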
The Data panel in Home displays a summary of the data you added. If you do not have other data in your Splunk index, the data panel looks like this.
The Data panel displays statistical data about events indexed by the local Splunk Enterprise instance. It shows how long ago data was indexed earliest and latest and the volume of data you have in this instance.
Data summary
This compressed tutorial data includes events generated for a fictitious online game store, Buttercup Games. There are five hosts and eight sources. The events represent data from three source types:
• Apache web server logs
• Secure server logs
• Global sales vendors
Currently, the examples in this tutorial use the Apache web server logs. This may change in future iterations.
Find the Lookups manager
1. In the Splunk bar, on the upper right, click Settings.
2. Under Knowledge, click Lookups.
This opens the Lookups editor where you can create new lookups or edit existing ones.
You can view and edit existing lookups by clicking on the links in the table for Lookup table files, Lookup definitions, and Automatic lookups.
Upload the lookup table file
1. In the Lookups manager under Actions for Lookup table files, click Add new.
This takes you to the Add new lookup table files view where you upload CSV files to use in your definitions for field lookups.
2. To save your lookup table file in the Search app, leave the Destination app as search.
3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.
4. Under Destination filename, name the file prices.csv.
This is the name you use to refer to the file in a lookup definition.
5. Click Save.
This uploads your lookup file to the Search app and returns to the lookup table files list.
Note: If Splunk does not recognize or cannot upload the file, check that it was uncompressed before you attempt to upload it again.
Share the lookup table file globally
If the lookup file is not shared, you cannot select it when you define the lookup.
1. Go to the Lookup table files list.
2. Under Sharing for the prices.csv lookup table's Path, click Permissions.
This opens the Permissions dialog box for the prices.csv lookup file.
3. Under Object should appear in, select All apps.
4. Click Save.
Add the field lookup definition
1. Return to the Lookups manager.
2. Under Actions for Lookup definitions, click Add New.
This takes you to the Add new lookup definitions view where you define your field lookup.
3. Leave the Destination app as search.
4. Name your lookup prices_lookup.
5. Under Type, select File-based.
File-based lookups add fields from a static table, usually a CSV file.
6. Under Lookup file, select prices.csv (the name of your lookup table).
7. Leave Configure time-based lookup and Advanced options unselected.
8. Click Save.
This defines prices_lookup as a file-based lookup.
Share the lookup definition with all apps
1. Return to the Lookup definitions list.
2. Under Sharing for prices_lookup, click Permissions.
The Permissions dialog box for prices_lookup opens.
3. Under Object should appear in, select All apps.
4. Click Save.
Navigate to the data model management page
Data models are created in Pivot.
1. If you're not in Splunk Home, click on the Splunk logo in the Splunk bar to return to Home.
2. Under the Search & Reporting app, click Pivot.
This takes you to the Select a Data Model page. This page exists to enable Pivot users to choose the data model they wish to use to create a pivot.
3. Next, click Manage Data Models to bring up the Data Models management page.
The Data Models management page is a listing page of data models. It lets you manage the permissions, acceleration, cloning, and removal of existing data models. It also lets you create new data models.
Create a new data model
1. In the Data Models management page, click New Data Model.
This opens the New Data Model dialog box.
2. Enter the Title: Buttercup Games
The Title field accepts any character, as well as spaces. The value you enter here is what appears on the data model listing page.
3. (Optional) Enter the ID: Tutorial
If you don't change the ID, it automatically reads Buttercup_Games. The ID must be a unique identifier for the data model. It cannot contain spaces or any characters that aren't alphanumeric, underscores, or hyphens (a-z, A-Z, 0-9, _, or -). Spaces between characters are also not allowed. Once you define the data model ID, you can't change it.
4. Select the Search & Reporting App from the menu.
5. (Optional) Enter the Description: Enable data analysis and reporting for tutorial data.
6. Click Create to open the Buttercup Games Edit Objects page.
This page lets you create ob
Edit data model objects
1. From the Data Models list, click Buttercup Games.
This opens the Buttercup Games ob
Use the Edit Ob
Add a root object
Data models are typically composed of ob
1. To define the data model's first event base ob
Your first root ob
This takes you to the Add Event Object editor.
3. Enter the Ob
The Object Name field can accept any character, as well as spaces. It's what you'll see on the Choose an Ob
This should automatically populate when you type in the Ob
This defines the web access page requests that are purchase events. After you provide Constraints for the event base ob
6. Click Save.
The list of attributes for the root ob
Add automatically extracted attributes
1. In the Buttercup Games ob
2. Select Auto-Extracted.
The Add Auto-Extracted Field window opens.
The Auto-extracted attribute type is a field that Splunk extracts at search time. It can be a field that Splunk auto-extracts out of the box (such as a default field) or an extraction that you have defined in Manager or configured in props.conf and transforms.conf.
2. Scroll through the list of automatically extracted fields and check the action, categoryId, productId, and status fields.
For the field status, under Type, make sure the data type is Number and you can leave it as Optional. Ob
3. Click Save.
Add lookup attributes from lookup tables
Creating a lookup attribute requires at least one lookup definition defined in the Lookups manager. The lookup definition tells Splunk where the lookup table is and how to connect to it. Once the lookup definition is in place, Splunk can match the values of the attribute you choose to values of a field in the lookup table and then return corresponding field/value combinations and apply them to your ob
Also, lookup attributes are added from lookup definitions that are not automatic. If you define an automatic lookup, then the fields will already be added to the events. In this case, they would appear in the list of automatically extracted attributes.
1. In the Buttercup Games ob
2. Select Lookup from the list of attribute options.
This opens the Edit Attributes with a Lookup page.
3. Select the Lookup Table, prices_lookup.
The prices_lookup file has descriptive product names and prices for each of the items sold on the Buttercup Games website. You need to configure a lookup attribute to add those fields to the Purchase Requests ob
,*ediocre ?ingdom,@.;;,>;.;;,A
4. Under Input, select productId for the Field in lookup and Attribute.
The Field in Lookup is the name of the field used in the csv lookup table. The Attribute is the name of the field used in the event data.
5. Under Output, select the productname and price fields.
6. For productname, enter the Display Name productName.
7. Click Preview to see a sample of events and field values that match these lookup attribute constraints.
8. Click Save.
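The matching that the lookup attribute performs (input field productId, output fields productname and price, display name productName) can be modelled as follows. This is an added example, not Splunk's implementation and not part of the original tutorial. The CSV rows and events are constructed sample values, and the sketch assumes each productId appears once in the table.

```python
import csv
import io
from collections import Counter

# Constructed lookup table. Column names follow the tutorial's field names;
# the rows are sample values, not the contents of the real prices.csv.
PRICES_CSV = """productId,productname,price
GAME-01,Sample Game One,9.99
GAME-02,Sample Game Two,24.50
"""

# Constructed events carrying the auto-extracted attributes named on the page.
EVENTS = [
    {"action": "purchase", "categoryId": "STRATEGY", "productId": "GAME-01", "status": 200},
    {"action": "purchase", "categoryId": "ARCADE", "productId": "GAME-02", "status": 200},
    {"action": "purchase", "categoryId": "ARCADE", "productId": "GAME-99", "status": 200},
    {"action": "purchase", "categoryId": "STRATEGY", "status": 503},
]

def load_lookup(csv_text, field_in_lookup):
    """Index the lookup table by its input field (assumed unique per row)."""
    return {row[field_in_lookup]: row for row in csv.DictReader(io.StringIO(csv_text))}

def apply_lookup(event, table, attribute, outputs):
    """Return a copy of event with the output fields of the matching row.

    attribute: event field whose value is matched against the table key.
    outputs:   {field in lookup: display name on the event}.
    """
    enriched = dict(event)
    row = table.get(event.get(attribute))
    if row is not None:
        for lookup_field, display_name in outputs.items():
            enriched[display_name] = row[lookup_field]
    return enriched

def enrich_all(events=EVENTS, csv_text=PRICES_CSV):
    """Apply the tutorial's lookup attribute settings to every event."""
    table = load_lookup(csv_text, "productId")
    outputs = {"productname": "productName", "price": "price"}
    return [apply_lookup(e, table, "productId", outputs) for e in events]

def unmatched_values(events, attribute="productId", output="productName"):
    """Count attribute values that got no lookup output (gaps in the table)."""
    return Counter(e.get(attribute, "<missing>") for e in events if output not in e)

if __name__ == "__main__":
    enriched = enrich_all()
    for event in enriched:
        print(event)
    print("unmatched:", dict(unmatched_values(enriched)))
```

Events whose productId is absent from the table, or that carry no productId at all, pass through without the output fields, so a pivot split by productName will silently leave them out.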
Add a child object
1. In the Buttercup Games ob
This opens an editor window, Add Child Ob
2. Enter the Ob
This means that this child ob
This means that the search for the events in this ob
6. Click Save.
Add a second child object
Follow steps >4B to add another child ob
Pivot views
You can access Pivot from Splunk Home by selecting Pivot from the Search & Reporting app workspace.
Entering Pivot takes you to the Select a Data Model page, where you should see a list of the data models if any have been created. For example, this list includes the Buttercup Games data model that you created earlier in this tutorial. It also includes two sample data models that track Splunk Enterprise internal and audit logs.
If you click on a data model, it takes you to the Select an Object page, which lists all the ob
You can click the arrow to show/hide the constraints and attributes associated with each ob
Components of Pivot
In the data model Select an Object view, selecting an ob
• Save as...: Save the current report as a new one (Report) or as a dashboard panel (Dashboard Panel).
• Clear: Reset the interface to its initial state, which will dismiss the saved report (if applicable), change the visualization type to Statistics Table, and populate the report with a single Column Value for the count of the ob
Job Action Bar: These buttons control the progress of the pivot
Create a new Pivot
When you set out to design a report, you first need to select a data model that represents the broad category of event data that you want to work with. For this tutorial, that data model is the Buttercup Games.
1. From the app navigation bar, select Pivot to enter the Select a Data Model page.
2. In the data model list, click Buttercup Games.
This takes you to the Select an Object page.
The Buttercup Games data model has a root ob
This opens a New Pivot editor for the Purchase Requests ob
By default, the Pivot Editor interface displays elements to define a pivot table. There are four basic pivot element categories: Filters, Split Rows, Split Columns, and Column Values. When you first open the Pivot Editor for a specific ob
• A time range Filter element (set to All time).
• A Column Value element (set to Count of ob
This gives you the single value, which is the total count of events returned by the ob
• By default, the time range filter element is set to All time.
• Single value visualizations (single value, the three gauge types) use the first column value element to get their single value. Here, it's Count of Purchase Requests.
• Single value visualizations do not use Split Row or Split Column elements.
Save the Pivot as a report
After you define a pivot, you can save it as either a report or a dashboard panel. In this example, you will save the single value display as a report. Dashboards and dashboard panels will be discussed in a later chapter.
1. Click Save As... and select Report.
The Save as Report dialog box opens.
2. Enter a Title Total Purchase Requests and Description (optional).
3. Select Yes to include the time range picker. (This should be the default.)
4. Click Save.
After the report saves, a window displays that Your report has been created. You can continue editing the current Pivot, add the pivot to a dashboard, change additional settings for the saved report, or view the report.
5. Close the dialog box.
A report that is created from Pivot will always be saved under the current app and owner namespace.
1. Click Reports in the app navigation bar to view the list of all saved reports.
2. Click Total Purchase Requests to view the report.
Define a new Pivot
1. From the app navigation bar, select Pivot to enter the Select a Data Model page.
2. Choose the Buttercup Games data model and select the Successful Purchases child ob
The New Pivot editor for Successful Purchases opens.
Add pivot elements
You can add multiple elements from each pivot element category to define your pivot table. It's easy to add, define, and remove pivot elements in the process of determining what information your table should provide.
• To add a pivot element: Click the + icon. This opens up the element dialog, where you choose an attribute and then define how the element uses that attribute.
• To inspect or edit an element: Click the pencil icon on the element. This opens the element dialog.
• To reorder and transfer pivot elements: Drag and drop an element within its pivot element category to reorder it. Drag and drop elements between element categories to transfer them.
• To remove pivot elements from the Pivot Editor: Open its element dialog and click the Remove button, or drag the element up or down until it turns red and drop it.
Under Filters, the time filter is always present when you build a pivot; you cannot remove it. It defines the time range for which the pivot returns results. It operates exactly like the time range menu that is in use throughout Splunk Web. For more information, see Select time ranges to apply to your search in the Search Manual.
Currently your Pivot table shows a single value, the total count of Successful Purchases over All time. Change the time filter to view the Successful Purchases over a different time range:
1. Under Filters, click the pencil next to All time to open the time range picker.
2. Under Presets and Relative, click Last day.
(If this shows no events, you can select All time and continue.)
Add Pivot elements to see the Count of Successful Purchases for each product by name:
1. Under Split Rows, click + and select productName, the lookup field that contains the name of each product, based on the productId.
This opens a dialog box that lets you format the field.
2. Rename the field, Product Name and click Add To Table.
Add another column to the table, to also display the price field:
1. Under Split Rows, click + and select price.
2. Rename the field, Price and select Add To Table.
Add a Column
In the dialog box, format the field:
2. Enter the label Totals.
3. Select the Value Sum.
4. Click Add To Table.
Save the pivot table
Save the pivot table as a report named Purchases by Product.
1. Click Save as and select Report.
In the Save as Report dialog box:
2. Enter the Title Purchases by Product.
3. (Optional) Add the Description Table of Product Purchases.
4. Include a Time Range Picker.
5. Click Save.
6. Close the Your Report Has Been Created dialog box.
Define a new Pivot
1. From the app navigation bar, select Pivot to enter the Select a Data Model page.
2. Choose the Buttercup Games data model and select the Successful Purchases child ob
The New Pivot editor for Successful Purchases opens.
Visualization types are listed in the black sidebar that runs down the left-hand side of the Pivot editor. By default, the statistics table visualization is selected when you enter Pivot. It can be helpful to begin building your pivot as a table and then switch over to the visualization of your choice. When you switch between pivot visualization types, Pivot will find the elements it needs to create the visualization, discard the elements it doesn't need, and notify you when needed elements need to be defined. This applies when you're switching between tables and charts as well as between chart types.
Add pivot elements
In the last topic, we looked at purchases by product ID and name. Now, let's report on the count of successful purchases by category. Add a Split Row for the categoryId field.
1. Under Split Rows, click + and select categoryId from the list.
2. Enter the label Category and click Add to table.
This returns the following Pivot table.
Change the visualization type
1. Click the Column Chart icon from the visualization bar.
The New Pivot editor for the Column chart appears.
Column charts use the first split row element in pivot table definitions to provide their X axis values. In this case, that Split Row is Category. Column charts use the first column value element in pivot table definitions to provide their Y axis values. Here, that Column
This data can also be visualized as a pie chart.
2. Click the Pie Chart icon from the visualization bar.
Pie charts use the values from the first Split Row element (Category) to determine the number and colors of their slices. Pie charts use the first Column
Mouseover a slice of the pie chart to view the metrics: Category, Count of Successful Purchases, and percentage of the total Count of Successful Purchases.
Save a Pivot as a dashboard panel
You
This opens the Save as Dashboard Panel dialogue.
2. Define a new dashboard to save the panel to:
• For Dashboard, click New.
• Enter the Dashboard Title: Buttercup Games. The Dashboard ID will update with Buttercup_games.
• (Optional) Add a Dashboard Description: Reports on Buttercup Games online shop data.
3. Define the dashboard panel:
• Enter the Panel Title: Successful Purchases by Category
• Leave the Panel Powered By as Inline search.
4. Click Save.
The dashboard was successfully created. Now, let's take a look at it and add more panels to the dashboard.
5. To continue, click
This takes you to the Dashboards listing page.
You can Create a new dashboard and edit existing dashboards. You see the Buttercup Games dashboard you
There are also quick links to edit the dashboard's Schedule and Permissions inline with the information. To view the dashboard, click the dashboard's Title or select the Edit option under Actions.
Note: If you click to view a dashboard and you cannot view it (or it displays blank), check that you have read access to the data model. To do this, go to the Manage Data Models view and edit the Permissions for the Buttercup Games data model to share in the App.
Add an input to the dashboard
1. Return to the Buttercup Games dashboard.
2. Click Edit and select Edit Panels.
The Edit: Buttercup Games view opens.
In this view, you have edit buttons: Add Input, Add Panel, and Edit Source.
2. Click Add Input and select Time.
This adds a time range picker to the dashboard editor.
4. Click Done.
The time range picker lets you restrict all the inline searches that power the panels to the same time range.
Add a saved report to the dashboard
Add another panel using one of the saved reports you created earlier.
1. Return to the Buttercup Games dashboard.
2. Click Edit and select Edit Panels.
3. In the Edit: Buttercup Games view, click Add Panel.
The Add Panel dialog box opens.
4. Enter the Content Title, Total Purchase Requests.
5. For Content Type, click Report.
6. From list of saved reports, select Total Purchase Requests.
7. Click Add Panel.
Now you're returned to the dashboard editor page, and you should see two panels. While in the dashboard editor view, you can drag and drop a panel to rearrange it on the dashboard.
8. Move the single value display so that it is next to the pie chart.
9. Click Done.
Your dashboard should look like this:
Add another panel to the dashboard
1. Follow Steps > to ; to add the pivot table you saved as Purchases by Product to the dashboard.
2. Rearrange the dashboard panels so that the completed dashboard looks like this: