Chapter 4. Data Models and Pivot
Splunk data models and the Pivot tool are key features that enable users to generate statistical data and charts without the complexity of the Search Processing Language (SPL). A data model is a hierarchical mapping of data based on search results. It is analogous to the concept of schemas in a relational database. The output of the search queries associated with the data model can be visualized as a set of rows and columns in a spreadsheet. The data is further subdivided by attributes, which are essentially extracted fields that are similar to those discussed in Chapter 2, Bringing in Data. Since data models are essentially rows and columns of data, we can use them to generate a Pivot table to provide a myriad of different, summarized results.
In this chapter, we will learn how to:
- Create a data model
- Enable acceleration for the data model
- Make a Pivot table
- Visualize data using area charts, pie charts, and single value with trend sparklines
Creating a data model
Before you can create a Pivot table, you need to develop a set of rows and columns through the creation of a data model. To do this, perform the following steps:
- In the Destinations app, click on the Pivot link in the top menu. Observe the Select a Data Model page, which will be empty until you have created your first data model.
- Click on the Manage Data Models button in the upper-right corner of the screen to proceed.
- In the Data Models screen, click on New Data Model.
- Give your new data model a title and ID and ensure that it is created in the Destinations app. Refer to the following screenshot as a guide:
- Click on Create. You are now in the Destinations data model editing page.
- Click on the Add Object dropdown and select Root Event. The concept of data model hierarchy is now in play. The Root Event or Root Search is the base search that will populate the data for the entire data model tree.
- Populate the Root Event with the fields seen in the following screenshot. We want to create a data model for our Eventgen data so we use
index=mainas the primary constraint:
- Click on Preview to ensure that the
index=mainsearch returns the expected results. Click on Save.
After saving the root event, there will be attributes that will be created as default. Because data models respect hierarchies, these initial attributes will be inherited by all child objects. Attributes or fields that are generic to all data regardless of search constraints need to be created in the root object.
Adding attributes to objects
There are different ways to add an attribute to an object. In this book we will utilize extracted attributes based on fields and regular expressions. Go ahead and carry out these steps:
- Click on the Add Attribute dropdown and select Auto-Extracted.
- Scroll down the list of auto-extracted fields and select the fields that we have manually extracted in Chapter 2, Bringing in Data, as listed and shown in the bullet list followed by the screenshot:
http_methodhttp_porthttp_response_timehttp_status_codehttp_urihttp_user_agent
- If you look closely, you'll see Splunk has automatically classified the attributes based on its assumed data type (for instance String for
client_ipand Number forhttp_status_code). You can do the same steps if you missed an attribute.
Your newly-added attributes are now in the Extracted section and will also be inherited by all child objects, as a child object in Splunk inherits the constraints and attributes of a parent object.
Creating child objects
To create a child object, do the following:
- Select the WebLogs event, click on the Add Object dropdown, and select Child.
- Populate the form with the following information. Click on Save to proceed.
- Object Name:
Authenticated - Additional Constraints:
http_uri="/auth"
- Object Name:
- Click on Preview to review.
- Click on Save to proceed.
- Click on the Authenticated child object (under WebLogs in the upper left) and observe that all the attributes of the root object have been inherited.
Create more child objects of the root object, WebLogs:
|
Object name |
Additional constraints |
|
Booking Confirmation |
|
|
Booking Payment |
|
|
Destination Details |
|
|
Destinations Search |
|
You now have five child objects that are differentiated by the pages viewed in your web log as shown in the following screenshot:
Creating an attribute based on a regular expression
Now we are going to create an attribute based on a regular expression, which is a specialized text string that describes a search pattern. What we want to do is extract the airport code that is part of the Destination Details URI:
http_uri="/destination/MIA/details"
To do this, we have to create an attribute in the Destination Details object. Take these steps:
- Select the Destination Details object, click on the Add Attribute dropdown, and select Regular Expression.
- In the Regular Expression field, type in the following text:
/destination/(?<AirportCode>.+?)/details
- Click on the blank area outside the text box to populate the Attributes field as shown in the following screenshot.
- Change the display name to
Airport Code:
- Click on Preview and make sure that the airport codes are highlighted in the events. You can also click the Airport Code tab to see them summarized. Also, click the Non-Matches button and ensure that no events are shown:
- Click on Save to proceed.
Now that you have built your first data model, it is time to prepare it for use in Pivot. Here are the steps to perform:
- Change the permission of the data model so all other Splunk users can use it in the context of the Destinations app. On the Edit dropdown, select Edit Permissions:
- Change the permission of the data model so that it is available for the Destinations app. Click on App on the Display For button set.
- Set the Read permission to Everyone and the admin group to Write:
- Click on Save to continue. In the next section, we will introduce you to data model acceleration and how to enable it.
Data model acceleration
When you enable acceleration for a data model, Splunk internally summarizes the data defined by the data model in a given time range. This gives a tremendous boost to the search speed for your data model. There are a couple of things to remember when you enable data model acceleration:
- Once you enable acceleration for a data model, you will no longer be able to edit the data model objects. Ensure that you have properly configured your child objects and attributes before you decide to accelerate. A huge data model may take some time to complete the acceleration process, so plan accordingly. You will only be able to edit the data model again if you disable the acceleration.
- Select your summary range wisely. The summary range is the calculation time span that the acceleration will use against your data. The summary range can span 1 day, 7 days, 1 month, 3 months, 1 year, and so on. Search acceleration is based on time ranges. Only those that fall within the selected time range will be accelerated. If you need to accelerate for 5 days, then it is safe to select 7 days. However, if you run the report for 10 days, the searches beyond the selected acceleration range will execute at a normal speed.
- Acceleration will take up disk space. A large data model with a lengthy summary range will occupy much more disk space than your current index.
In this exercise, you will enable data model acceleration with a summary range of 7 days.
You will want to follow these steps very carefully:
- Once again in the Edit dropdown, select Edit Acceleration:
- In the Edit Acceleration prompt, check the Accelerate box and select 7 Days as your Summary Range. These options are seen in the following screenshot:
- Click on Save to kick off the acceleration process. Notice that Splunk will issue a warning that the data model is locked and can no longer be edited unless you disable acceleration:
- Let us check the status of the acceleration process. Go back to the Data Models main page and expand the Destinations data model by clicking the side > next to Destinations. You should see information that is similar to the following screenshot:
- Under the Acceleration section, you will see a sizable amount of information about the state of your data model acceleration, such as the status, access count, size on disk, summary range, buckets, and the last time it got updated. It will take a couple of minutes until the acceleration is complete. Keep refreshing the page until the Status says 100.00% Completed, as shown in the following screenshot:
Now that the data model has been fully constructed and accelerated, it is time to use it with the Pivot Editor.
The Pivot Editor
Now we will begin to make a Pivot table; follow these directions:
- Go back to the Destinations app and click on Pivot in the main menu.
- This time, simply click on the WebLogs object. You will see a page as shown in the following screenshot with a count of all WebLogs data for All Time:
We have highlighted different sections in this page. The navigation bar icons to the left of the screen represent the different visualization modes. The default and topmost visualization is the statistics table. You will always first construct your statistics table before you go to any of the other visualizations.
The time range functions the same throughout Splunk. Always change it to something within the scope of your acceleration summary range (7 days in this case). Filters will allow you to narrow down your dataset based on object attributes.
Split Rows and Split Columns will allow you to change the orientation of your data based on Time and Attribute. The following screenshot shows you what attributes will appear on the Split Columns dropdown:
Column Values on the other hand will allow you to select an Event or Attribute based on Time, as shown in the following screenshot:
This will all look confusing at first so it is best to walk through it by means of examples.
In the upper-right corner of the page, you will see the scope of the Pivot. This is usually the object that you clicked when you first entered the Pivot Editor. Through this dropdown, you can switch to other data models and other objects, as shown in the following screenshot. It is also a shortcut for checking the status of acceleration:
The Pivot Editor will always default to the Count of the object that was selected in the data model. That is why, in the results section, you see Count of WebLogs:
Creating a chart from a Pivot
Let us create a chart that will represent web traffic. WebLogs that have been generated by Eventgen are simulated data from a web application with varied status codes. Every line in the web log is a request from a web client (such as the browser or mobile device). In effect, the sum of all the requests and status codes equals the entire traffic of the web application.
To create a chart, do the following:
- First, change the time range to Last 7 days.
- Change Split Rows to _time and leave Periods as the default, as shown next. This is equivalent to using the
timechartfunction in SPL without specifying a span. Opt out of Totals if you do not want the bottom row of your dataset to include the summation of the entire column. In this case, we do not need Totals, so No is selected:
- Click Add To Table. The results will change to show seven rows, with the sum of the WebLogs tallied in each row. In Split Columns, add the
http_status_codeattribute to split the columns based onhttp_status_code. There will be many options available to you to tweak your data set for the Split Columns function, but for now leave them as they are. The final selection of filters is shown in the following screenshot:
Your statistics table should have changed. The count per day has now been split based on the http_status_code attribute, as shown next. Since your data model is accelerated and you have selected the time filter that fits the summary range, the results should render almost instantaneously:
Creating an area chart
Now that the statistics table has been populated with data, it is time to choose a visualization method:
- Select the Area visualization tool in the left menu bar, as shown in the following screenshot:
The next page will show you an array of options that you can choose from to change the way your area chart behaves. Depending on how long you have been running Splunk on your machine, you should see a stacked area chart similar to the following screenshot:
- Let us change the look and feel of the area chart a little bit. In the X-Axis (Time) section, choose to hide the Label. This will remove the
_timelabel on the x axis:
- In the Color (Areas) section, let's move the Legend Position to the bottom, as shown in the following screenshot:
- Your area chart is now ready to be saved as a Dashboard panel. Click on the Save As button and select Dashboard Panel.
- Let us create a new dashboard called Summary Dashboard. Make sure you change the permission to Shared in App.
- Finally, change the Panel Title to Web Traffic per Day Last 7 Days.
- Click on Save to finish and click on View Dashboard. Use the following screenshot as a guide:
You now have a dashboard that is driven by the data model that you just created. It should look similar to what is shown here:
Creating a pie chart showing destination details by airport code
We will now create a pie chart that will show us the Destination Details by Airport Code. If you recall, at the beginning of this chapter we created a data model object and used a regular expression to extract the Airport Code as a field.
These instructions will help you to create a pie chart:
- Go back to the Pivot Editor and this time, select Destination Details.
- Change your time range to Last 24 hours.
- In Split Rows, select Airport Code. Your Pivot Editor should now show something similar to the following screenshot:
- This data is sufficient to generate a pie chart. Go ahead and click the Pie Chart icon on the navigation bar to the left:
Without changing any other options, the pie chart appears. Splunk has rendered a chart subdividing the different airport codes in the last 24 hours:
- Add this to the Summary Dashboard by once again selecting Save As a Dashboard panel.
- Click on the Existing button and select Summary Dashboard.
- Give it this title: Destinations Last 24 Hrs.
- Click on Save and go to your dashboard to see the end result:
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
The Pivot Editor
Now we will begin to make a Pivot table; follow these directions:
- Go back to the Destinations app and click on Pivot in the main menu.
- This time, simply click on the WebLogs object. You will see a page as shown in the following screenshot with a count of all WebLogs data for All Time:
We have highlighted different sections in this page. The navigation bar icons to the left of the screen represent the different visualization modes. The default and topmost visualization is the statistics table. You will always first construct your statistics table before you go to any of the other visualizations.
The time range functions the same throughout Splunk. Always change it to something within the scope of your acceleration summary range (7 days in this case). Filters will allow you to narrow down your dataset based on object attributes.
Split Rows and Split Columns will allow you to change the orientation of your data based on Time and Attribute. The following screenshot shows you what attributes will appear on the Split Columns dropdown:
Column Values on the other hand will allow you to select an Event or Attribute based on Time, as shown in the following screenshot:
This will all look confusing at first so it is best to walk through it by means of examples.
In the upper-right corner of the page, you will see the scope of the Pivot. This is usually the object that you clicked when you first entered the Pivot Editor. Through this dropdown, you can switch to other data models and other objects, as shown in the following screenshot. It is also a shortcut for checking the status of acceleration:
The Pivot Editor will always default to the Count of the object that was selected in the data model. That is why, in the results section, you see Count of WebLogs:
Creating a chart from a Pivot
Let us create a chart that will represent web traffic. WebLogs that have been generated by Eventgen are simulated data from a web application with varied status codes. Every line in the web log is a request from a web client (such as the browser or mobile device). In effect, the sum of all the requests and status codes equals the entire traffic of the web application.
To create a chart, do the following:
- First, change the time range to Last 7 days.
- Change Split Rows to _time and leave Periods as the default, as shown next. This is equivalent to using the
timechartfunction in SPL without specifying a span. Opt out of Totals if you do not want the bottom row of your dataset to include the summation of the entire column. In this case, we do not need Totals, so No is selected: - Click Add To Table. The results will change to show seven rows, with the sum of the WebLogs tallied in each row. In Split Columns, add the
http_status_codeattribute to split the columns based onhttp_status_code. There will be many options available to you to tweak your data set for the Split Columns function, but for now leave them as they are. The final selection of filters is shown in the following screenshot:
Your statistics table should have changed. The count per day has now been split based on the http_status_code attribute, as shown next. Since your data model is accelerated and you have selected the time filter that fits the summary range, the results should render almost instantaneously:
Creating an area chart
Now that the statistics table has been populated with data, it is time to choose a visualization method:
- Select the Area visualization tool in the left menu bar, as shown in the following screenshot:
The next page will show you an array of options that you can choose from to change the way your area chart behaves. Depending on how long you have been running Splunk on your machine, you should see a stacked area chart similar to the following screenshot:
- Let us change the look and feel of the area chart a little bit. In the X-Axis (Time) section, choose to hide the Label. This will remove the
_timelabel on the x axis: - In the Color (Areas) section, let's move the Legend Position to the bottom, as shown in the following screenshot:
- Your area chart is now ready to be saved as a Dashboard panel. Click on the Save As button and select Dashboard Panel.
- Let us create a new dashboard called Summary Dashboard. Make sure you change the permission to Shared in App.
- Finally, change the Panel Title to Web Traffic per Day Last 7 Days.
- Click on Save to finish and click on View Dashboard. Use the following screenshot as a guide:
You now have a dashboard that is driven by the data model that you just created. It should look similar to what is shown here:
Creating a pie chart showing destination details by airport code
We will now create a pie chart that will show us the Destination Details by Airport Code. If you recall, at the beginning of this chapter we created a data model object and used a regular expression to extract the Airport Code as a field.
These instructions will help you to create a pie chart:
- Go back to the Pivot Editor and this time, select Destination Details.
- Change your time range to Last 24 hours.
- In Split Rows, select Airport Code. Your Pivot Editor should now show something similar to the following screenshot:
- This data is sufficient to generate a pie chart. Go ahead and click the Pie Chart icon on the navigation bar to the left:
Without changing any other options, the pie chart appears. Splunk has rendered a chart subdividing the different airport codes in the last 24 hours:
- Add this to the Summary Dashboard by once again selecting Save As a Dashboard panel.
- Click on the Existing button and select Summary Dashboard.
- Give it this title: Destinations Last 24 Hrs.
- Click on Save and go to your dashboard to see the end result:
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
Creating a chart from a Pivot
Let us create a chart that will represent web traffic. WebLogs that have been generated by Eventgen are simulated data from a web application with varied status codes. Every line in the web log is a request from a web client (such as the browser or mobile device). In effect, the sum of all the requests and status codes equals the entire traffic of the web application.
To create a chart, do the following:
- First, change the time range to Last 7 days.
- Change Split Rows to _time and leave Periods as the default, as shown next. This is equivalent to using the
timechartfunction in SPL without specifying a span. Opt out of Totals if you do not want the bottom row of your dataset to include the summation of the entire column. In this case, we do not need Totals, so No is selected: - Click Add To Table. The results will change to show seven rows, with the sum of the WebLogs tallied in each row. In Split Columns, add the
http_status_codeattribute to split the columns based onhttp_status_code. There will be many options available to you to tweak your data set for the Split Columns function, but for now leave them as they are. The final selection of filters is shown in the following screenshot:
Your statistics table should have changed. The count per day has now been split based on the http_status_code attribute, as shown next. Since your data model is accelerated and you have selected the time filter that fits the summary range, the results should render almost instantaneously:
Creating an area chart
Now that the statistics table has been populated with data, it is time to choose a visualization method:
- Select the Area visualization tool in the left menu bar, as shown in the following screenshot:
The next page will show you an array of options that you can choose from to change the way your area chart behaves. Depending on how long you have been running Splunk on your machine, you should see a stacked area chart similar to the following screenshot:
- Let us change the look and feel of the area chart a little bit. In the X-Axis (Time) section, choose to hide the Label. This will remove the
_timelabel on the x axis: - In the Color (Areas) section, let's move the Legend Position to the bottom, as shown in the following screenshot:
- Your area chart is now ready to be saved as a Dashboard panel. Click on the Save As button and select Dashboard Panel.
- Let us create a new dashboard called Summary Dashboard. Make sure you change the permission to Shared in App.
- Finally, change the Panel Title to Web Traffic per Day Last 7 Days.
- Click on Save to finish and click on View Dashboard. Use the following screenshot as a guide:
You now have a dashboard that is driven by the data model that you just created. It should look similar to what is shown here:
Creating a pie chart showing destination details by airport code
We will now create a pie chart that will show us the Destination Details by Airport Code. If you recall, at the beginning of this chapter we created a data model object and used a regular expression to extract the Airport Code as a field.
These instructions will help you to create a pie chart:
- Go back to the Pivot Editor and this time, select Destination Details.
- Change your time range to Last 24 hours.
- In Split Rows, select Airport Code. Your Pivot Editor should now show something similar to the following screenshot:
- This data is sufficient to generate a pie chart. Go ahead and click the Pie Chart icon on the navigation bar to the left:
Without changing any other options, the pie chart appears. Splunk has rendered a chart subdividing the different airport codes in the last 24 hours:
- Add this to the Summary Dashboard by once again selecting Save As a Dashboard panel.
- Click on the Existing button and select Summary Dashboard.
- Give it this title: Destinations Last 24 Hrs.
- Click on Save and go to your dashboard to see the end result:
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
Creating an area chart
Now that the statistics table has been populated with data, it is time to choose a visualization method:
- Select the Area visualization tool in the left menu bar, as shown in the following screenshot:
The next page will show you an array of options that you can choose from to change the way your area chart behaves. Depending on how long you have been running Splunk on your machine, you should see a stacked area chart similar to the following screenshot:
- Let us change the look and feel of the area chart a little bit. In the X-Axis (Time) section, choose to hide the Label. This will remove the
_timelabel on the x axis: - In the Color (Areas) section, let's move the Legend Position to the bottom, as shown in the following screenshot:
- Your area chart is now ready to be saved as a Dashboard panel. Click on the Save As button and select Dashboard Panel.
- Let us create a new dashboard called Summary Dashboard. Make sure you change the permission to Shared in App.
- Finally, change the Panel Title to Web Traffic per Day Last 7 Days.
- Click on Save to finish and click on View Dashboard. Use the following screenshot as a guide:
You now have a dashboard that is driven by the data model that you just created. It should look similar to what is shown here:
Creating a pie chart showing destination details by airport code
We will now create a pie chart that will show us the Destination Details by Airport Code. If you recall, at the beginning of this chapter we created a data model object and used a regular expression to extract the Airport Code as a field.
These instructions will help you to create a pie chart:
- Go back to the Pivot Editor and this time, select Destination Details.
- Change your time range to Last 24 hours.
- In Split Rows, select Airport Code. Your Pivot Editor should now show something similar to the following screenshot:
- This data is sufficient to generate a pie chart. Go ahead and click the Pie Chart icon on the navigation bar to the left:
Without changing any other options, the pie chart appears. Splunk has rendered a chart subdividing the different airport codes in the last 24 hours:
- Add this to the Summary Dashboard by once again selecting Save As a Dashboard panel.
- Click on the Existing button and select Summary Dashboard.
- Give it this title: Destinations Last 24 Hrs.
- Click on Save and go to your dashboard to see the end result:
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
Creating a pie chart showing destination details by airport code
We will now create a pie chart that will show us the Destination Details by Airport Code. If you recall, at the beginning of this chapter we created a data model object and used a regular expression to extract the Airport Code as a field.
These instructions will help you to create a pie chart:
- Go back to the Pivot Editor and this time, select Destination Details.
- Change your time range to Last 24 hours.
- In Split Rows, select Airport Code. Your Pivot Editor should now show something similar to the following screenshot:
- This data is sufficient to generate a pie chart. Go ahead and click the Pie Chart icon on the navigation bar to the left:
Without changing any other options, the pie chart appears. Splunk has rendered a chart subdividing the different airport codes in the last 24 hours:
- Add this to the Summary Dashboard by once again selecting Save As a Dashboard panel.
- Click on the Existing button and select Summary Dashboard.
- Give it this title: Destinations Last 24 Hrs.
- Click on Save and go to your dashboard to see the end result:
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
Single value with trending sparkline
We will now use one of the cooler visualizations that Splunk has by default, the single value with trending sparkline.
- Go back to Pivot and select Booking Confirmation.
- Change your time range to Last 24 hours. That's all you need to do here.
- Go ahead and click on the Single Value visualization option as indicated here:
- The default is a big boring number. Let us spice it up. In the Sparkline section, click on Add Sparkline then select _time. Change the Periods to Hours as shown here:
- Check it out; Splunk just gave you an awesome visualization with very little effort. It will now show you the number of Booking Confirmations since the start of the hour and will provide a number comparison from the hour before. It will also give you an upward or a downward arrow that depicts trends and will add a sparkline at the bottom of the number:
- We're not done yet! Let us put even more life into it. In the Color section, click on Yes in Use Colors. In the Color by option, select Trend. Select the second option for Color Mode. Here is how the Color section looks now:
With those options selected, your visualization will have now changed to something similar to what you see next.
- Finally, save this panel to the Summary Dashboard and label it as Booking Confirmations.
Rearranging your dashboard
Before going on, you can rearrange your dashboard so that it looks the way you want:
- In the Summary Dashboard, click on the Edit button and select Edit Panels. This will convert the panels into widgets that you can drag around.
- Change the final layout of your Summary Dashboard to look like the following screenshot. Click on Done once you have laid the widgets out in the correct orientation:
Summary
By now, you have familiarized yourself with data models and the Pivot Editor. In this chapter, we explained what data models are and how they are created. We walked you through how to create your data model objects based on a hierarchy. You also have learned that data models consist of attributes that can be inherited from the parent objects. You created an attribute by extracting a field using regular expression. We have also shown you how to use the Pivot Editor and create three different visualizations: area chart, pie chart, and single value with trend sparkline.
In the next chapter, Chapter 5, Data Optimization, Reports, Alerts, and Accelerating Searches, you will learn how to create and use these important Splunk tools as well as how to optimize searches.