What is a data model?

The Splunk product documentation (2015-2017) defines a data model as:

"a hierarchically structured, search-time mapping of semantic knowledge about one or more datasets (that encode the domain knowledge necessary to generate specialized searches of those datasets) so that Splunk can use these specialized searches to generate reports and charts for pivot users."

Data models enable you to create Splunk reports and dashboards without having to develop Splunk searches (required to create those reports and dashboards), and can play a big part in Splunk app development. You can create your own data models, but before you do, you should review the data models that your organization may have already developed. Typically, data models are designed by those that understand the specifics around the format, the semantics of certain data, and the manner in which users may expect to work with that data. In building a typical data model, knowledge managers use knowledge object types (such as lookups, transactions, search-time field extractions, and calculated fields).

Another way to perhaps understand data models, if you are familiar with relational databases, is to think of a Splunk data model as a sort of database schema. Using the Splunk Pivot Editor, data models let you generate statistical tables, charts, and visualizations based on column and row configurations that you select.