- Implementing Splunk 7 (Third Edition)
- James D. Miller
- 2021-08-27 19:42:42
Children
We have just added a root (or parent) object to our data model. The next step is to add some children. Although a child object inherits all the constraints and attributes from its parent, when you create a child, you will give it additional constraints with the intention of further filtering the dataset that the object represents.
To add a child object to our data model, click on Add Field and select Child:
Splunk then opens the editor window, Add Child Dataset (shown in the following screenshot):
On this page, follow these steps:
- Enter the Object Name: Dimensional Errors.
- Leave the Object ID as it is: Dimensional_Errors.
- Under Inherit From, select Processing Errors. This means that this child object will inherit all the attributes from the parent object, Processing Errors.
- Under Additional Constraints, enter dimension. This means that the data model's search for the events in this object, when expanded, will look something like sourcetype=tm1* error dimension.
- Finally, click on Save to save your changes.
Following the previously outlined steps, you can add more objects, each continuing to filter the results until you have the results that you need.
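The inheritance described above can be modelled outside Splunk. The following is an added example, not code from the book or from Splunk: it builds the expanded search for each object by chaining parent and child constraints, then applies it to constructed events. The root constraint `sourcetype=tm1* error` is inferred from the expanded search shown in the steps, `Element_Errors` is a hypothetical grandchild, and the matcher is a simplification of Splunk's search semantics.

```python
from fnmatch import fnmatch

# Dataset id -> (parent id, constraint). The root constraint is inferred from
# the expanded search on the page; Element_Errors is a hypothetical grandchild.
DATASETS = {
    "Processing_Errors": (None, "sourcetype=tm1* error"),
    "Dimensional_Errors": ("Processing_Errors", "dimension"),
    "Element_Errors": ("Dimensional_Errors", "element"),
}

def expanded_search(dataset_id):
    """Join the constraints of every ancestor, root first, then the dataset's own."""
    parts = []
    while dataset_id is not None:
        parent, constraint = DATASETS[dataset_id]
        parts.append(constraint)
        dataset_id = parent
    return " ".join(reversed(parts))

def matches(event, search):
    """Simplified matcher (not Splunk's real semantics): every term must hold.
    field=value terms allow * wildcards; bare terms are keywords in _raw."""
    words = event["_raw"].lower().split()
    for term in search.split():
        if "=" in term:
            field, pattern = term.split("=", 1)
            if not fnmatch(event.get(field, ""), pattern):
                return False
        elif term.lower() not in words:
            return False
    return True

def select(dataset_id, events):
    search = expanded_search(dataset_id)
    return [e["_raw"] for e in events if matches(e, search)]

# Constructed sample events, not real TM1 log output.
EVENTS = [
    {"sourcetype": "tm1server", "_raw": "ERROR dimension Account not found"},
    {"sourcetype": "tm1server", "_raw": "ERROR dimension Region element missing"},
    {"sourcetype": "tm1server", "_raw": "ERROR process aborted"},
    {"sourcetype": "tm1server", "_raw": "INFO dimension Account loaded"},
    {"sourcetype": "syslog", "_raw": "ERROR dimension mismatch"},
]

if __name__ == "__main__":
    for ds in DATASETS:
        print(ds, "->", expanded_search(ds), "->", len(select(ds, EVENTS)), "events")
```

Each level returns a subset of its parent's events, so an event that fails the root constraint (wrong sourcetype or no error keyword) can never appear in a child object.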
At this point, the next step in implementing a Splunk data model is to use it. So let's continue and determine how.