8. Analytics Big Picture
Pivot
Build complex reports without the
search language
Data
Model
Provides more meaningful representation
of underlying raw machine data
Analytics
Store
Acceleration technology delivers up to
1000x faster analytics over Splunk 5
8
9. Operational Intelligence Across the Enterprise
[10/11/12
18:57:04
000000b0
UTC]
Raw
Data
IT professional
Create and share data models
Accelerate data models and custom
searches with the analytics store
Create reports with pivot
Analytics
Store
Developer
Leverage data models to
abstract data
Leverage pivot in custom apps
Data
Model
Pivot
Analyst
Create reports using pivot based on
data models created by IT
12. What is a Data Model?
A data model is a search-time mapping of data onto a hierarchical structure
•
Encapsulate the knowledge
needed to build a search
•
Pivot reports are build on top
of data models
•
Data-independent
Screenshot here
13. search and filter | munge | report | clean-up
sourcetype=access_combined source = "/home/ssorkin/banner_access.log.2013.6.gz"
| eval unique=(uid + useragent) | stats dc(unique) by os_name
| rename dc(unique) as "Unique Visitors" os_name as "Operating System"
14. A Data Model Is a Collection of Objects
Screenshot here
What is Data Model, and why do I care?Building a Data ModelManagement, Acceleration, and BeyondThe Future!Q&A
Splunk 6 takes large-scalemachine data analytics to the next level by introducing three breakthrough innovations:Pivot – opens up the power of Splunk search to non-technical users with an easy-to-use drag and drop interface to explore, manipulate and visualize data Data Model – defines meaningful relationships in underlying machine data and making the data more useful to broader base of non-technical usersAnalytics Store – patent pending technology that accelerates data models by delivering extremely high performance data retrieval for analytical operations, up to 1000x faster than Splunk 5Let’s dig into each of these new features in more detail.
How does theAnalytics Store, Data Model and Pivot benefit users across the enterprise?Lets start with the IT Professional – this includes the Splunk Administrator or an advanced Splunk user that is familiar with SPL.Using Splunk 6 they can:Create data modelsShare data models with other users – delivering a consistent view of the dataAccelerate data models using the Analytics StoreCreate reports using Pivot (although being power users, they may prefer using SPL directly!)Next we have the enterprise developer.Using Splunk 6 they can:Leverage data models built by IT, making searches more portable (using common Data Models ensures predictability of results)Leverage the Pivot interface in custom enterprise appsFinally, there are additional users that can now benefit – for example, the business or data analyst. Using Splunk 6 they can:Create reports, dashboards, charts and other visualizations using the Pivot interface and based on data models that provide an abstracted view of the raw data. Splunk 6 is not meant to replace existing BI and Business Analytics tools, but it does provide new visibility, insights and intelligence from operational data that can be used by business analysts to augment these tools. Data from Splunk software can also be leveraged directly using the Splunk API and SDKs and integrated into existing business analytics tools. For example, the recently announced Pentaho Business Analytics for Splunk® Enterprise (http://apps.splunk.com/app/1554), enables business users to utilize Pentaho to rapidly visualize and gain additional insights from Splunk’s machine data platform using existing in-house skills.
What are the important “things” in your data?E.g. WebIntelligence might haveHTTPAccessHTTPSuccessUser SessionHow are they related?There’s more than one “right” way to define your objects
Constraints filter down to a set of a dataAttributes are the fields and knowledge associated with the objectBoth are inherited!
A child object is a type of its parent object: e.g. An HTTP_Success object is a type of HTTP_AccessAdding a child object is essentially a way of adding a filter on the parentsA parent-child relationship makes it easy to do queries like “What percentage of my HTTP_Access events are HTTP_Success events?”
