Is there a way to define a common data store to create searches and dashboards on top of for various apps?

ronak
Path Finder

Hi

I've a business need to integrate Point of Sale systems from various vendors and produce a common dashboard that shows KPIs and panels, for example: Total Sales, Total Tax, Total Fees, #orders at 5-minute intervals, Avg Rev/order, pie chart of various payment types, bar chart representing sales by product category, column chart representing sales by product type, top 10 items, etc.

The challenge is that not all vendors send the data in the same format or call the fields the same, e.g. Vendor1 might call it item_name while Vendor2 might call it product_name; Vendor1 might call it sale_amount while Vendor3 might call it amount_sold.

I'm wondering if there is a mechanism or way such that I can define a common model and create queries and dashboards on top of that common model, with the various sources feeding into that common model in Splunk.

This allows me to make sure that my Splunk app is the same one that I can ship to various clients, along with the connector to the POS that the client might have.

Any pointers or methods to achieve this functionality?

Thanks, ronak


maciep
Champion

The short answer is to use search-time operations to map those vendor-specific fields into some common model you define. So first come up with the field names you want to use in your Splunk app. Then for each sourcetype (vendor) decide which fields need to be mapped where. To do those mappings, you can use aliases, evals, field extractions, lookups, etc. All of those will happen at search time.

So for example, if you choose to use item_name, then vendor1's field won't need to change. But for the sourcetype of vendor2, you alias product_name as item_name. Now when you search vendor2's sourcetype, both the item_name and product_name fields will be there. Your app's searches will just use item_name.

If you need to normalize something like categories, typically a lookup would work - maybe sale type or payment method or something (not really familiar with POS systems). If you maybe need to concatenate a couple of fields of one sourcetype to match a field in your common model, use an eval. Etc.

Hope that helps a little.

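A concrete version of the search-time mapping described in the answer above, as an added example rather than configuration from the answer or from a Splunk add-on. The sourcetype names (vendor2:pos, vendor3:pos), the extra vendor fields amount_cents and tender_code, and the lookup file name are assumptions chosen to match the field names in the question:

```ini
# props.conf (ship it in the app's default/ directory)
#
# Common model used by every dashboard search in the app:
#   item_name, sale_amount, payment_type
# Vendor1 already sends item_name and sale_amount, so it needs no stanza.
# Everything below is applied at search time: indexed data is untouched,
# so data already ingested is normalised too.

# Vendor2 calls the item "product_name": alias it to the common name.
# FIELDALIAS keeps product_name and adds item_name alongside it.
[vendor2:pos]
FIELDALIAS-item_name = product_name AS item_name
# Assumed: Vendor2 sends the amount in cents as a string; convert to
# a numeric dollar value so sum() and avg() work across vendors.
EVAL-sale_amount = tonumber(amount_cents) / 100

# Vendor3 calls the amount "amount_sold" and reports payment type as a
# numeric tender code, so the code is mapped through an automatic lookup.
[vendor3:pos]
FIELDALIAS-sale_amount = amount_sold AS sale_amount
LOOKUP-payment_type = vendor3_payment_types tender_code OUTPUTNEW payment_type

# transforms.conf: the lookup definition referenced above
[vendor3_payment_types]
filename = vendor3_payment_types.csv

# lookups/vendor3_payment_types.csv (constructed sample content)
#   tender_code,payment_type
#   1,cash
#   2,credit_card
#   3,gift_card
```

Dashboard searches then reference only the common names, e.g. `sourcetype=*:pos | timechart span=5m sum(sale_amount) AS total_sales count AS orders`, and adding a new vendor means adding a props.conf stanza rather than touching any panel.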

ChrisG
Splunk Employee

Have you looked at the Splunk Common Information Model Add-on (and docs)? It doesn't have a PoS data model, but you might be able to build what you need following the examples there. The situation you describe is exactly what the Common Information Model is designed to address.

If your question is more about the actual storage of saving and retrieving data so your app(s) can use it, then you should read about the app key value store.
