In other words, a device may have multiple applications and each app may have multiple permissions. If I wanted to write a report that list all applications that contain Permission=X, how do you recommend we model the data?
Any guidance you can provide will be greatly appreciated!
The Splunk query for applications containing permission X would be Permission=X | stats count by Application (which would give you the count for each application as well, which you could discard.)
You could compact it up one level, though for some reporting purposes you may wind up expanding that one level out to the equivalent of the above at search time (in the specific case of this report, though Permission=X | stats count by Application will still work the same):
Note, btw, that while the raw forms suggested here look much larger than a tree, the indexed and compressed data set (which is how it would be stored on disk by Splunk) for large sets of data is not larger than if it were represented as a tree or a more normalized form.