difference between data model vs splunk dashboards

okumar1
Engager

Hi All,

Could you please clarify for me what the difference is between data models and Splunk dashboards?

Thanks

livehybrid
SplunkTrust

Hi @okumar1,

The two are completely different things, but to quickly break down the difference:

Data Models are a definition of a data structure. They can be used to manipulate _raw data into a common format of fields (see Common Information Models for more info!) at search time by:

  • Extracting fields from raw data
  • Renaming/transforming/calculating fields

Data models can be accelerated, which builds data summaries behind the scenes for faster data retrieval. This provides improved search performance and improves data quality and consistency.

Splunk Dashboards visualise and analyse data in a user-friendly interface using charts/graphs/tables and custom visualisations. Dashboard inputs/tokens allow for interaction and filtering of data displayed to help provide real-time insights and trends for data-driven decision making. Dashboards allow different views on the same dataset for different stakeholders and users.

PickleRick
SplunkTrust

Well... no.

That's a common misconception about data models. They do not _do_ anything in general. They are an abstract definition that your data should conform to. They might provide some search-time calculated fields but nothing regarding data models works "before data is being indexed".

And generally datamodels do not "enrich" data as such. It's the other way around - you sometimes need to enrich your data (for example create lookups mapping the actual values you have in your events to the values the data model expects) to make your data compliant with the data model.

Finally, datamodels as such do not accelerate anything. Yes, if you have a data model, you can enable datamodel acceleration, which periodically creates and updates summaries based on the datamodel definition, but it's not the functionality of the data model itself but rather additional mechanics built on top of the data model.

(original post fixed).

livehybrid
SplunkTrust

Hi @PickleRick 

You are quite right - this will teach me for trying to do too many things at once, as I was also doing some INGEST_EVAL work at the same time. 🙄

I've removed the completely incorrect start to the paragraph about DMs and will update the sentence around "can be accelerated" to include details about what this achieves.

Thanks again for catching those points!

isoutamo
SplunkTrust

It’s exactly this way. A data model just describes some data set and what it could have. Usually it doesn’t require that all those attributes are present.
Then those other things are something that you can achieve more easily by using a data model, but those definitely aren’t part of the data model requirements/definition.

Dashboards are knowledge objects which help one to present data always the same way without having to write SPL again and again to get the needed results. Quite often dashboards have some interactions through which the user can change their behavior. Then we refer to those as forms.

One can use DMs in dashboards inside SPL or use pivots to create reports or dashboards directly from a DM.

PickleRick
SplunkTrust

These are two terms from separate domains. A datamodel is an abstract standardized model of data, whereas a dashboard is a way of visualizing data and interacting with your Splunk. So your question is like "what is the difference between a truck and a vacuum cleaner".
