Now, we are going to create an attribute based on a regular expression, which is a specialized text string that describes a search pattern. What we want to do is extract the airport code that is part of the Destination Details URI:
http_uri="/destination/MIA/details"
To do this, we have to create an attribute in the Destination Details child. Follow these steps:
- Select Destination Details, click on the Add Field dropdown, and select Regular Expression.
- In the Regular Expression field, type in the following text:
/destination/(?<AirportCode>.+?)/details
- Click on the blank area outside the text box to populate the field, as shown in the following screenshot.
- Change the display name to Airport Code:
Regular Expression
- Click on Preview and make sure that the airport codes are highlighted in the events. You can also click the Airport Code tab to see them summarized:
Airport Code tab
- Click the Non-Matches button and ensure that no events are shown.
- Click on Save to proceed.
Now that you have built your first data model, it is time to prepare it for use in Pivot. Here are the steps to perform:
- Change the permission of the data model so that all other Splunk users can use it in the context of the Destinations app. On the Edit dropdown, select Edit Permissions:
- Change the permission of the data model so that it is available for the Destinations app. Click on App on the Display For button set.
- Set the Read permission to Everyone and the admin group to Write:
- Click on Save to continue. In the next section, we will introduce you to data model acceleration and how to enable it.