Attributes

Data model objects also include attributes, which are simply fields (exposed for use in reporting) associated with the dataset that the object represents. There are five types of object attributes: auto-extracted (fields that Splunk derives at search time), eval expressions (a field derived from an eval expression that you enter in the attribute definition), lookups (which add fields from external data sources such as CSV files and scripts), regular expressions (a field that is extracted from the object event data using a regular expression), and GeoIP (a lookup that adds geographical attributes, such as latitude, longitude, country, and city, to events in the object dataset).

Attributes fall into one of three categories: inherited attributes (from the object's parent), extracted attributes (that you add to an object), or calculated attributes (the result of a calculation or a lookup).

When you define data model attributes, you can specify, for each object in the data model, whether an attribute is visible or hidden. Attributes are visible by default. This is particularly important if each object in your data model has many attributes but only a few are essential for your users' needs. Determining which attributes to include in a Splunk data model and which attributes to expose is a critical part of the overall design of the model. It is often helpful if each object exposes only the data that is relevant to that object, making it easier for your average Splunk user to understand and use.

In addition to attribute visibility, it is also possible to make any attribute required or optional. Indicating that an attribute is required means that every event represented by the object must have that attribute. When you define an attribute as optional, it means that the object may have events that do not have that attribute at all.
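The following added example (not from the original text, and not Splunk's own format or API) models how the required/optional and visible/hidden settings shape what a report sees. The object name, attribute names, dictionary layout, and sample events are all constructed assumptions.

```python
"""Added illustration of the required/optional and visible/hidden settings.
The structures and names here are hypothetical, not Splunk's format or API."""

# Constructed attribute definitions for one hypothetical object ("Failed_Logins").
ATTRIBUTES = [
    {"name": "user",    "type": "auto-extracted", "required": True,  "hidden": False},
    {"name": "src",     "type": "auto-extracted", "required": True,  "hidden": False},
    {"name": "country", "type": "geoip",          "required": False, "hidden": False},
    {"name": "raw_tag", "type": "regex",          "required": False, "hidden": True},
]

# Constructed sample events, represented as field dictionaries.
EVENTS = [
    {"user": "alice", "src": "203.0.113.7", "country": "NL", "raw_tag": "sshd"},
    {"user": "bob", "src": "198.51.100.4", "raw_tag": "sshd"},  # optional 'country' absent
    {"src": "192.0.2.55", "country": "US"},                     # required 'user' absent
]


def missing_required(event, attributes):
    """Return the names of required attributes the event does not carry."""
    return [a["name"] for a in attributes
            if a["required"] and event.get(a["name"]) in (None, "")]


def object_events(events, attributes):
    """Events the object represents: those carrying every required attribute."""
    return [e for e in events if not missing_required(e, attributes)]


def visible_fields(attributes):
    """Attribute names exposed for reporting (visible is the default)."""
    return [a["name"] for a in attributes if not a.get("hidden", False)]


def report_rows(events, attributes):
    """Project the object's events onto its visible attributes.
    Optional attributes that an event lacks are left out of that row."""
    fields = visible_fields(attributes)
    return [{f: e[f] for f in fields if f in e}
            for e in object_events(events, attributes)]


if __name__ == "__main__":
    for row in report_rows(EVENTS, ATTRIBUTES):
        print(row)
```

The third sample event is excluded because it lacks a required attribute, while the second is kept even though its optional `country` attribute is missing.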