Splunk Cloud Platform

Pivot Manual

Introduction to Pivot

The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations.

How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model datasets to further subdivide the original dataset and define the fields that you want Pivot to return results on. Data models and their datasets are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data.

For example, you can have a data model that tracks email server information, with datasets representing emails sent and emails received. If you want to focus on patterns in your sent email, select the "Email Activity" data model and choose the "Emails Sent" dataset.

For an in-depth conceptual overview of data models and data model datasets, see About data models.

Creating a pivot

There are two ways to navigate to the Pivots view:

  • Through the Datasets page
  • Through the Data Model listing page, via Settings

Steps

From the Datasets page:
  1. In the Search & Reporting app, open the Datasets listing page.
  2. Identify the data model dataset for which you want to create a pivot.
  3. In the Actions column, select Explore > Visualize with Pivot.
  4. Click Save As... to save your changes as a report or a dashboard panel.

From Settings > Data Models:
  1. Select Settings > Data models.
  2. Locate a data model and, in the Actions column, click Pivot.
  3. Click a dataset and create the pivot.
  4. Click Save As... to save your changes as a report or a dashboard panel.

If you view Pivot in smaller browser windows, the Search & Reporting app's navigation bar is hidden. To use the navigation bar, click the menu icon on the upper right. The navigation bar slides down.

After you select a dataset, Splunk Web takes you to the Pivot Editor where you can create a pivot using the fields that are available to you. Your pivot can take the form of a table or chart. Go to the "Design pivots with the Pivot Editor" topic in this manual to learn how to use the Pivot Editor to create a table, chart, or other visualization with Pivot.

About datasets, briefly

The precise composition of a dataset is determined by the type of dataset you choose and the way the dataset has been defined by your data model administrator. There are four dataset types:

  • Event datasets represent a set of events. Root event datasets are defined by constraints (see below).
  • Transaction datasets represent transactions--groups of events that are related in some way, such as events related to a firewall intrusion incident, or the online reservation of a hotel room by a single customer.
  • Search datasets represent the results of an arbitrary search. Search datasets are typically defined by searches that use transforming or streaming commands to return results in table format, and they contain the results of those searches.
  • Child datasets can be added to any dataset. They represent a subset of the dataset encompassed by their parent dataset. You may want to base a pivot on a child dataset because it represents a specific chunk of data--exactly the chunk you need to work with for a particular report.

Dataset constraints and fields

What are constraints and fields?

Constraints are simple searches that define the set of events a dataset represents. They are used by root event datasets and by all child datasets. Every child dataset inherits the constraints of its parent dataset and adds a new constraint of its own; this additional constraint ensures that each child represents a subset of its parent dataset's events.

For example, you could have a root event dataset titled "Error events" where the constraint is simply: "error". This dataset would potentially include all of the events in your system that include the string "error"; it would return the same events as a search for "error".

Most event datasets have constraints that are more complex than that, but often not by much. For example, the sample data model "Splunk's Internal Server Logs" includes a child event dataset named "Search Load - Users." It contains events that track the number of concurrent searches being run by users. The inherited constraints for this dataset boil down to the following search:

index=_internal source=*metrics_log*

This search returns metrics log events from the _internal index. The child dataset then has this additional constraint:

group=search_concurrency user=*

This further narrows the set of events represented by the dataset to metrics log events from the _internal index that have a group field value of search_concurrency and a user field with any value.
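To make the inheritance rule concrete, the following added example (not Splunk code) models a root dataset and a child dataset, builds the child's effective constraint from the inherited terms plus its own term, and applies both to a handful of constructed events. The field=value matching with `*` wildcards and the sample event records are simplifications assumed for the illustration; the source values are constructed to match the page's `*metrics_log*` constraint.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed events standing in for entries in the _internal index.
EVENTS = [
    {"index": "_internal", "source": "/opt/splunk/var/log/splunk/metrics_log",
     "group": "search_concurrency", "user": "alice"},
    {"index": "_internal", "source": "/opt/splunk/var/log/splunk/metrics_log",
     "group": "search_concurrency", "user": "bob"},
    {"index": "_internal", "source": "/opt/splunk/var/log/splunk/metrics_log",
     "group": "per_index_thruput", "series": "main"},       # no user field
    {"index": "_internal", "source": "/opt/splunk/var/log/splunk/splunkd_log",
     "group": "search_concurrency", "user": "carol"},       # different source
    {"index": "main", "source": "/var/log/syslog", "message": "error"},
]


@dataclass
class Dataset:
    name: str
    constraint: str                     # space-separated field=value terms
    parent: Optional["Dataset"] = None  # None for a root event dataset

    def effective_constraint(self) -> str:
        """Inherited constraints first, then this dataset's own term(s)."""
        if self.parent is None:
            return self.constraint
        return f"{self.parent.effective_constraint()} {self.constraint}"


def matches(event: dict, constraint: str) -> bool:
    """Every field=value term must match; '*' in a value is a wildcard."""
    for term in constraint.split():
        key, _, pattern = term.partition("=")
        value = event.get(key)
        if value is None or not fnmatch.fnmatchcase(str(value), pattern):
            return False
    return True


def select(dataset: Dataset, events=EVENTS) -> list:
    """Return the events the dataset represents under its effective constraint."""
    return [e for e in events if matches(e, dataset.effective_constraint())]


root = Dataset("Splunk's Internal Server Logs", "index=_internal source=*metrics_log*")
child = Dataset("Search Load - Users", "group=search_concurrency user=*", parent=root)
```

Running `select(root)` returns the three metrics_log events, while `select(child)` keeps only the two that also carry a search_concurrency group and a user field.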

Event dataset definitions also identify the fields that appear in their event data. Fields are associated with a specific dataset. Some fields will map directly to the dataset's event data; others are calculated fields or are added to the dataset's events with the help of lookups and regular expressions.

Each child dataset inherits the fields that belong to its parent dataset. Child datasets can include additional fields that are not part of the parent dataset definition.

For a more detailed explanation of data models, datasets, dataset constraints, and dataset fields, see "About data models" in the Knowledge Manager Manual.

What's in this manual?

This manual shows you how to use the Pivot Editor to generate useful tables, charts, and other visualizations of your important event data. The pivots that you create can be saved as reports or dashboard panels.

This manual's topics include:

  • Design pivot tables with the Pivot Editor

Last modified on 29 March, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
