Splunk® Enterprise

Pivot Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Introduction to Pivot

The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations.

How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model objects to further subdivide the original dataset and define the attributes that you want Pivot to return results on. Data models and their objects are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data.

For example, you can have a data model that tracks email server information, with objects representing emails sent and emails received. If you want to focus on patterns in your sent email, select the "Email Activity" data model and choose the "Emails Sent" object.

For an in-depth conceptual overview of data models and data model objects, see "About data models," in the Knowledge Manager Manual.

To create a pivot, all you need to do to get started is:

1. Navigate to the Pivot part of your app. From the Home page, just click Pivot for the app workspace you want to use, such as Search & Reporting. If you're already in an app context, just click Pivot in the green app bar.

6.0 pivot nav 1.png

2. On the Select a Data Model page, choose a data model to identify the dataset that you want to work with. (If there's only one data model in your system you'll be moved directly to the next step, where you select an object in that data model.)

6.0 pivot nav 2.png

3. On the Select an Object page, select an object within that data model.

6.0 pivot nav 3.png

4. After you select an object, Splunk Web takes you to the Pivot Editor where you can create a pivot using the attributes (fields) that are available to you. Your pivot can take the form of a table or chart. Go to the "Design pivots with the Pivot Editor" topic in this manual to learn how to use the Pivot Editor to create a table, chart, or other visualization with Pivot.

About objects, briefly

The object you choose represents a specific dataset. The precise composition of this dataset is determined by the type of object you choose and the way the object has been defined by your data model administrator. There are four object types:

  • Event objects represent a set of events. Root event objects are defined by constraints (see below).
  • Transaction objects represent transactions--groups of events that are related in some way, such as events related to a firewall intrusion incident, or the online reservation of a hotel room by a single customer.
  • Search objects represent the results of an arbitrary search. Search objects are typically defined by searches that use transforming or streaming commands to return results in table format, and they contain the results of those searches.
  • Child objects can be added to any object. They represent a subset of the dataset encompassed by their parent object. You may want to base a pivot on a child object because it represents a specific chunk of data--exactly the chunk you need to work with for a particular report.

Object constraints and attributes

What are constraints and attributes?

Constraints are simple searches that define the dataset that an object represents. They are used by root event objects and all child objects to define the dataset that they represent. All child objects inherit constraints from their parent objects, and have a new constraint of their own. This additional constraint ensures that they each inherit a subset of their parent object's dataset.

For example, you could have a root event object titled "Error events" where the constraint is simply: "error". This object would potentially include all of the events in your system that include the string "error"; it would return the same events as a search for "error".

Most event objects have constraints that are more complex than that, but often not by much. For example, the sample data model "Splunk's Internal Server Logs" includes a child event object named "Search Load - Users." It contains events that track the number of concurrent searches being run by users. The inherited constraints for this object boil down to the following search:

index=_internal source=*metrics_log*

This search returns metrics log events from the _internal index. The child object then has this additional constraint:

group=search_concurrency user=*

This further narrows down the set of events represented by the object to metrics log events from the _internal index that have a group field value of concurrency and a user field with any value.

Event object definitions also identify the attributes that appear in their event data. Attributes are essentially a set of fields that are associated with the dataset represented by the object, and you'll use them to define the "story" that your pivot report tells. Some attributes will map directly to fields in the object's event data; others are calculated fields or are added to the object's events with the help of lookups and regular expressions.

Each child object inherits the attributes that belong to its parent object. Child objects can include additional attributes that are not part of the parent object definition.

For a more detailed explanation of data models, objects, object constraints, and object attributes, see "About data models" in the 'Knowledge Manager Manual.

What's in this manual?

This manual shows you how to use the Pivot Editor to generate useful tables, charts, and other visualizations of your important event data. The pivots that you create can be saved as reports or dashboard panels.

This manual's topics include:

  NEXT
Design pivot tables with the Pivot Editor

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters