Splunk® Enterprise

Data Model and Pivot Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About Pivot

The Splunk Enterprise Pivot tool lets you quickly design reports with tables and data visualizations that present different aspects of a selected Data Model. Pivot lets you generate these reports with a UI interface instead of having to use the search processing language.

Pivot views

Pivot is part of the Search & Reporting app.

6.2tutorial findpivot.png


1. On the Search & Reporting app's navigation bar, click Pivot.

6.2tutorial pivot selectdatamodel.png


Entering Pivot takes you to the Select a Data Model page, where you should see a list of the data models if any have been created. For example, this list includes the Buttercup Games data model that you created earlier in this tutorial. It also includes two sample data models that track Splunk Enterprise internal and audit logs.

If you view Pivot in smaller browser windows, the Search & Reporting app's navigation bar is hidden. To use the navigation bar, click the menu icon on the upper right. The navigation bar slides down.

6.2tutorial pivot selectdatamodel2.png


2. Use the arrows under the i column to view information for Buttercup Games.

6.2tutorial pivot datamodelinfo.png


Clicking Edit objects takes you to the object editor for the Buttercup Games data model.


3. Click Buttercup Games.

This takes you to the Select a Data Object view. This view lists all the objects that have been created for this data model. The Buttercup Games data model consists of the Purchase Requests parent object and the Successful Purchases and Failed Purchases child objects.

6.2tutorial pivot selectobject.png


4. Use the arrows under the i column to view the information for the objects.

6.2tutorial pivot dataobjectinfo.png

5. Click Purchase Requests.

Selecting an object from the Select a Data Object view takes you to the New Pivot editor for that data model.

Components of Pivot

The following illustrates the Pivot editor components.

6.2tutorial pivot new.png


Visualization types: The left-hand vertical bar contains icons that represent different visualization types. Selecting a different icon controls which Pivot builder and report interfaces display. Visualization types are: Statistics Table (default), Column Chart, Bar Chart, Scatter Chart, Bubble Chart, Area Chart, Line Chart, Pie Chart, Single Value Display, Radial Gauge, Marker Gauge, and Filler Gauge.

Document Actions: The upper horizontal bar displays document-related actions. These actions include:

  • Save as...: Save the current report as a new one (Report) or as a dashboard panel (Dashboard Panel).
  • Clear: Reset the interface to its initial state, which will dismiss the saved report (if applicable), change the visualization type to Statistics Table, and populate the report with a single Column Value for the count of the object and a time filter for all time (if _time is an applicable field).
  • Data model object: This is the right-most button. It takes its label from the data model object that was selected. For example, in the screenshot it is "Purchase Requests". Use this menu to navigate back to the list of data models (Select another Data Model), navigate back to the list of data model objects (Select another Object), or edit the selected data model object (Edit Object). Additionally, you can rebuild acceleration and inspect the acceleration job.

6.2tutorial pivot dataobjectselector.png


Job Actions: The Pause and Stop buttons control the progress of the Pivot job. Other actions include: Share, Export, Print, and Open in Search. Clicking Open in Search opens the Search view and runs the current search string.

Learn more

The topic briefly described what you need to know to access the pivot interface and build Pivots in the rest of this chapter. Read the Pivot Manual for more information.

Next steps

Continue to the next topic, where you will use Pivot to build a report from the Buttercup Games data models you created in a previous chapter.

PREVIOUS
Define child objects
  NEXT
Create and save a Pivot

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Comments

Running Splunk 6.2.3 with a search head cluster, I do not see the "Rebuild Acceleration" or "Inspect Acceleration Job" options in the "Documentation Actions" > "Data model object" dropdown as mentioned in the above doc. Not sure if the product has changed, or it is something specific to our environment or search head clustering, but the doc should reflect that this may not appear for all users. Now I need to find another way to inspect it!

Glennsinclair
November 13, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters