The Splunk Enterprise Pivot tool lets you quickly design reports with tables and data visualizations that present different aspects of a selected Data Model. Pivot lets you generate these reports with a UI interface instead of having to use the search processing language.
Pivot is part of the Search & Reporting app.
1. On the Search & Reporting app's navigation bar, click Pivot.
Entering Pivot takes you to the Select a Data Model page, where you should see a list of the data models if any have been created. For example, this list includes the Buttercup Games data model that you created earlier in this tutorial. It also includes two sample data models that track Splunk Enterprise
If you view Pivot in smaller browser windows, the Search & Reporting app's navigation bar is hidden. To use the navigation bar, click the menu icon on the upper right. The navigation bar slides down.
2. Use the arrows under the i column to view information for Buttercup Games.
Clicking Edit objects takes you to the object editor for the Buttercup Games data model.
3. Click Buttercup Games.
This takes you to the Select a Data Object view. This view lists all the objects that have been created for this data model. The Buttercup Games data model consists of the Purchase Requests parent object and the Successful Purchases and Failed Purchases child objects.
4. Use the arrows under the i column to view the information for the objects.
5. Click Purchase Requests.
Selecting an object from the Select a Data Object view takes you to the New Pivot editor for that data model.
Components of Pivot
The following illustrates the Pivot editor components.
Visualization types: The left-hand vertical bar contains icons that represent different visualization types. Selecting a different icon controls which Pivot builder and report interfaces display. Visualization types are: Statistics Table (default), Column Chart, Bar Chart, Scatter Chart, Bubble Chart, Area Chart, Line Chart, Pie Chart, Single Value Display, Radial Gauge, Marker Gauge, and Filler Gauge.
Document Actions: The upper horizontal bar displays document-related actions. These actions include:
- Save as...: Save the current report as a new one (Report) or as a dashboard panel (Dashboard Panel).
- Clear: Reset the interface to its initial state, which will dismiss the saved report (if applicable), change the visualization type to Statistics Table, and populate the report with a single Column Value for the count of the object and a time filter for all time (if _time is an applicable field).
- Data model object: This is the right-most button. It takes its label from the data model object that was selected. For example, in the screenshot it is "Purchase Requests". Use this menu to navigate back to the list of data models (Select another Data Model), navigate back to the list of data model objects (Select another Object), or edit the selected data model object (Edit Object). Additionally, you can rebuild acceleration and inspect the acceleration job.
Job Actions: The Pause and Stop buttons control the progress of the Pivot job. Other actions include: Share, Export, Print, and Open in Search. Clicking Open in Search opens the Search view and runs the current search string.
The topic briefly described what you need to know to access the pivot interface and build Pivots in the rest of this chapter. Read the Pivot Manual for more information.
Continue to the next topic, where you will use Pivot to build a report from the Buttercup Games data models you created in a previous chapter.
Define child objects
Create and save a Pivot
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11