Splunk® Enterprise

Data Model and Pivot Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Create and save a Pivot

This topic shows you how to use pivot to create and save a simple report. This example uses the data model objects that you created in the previous chapter. If you do not have them, refer to "Create a new data model".

This is a very simple example. More complicated examples are shown in later topics of this tutorial.

Create a new Pivot

When you set out to design a report, you first need to select a data model that represents the broad category of event data that you want to work with. For this tutorial, that data model is the "Buttercup Games".

1. From the app navigation bar, select Pivot to enter the Select a Data Model page.

2. In the data models list, click Buttercup Games.

This takes you to the Select an Object page.

6.2tutorial pivot selectobject.png

The Buttercup Games data model has a root object to track Purchase Requests from the game website. The Purchases object breaks down into Successful and Failed purchases.

3. Select "Purchase Requests".

This opens a New Pivot editor for the Purchase Requests object.

6.2tutorial pivot new2.png

By default, the Pivot Editor interface displays elements to define a pivot table. There are four basic pivot element categories: Filters, Split Rows, Split Columns, and Column Values. When you first open the Pivot Editor for a specific object, only two elements will be defined:

  • A time range Filter element (set to All time).
  • A Column Values element (set to "Count of <object_name>".

This gives you the single value, which is the total count of events returned by the object over all time. In this case, this count is the "Count of Purchase Requests".

4. Select the Single Value Display element from the visualization bar.

4.a Next to Under Label, type Purchase Requests.

6.3 Tutorial pivot singlevalue.png

  • By default, the time range filter element is set to All time.
  • Single value visualizations (single value, the three gauge types) use the first column value element to get their single value. Here, the field is "Count of Purchase Requests".
  • Single value visualizations do not use Split Row or Split Column elements.
  • You can format the number's precision and select whether or not to use a comma.

Save the Pivot as a report

After you define a pivot, you can save it as either a report or a dashboard panel. In this example, you save the single value display as a report. Dashboards and dashboard panels are discussed in a later chapter.

1. Click Save As... and select Report.

6.2tutorial pivot saveasreport.png

The Save as Report dialog box opens.

2. Enter a Title "Total Purchase Requests" and Description (optional).

6.2tutorial pivot saveasreport2.png

3. Select Yes to include the time range picker. (This should be the default.)

4. Click Save.

After the report saves, a window displays that "Your report has been created". You can continue editing the current Pivot, add the pivot to a dashboard, change additional settings for the saved report, or view the report.

5. Click View to view the report.

6.3 Tutorial pivot viewreport.png

View saved reports

A report that is created from Pivot will always be saved under the current app and owner namespace.

1. Click Reports in the app navigation bar to view the list of all saved reports.

6.2tutorial pivot reports.png

2. Use the arrow in the i column to view information about Total Purchase Requests report.

6.2tutorial pivot reportinfo.png

3. Click the report name to view the report.

Next steps

In this topic, you created and saved a report using Pivot. Continue to the next topic to create more pivot visualizations.

About Pivot
Create a pivot table

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters