Introduction to Pivot
The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations.
How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model objects to further subdivide the original dataset and define the attributes that you want Pivot to return results on. Data models and their objects are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data.
For example, you can have a data model that tracks email server information, with objects representing emails sent and emails received. If you want to focus on patterns in your sent email, select the "Email Activity" data model and choose the "Emails Sent" object.
For an in-depth conceptual overview of data models and data model objects, see "About data models," in the Knowledge Manager Manual.
To get started creating a pivot:
1. Navigate to the Pivot part of your app. From the Home page, just click Pivot for the app workspace you want to use, such as Search & Reporting. If you're already in an app context, just click Pivot in the green app bar.
2. On the Select a Data Model page, choose a data model to identify the dataset that you want to work with. (If there's only one data model in your system you'll be moved directly to the next step, where you select an object in that data model.)
3. On the Select an Object page, select an object within that data model.
4. After you select an object, Splunk Web takes you to the Pivot Editor where you can create a pivot using the attributes (fields) that are available to you. Your pivot can take the form of a table or chart. Go to the "Design pivots with the Pivot Editor" topic in this manual to learn how to use the Pivot Editor to create a table, chart, or other visualization with Pivot.
About objects, briefly
The object you choose represents a specific dataset. The precise composition of this dataset is determined by the type of object you choose and the way the object has been defined by your data model administrator. There are four object types:
- Event objects represent a set of events. Root event objects are defined by constraints (see below).
- Transaction objects represent transactions--groups of events that are related in some way, such as events related to a firewall intrusion incident, or the online reservation of a hotel room by a single customer.
- Search objects represent the results of an arbitrary search. Search objects are typically defined by searches that use transforming or streaming commands to return results in table format, and they contain the results of those searches.
- Child objects can be added to any object. They represent a subset of the dataset encompassed by their parent object. You may want to base a pivot on a child object because it represents a specific chunk of data--exactly the chunk you need to work with for a particular report.
Object constraints and attributes
What are constraints and attributes?
Constraints are simple searches that define the dataset that an object represents. They are used by root event objects and all child objects to define the dataset that they represent. All child objects inherit constraints from their parent objects, and have a new constraint of their own. This additional constraint ensures that they each inherit a subset of their parent object's dataset.
For example, you could have a root event object titled "Error events" where the constraint is simply "error". This object would potentially include all of the events in your system that include the string "error"; it would return the same events as a search for "error".
Most event objects have constraints that are more complex than that, but often not by much. For example, the sample data model "Splunk's Internal Server Logs" includes a child event object named "Search Load - Users." It contains events that track the number of concurrent searches being run by users. The inherited constraints for this object boil down to the following search:
This search returns metrics log events from the _internal index. The child object then has this additional constraint:
This further narrows down the set of events represented by the object to metrics log events from the _internal index that have a group field value of concurrency and a user field with any value.
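The following added example (not part of the Splunk documentation or product) models how an object's dataset results from its inherited constraints plus its own, and generalizes to both the keyword constraint and the field constraints described above. The parent object name "Metrics events", the constraint strings, the simplified matcher, and the sample events are constructed assumptions, not the actual data model definitions.

```python
import fnmatch

# Constructed hierarchy: object name -> (parent name, constraint this object adds).
# Constraint strings are stand-ins written from the page's description,
# not the actual definitions in any Splunk data model.
OBJECTS = {
    "Error events": (None, "error"),
    "Metrics events": (None, "index=_internal source=*metrics.log"),  # hypothetical parent
    "Search Load - Users": ("Metrics events", "group=concurrency user=*"),
}

def effective_constraints(name, objects=OBJECTS):
    """Collect every constraint term that applies to an object, root first."""
    terms = []
    while name is not None:
        parent, constraint = objects[name]
        terms = constraint.split() + terms  # inherited terms go in front
        name = parent
    return terms

def matches(event, term):
    """Simplified matcher: field=pattern (wildcards allowed) or a keyword in _raw."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        value = event.get(field)
        return value is not None and fnmatch.fnmatchcase(str(value), pattern)
    return term.lower() in event.get("_raw", "").lower()

def dataset(name, events, objects=OBJECTS):
    """Events an object represents: those satisfying all inherited and own terms."""
    terms = effective_constraints(name, objects)
    return [e for e in events if all(matches(e, t) for t in terms)]

# Constructed sample events (field dictionaries, not real Splunk output).
EVENTS = [
    {"index": "_internal", "source": "/var/log/splunk/metrics.log", "group": "concurrency", "user": "admin"},
    {"index": "_internal", "source": "/var/log/splunk/metrics.log", "group": "concurrency"},
    {"index": "_internal", "source": "/var/log/splunk/metrics.log", "group": "pipeline", "user": "admin"},
    {"index": "main", "source": "/var/log/app.log", "_raw": "ERROR disk full", "user": "bob"},
]

if __name__ == "__main__":
    for name in OBJECTS:
        print(name, effective_constraints(name), len(dataset(name, EVENTS)))
```

The second sample event has no user field, so it belongs to the parent's dataset but not the child's, which is the subset relationship the additional constraint enforces.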
Event object definitions also identify the attributes that appear in their event data. Attributes are essentially a set of fields that are associated with the dataset represented by the object, and you'll use them to define the "story" that your pivot report tells. Some attributes will map directly to fields in the object's event data; others are calculated fields or are added to the object's events with the help of lookups and regular expressions.
Each child object inherits the attributes that belong to its parent object. Child objects can include additional attributes that are not part of the parent object definition.
For a more detailed explanation of data models, objects, object constraints, and object attributes, see "About data models" in the Knowledge Manager Manual.
What's in this manual?
This manual shows you how to use the Pivot Editor to generate useful tables, charts, and other visualizations of your important event data. The pivots that you create can be saved as reports or dashboard panels.
This manual's topics include:
- Design pivot tables with the Pivot Editor - Learn how to use the Pivot Editor to generate tables, charts, and other representations of your data.
- Design pivot charts and visualizations with the Pivot Editor
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11