Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Use the Table Editor

After you define the initial data for your dataset, you come to the Table Editor to define and maintain it. Use the Table Editor to:

  • Apply actions to the table that filter events, add fields, edit field names and field values, perform statistical data aggregations, and more.
  • Use a "command history" feature to review, edit, and even delete actions that were previously applied to the table.
  • Go to the Summarize Fields view of the table to get analytical information about its fields. You can can see top value distributions, null value percentages, numeric value statistics, and more.
  • Open your table in Pivot, where you can get to work creating visualization-rich reports and dashboard panels based on the table's contents.

Apply actions to your table

You can apply actions to your table or elements of your table by making selections from the menus just above it.

Action menus

The actions and commands that you can apply to your table are categorized into the following menus.

Menu Description
Edit Contains basic editorial actions. Change field types, rename fields, move and delete fields.
Sort Sort rows by the values of a selected field.
Filter Provides actions that give you various ways to filter rows out of your dataset.
Clean Features actions that fix or change field values in various ways.
Summarize Perform statistical aggregations on your dataset.
Add new Gives you a variety of methods to add fields to your dataset.

Table element selection options

Availability of menu actions is tied to the table elements that you select. For example, some actions are only available when you select a field (a column).

Element Applies action to How to select
Table Entire dataset Click the asterisk header at the top of the leftmost column.
Column A field Click the header of a column (the field name).
Multi-Column Two or more fields
  • To select multiple nonadjacent columns, hold the CTRL or CMD key and click the header row of each column you wish to select. You can also deselect columns by clicking on them while holding CTRL or CMD.
  • To select a range of adjacent columns, click the header row of the first column, hold SHIFT, and click in another column.
Cell A field value Click a cell.
Text A portion of text within a field value. Click and drag to select text. You can only select text for text and iPv4 field types.

Field types

Fields can have five types: String, Number, Boolean, IPv4, and Epoch Time. Certain actions and commands can only be applied to fields that belong to specific types.

To change the type of a field follow these steps.

  1. Select the field.
  2. Click Edit and choose the Type that you want the field to have.

You cannot change the type of the _time or _raw fields.

Use the command history sidebar

The command history sidebar keeps track of the commands you apply as you apply them. You can click on a command record to reopen its command editor and change the values entered there.

When you click on a command that is not the most recent command applied, the Table Editor shows you how the table looked at that point in the command history.

You can edit the details of any command record in the command history. You can also delete any command in the history by clicking the X on its record. When you edit or delete a command record, you potentially can break commands that follow it. If this happens, the command history sidebar will notify you.

When you edit or delete a command that is not the most recent command applied, you can break commands that follow it. If this happens the command history sidebar will notify you.

Click SPL to see the search processing language behind your commands. When you have SPL selected you can click Open in Search to run a search using this SPL in the Search & Reporting view.

Use the Summarize Fields view

Click Summarize Fields above your table to see analytical details about the fields in the table. You can see top value distributions, null value percentages, numeric value statistics, and more.

While you are in the Summarize Fields view you can also view field analytics for a specific range of time. The time range picker is near the top right side of the display.

You can apply actions and commands from the menus while you are in this view. For example, if you see that a field has a high percentage of null values, you can select the field and then select Filter > Is Not Null to make them go away.

Open in Pivot

At any time you can open your table dataset in Pivot to begin creating a visualization-rich report or dashboard panel based on it. If you need help using Pivot to make charts and visualizations, see Introduction to Pivot.

When you open a table in Pivot, the Table Editor requires that you save the table first.

Last modified on 03 March, 2017
Define initial data for a new table dataset
Dataset extension

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters