Splunk® Enterprise

Data Model and Pivot Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About Pivot

The Splunk Pivot tool lets you quickly design reports with tables and data visualizations that present different aspects of a selected data model. Pivot lets you generate these reports through a graphical interface instead of writing searches in the Search Processing Language (SPL).

Accessing Pivot from the Datasets page

In Part 2, you built a data model, created a root dataset called Purchase Requests, and added two child datasets: one for successful purchases and one for failed purchases.

  1. From the Buttercup Games dataset editor page, click Pivot.
  2. Select the Purchase Requests dataset. This is the dataset that you want to use to create the pivot.
    The New Pivot page appears and shows information using the Purchase Requests dataset.
  3. If your browser window is not full screen, the Apps bar is hidden. You can access the Apps bar by clicking the menu icon in the upper right corner of the window. The Apps bar slides down. Click the menu icon again to hide the Apps bar.

The New Pivot editor

The following image identifies the components of the New Pivot editor page.

Visualization types: The left-hand vertical bar contains icons that represent different visualization types. Selecting a different icon controls which Pivot builder and report interfaces display. Visualization types are: Statistics Table (default), Column Chart, Bar Chart, Scatter Chart, Bubble Chart, Area Chart, Line Chart, Pie Chart, Single Value Display, Radial Gauge, Marker Gauge, and Filler Gauge.

Document Actions: The upper horizontal bar displays document-related actions. These actions include:

• Save as...: Save the current report as a new one (Report) or as a dashboard panel (Dashboard Panel).
• Clear: Reset the interface to its initial state, which will dismiss the saved report (if applicable), change the visualization type to Statistics Table, and populate the report with a single Column Value for the count of the dataset and a time filter for all time (if _time is an applicable field).
• Data model dataset: This is the right-most button. It takes its label from the data model dataset that was selected. For example, in the screenshot it is "Purchase Requests". Use this menu to navigate back to the list of data models (Select another Data Model), navigate back to the list of data model datasets (Select another Dataset), or edit the selected data model dataset (Edit Dataset). Additionally, you can rebuild acceleration and inspect the acceleration job.

Job Actions: The Pause and Stop buttons control the progress of the Pivot job. Other actions include: Share, Export, Print, and Open in Search. Clicking Open in Search opens the Search view and runs the current search string.

Learn more

This topic briefly described what you need to know to access the Pivot interface and build pivots in the rest of this chapter. Read the Pivot Manual for more information.

Next steps

Continue to the next topic, where you will use Pivot to build a report from the Buttercup Games data models you created in a previous chapter.

Last modified on 15 September, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
