Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Use the Table Editor

After you define the initial data for your table dataset, you use the Table Editor to refine it and maintain it. You also use the Table Editor to make changes to existing tables.

The Table Editor includes several table dataset editing tools:

  • Work with your table in two views:
    • Preview Rows, which renders the dataset in a standard table format.
    • Summarize Fields, which displays statistical information for each of the fields in your table and their values.
  • Apply actions to the table that filter events, add fields, edit field names and field values, perform statistical data aggregations, and more. You can apply actions through menu selections, or by making edits directly to table elements.
  • Use a command history feature to review, edit, and delete actions that were applied to the table.

Get to the Table Editor

There are three ways to get to the Table Editor.

Method Details
When you define initial data for a new table dataset See Define initial data for a new table dataset.
When you edit an existing table dataset. See Manage table datasets.
When you extend a an existing dataset as a new table dataset See Manage table datasets.

See Define initial data for a new table dataset if you need help with this step of the dataset creation workflow.

Table Editor views

The Table Editor allows you to edit your table in two views. These views are named Preview Rows and Summarize Fields.

The Preview Rows view

Preview Rows is the default Table Editor view. It displays your table dataset as a table, with fields as columns, values in cells, and sample events in rows. It displays a sample 50 events from your dataset. It does not represent the results from any particular time range.

An image of the Preview Rows view of the Table Editor. The dataset contains webstore data, with user actions, product names, and prices.

You can edit your table by applying actions to it, either by making menu selections, or by making edits directly to the table.

In the context of the Table Editor, the Preview Rows view is not designed to be an editing tool rather than a search tool. It does not provide a time range picker. If you would like to see a table-formatted set of results from a specific time range, save your table and go to the Datasets listing page to open it in the Explorer view. In the Explorer view, View Results displays results from a search over a time range that you can define.

See Explore a dataset.

Alternatively, you can switch to the Summarize Fields view of the Table Editor. It has a time range picker that lets you view field statistics for specific time ranges.

The Summarize Fields view

Click Summarize Fields to see analytical details about the fields in the table. You can see top value distributions, null value percentages, numeric value statistics, and more.

An image of the Summarize Fields view of the Table Editor. It displays statistical information about webstore fields.

You can apply some menu actions and commands to your table while you are in the Summarize fields view. You can also apply actions through direct edits, such as moving columns, renaming fields, fixing field type mismatches, and editing field values.

Using the time range picker

When you are in the Summarize Fields view you can view field analytics for a specific range of time. The time range picker is near the top right side of the display.

The time range picker shows events from the last 24 hours by default. If your dataset has no events from the last 24 hours it will have no statistics when you open this view. To fix this, adjust the time range picker to a range where events are present.

The time range picker gives you a variety of time range definition options. You can choose a pre-set time range, or you can define a custom time range. For help with the time range picker, see Select time ranges to apply to your search in the Search Manual.

Table element selection options

Availability of menu actions depends on the table elements that you select. For example, some actions are only available when you select a field column.

You have the same selection options in the Preview Rows and Summarize Fields views.

Element Applies action to How to select
Table Entire dataset Click the asterisk header at the top of the leftmost column.
Column A field Click on a column header.
Multi-Column Two or more fields
  • To select multiple nonadjacent columns, hold the CTRL or CMD key and click the header row of each column you wish to select. Deselect columns by clicking on them while holding CTRL or CMD.
  • To select a range of adjacent columns, click the header row of the first column, hold SHIFT, and click the header row of the last column.
Cell A field value Click a cell.
Text A portion of text within a field value. Click and drag to select text. You can select text for text and iPv4 field types.

Field types

Each field belongs to a type. There are five field types.

Some actions and commands can only be applied to fields of specific types. For example, you can apply the Round Values and Map Ranges actions only to numeric fields.

Type Icon Definition
String The icon for the string type is the letter a in an italic font. A field whose values are text strings. It can include a mix of text and numbers.
Number The icon for the number type is a hash symbol. A field whose values are purely numerical. Does not include IPv4 addresses.
Boolean The icon for the Boolean type is a large dot surrounded by a circle. A field whose values are either true or false. Alternate value pairs such as 1 and 0 or Yes and No can also be used.
IPv4 The icon for the IPv4 type is the acronym I P in all caps. A field whose value is an IPv4 address such as 192.0.2.1.
Epoch Time The icon for the Epoch Time type is a simple representation of a clockface. A field whose value is a timestamp.

The Table Editor automatically assigns types to fields when you define initial data for a dataset. It can also assign types to fields when you add fields to those datasets. If a field is assigned the wrong type, you can change the type either by direct table edit, or by using the Edit action menu.

See Apply actions through direct table edits.

Apply actions through menu selections

You can apply actions to your table or elements of your table by making selections from the action menus just above it. Many of these actions can only be performed while you are in the Preview Rows view, but some can be performed in either view.

Detail of Table Editor showing the action menus.

Action menus

The actions and commands that you can apply to your table are categorized into the following menus.

Menu Description
Edit Contains basic editorial actions. Change field types, rename fields, move and delete fields.
Sort Sort rows by the values of a selected field.
Filter Provides actions that let you filter rows out of your dataset.
Clean Features actions that fix or change field values.
Summarize Perform statistical aggregations on your dataset.
Add new Gives you different ways to add fields to your dataset.

Apply actions through direct table edits

You can make edits to your table dataset by clicking on it. Move field columns, change field names, replace field values, and fix field type mismatches.

The following steps apply to both Table Editor views.

Move a field column

You can drag-and-drop field columns to new positions in your table.

  1. Select the column that you want to move.
  2. Click on the column header cell and drag the column to a new location in your table. When you do this, the column header cell moves with your mouse cursor.
  3. Release the mouse button to drop the column in its new location.

This action is not recorded by the Table Editor in the command history sidebar.

Change a field name

You can change a field name by double-clicking on it.

  1. Double-click on the column header cell that contains the name of the field that you want to change.
  2. Enter the new field name.
    Field names cannot be blank, start with an underscore, or contain quotes, backslashes, or spaces.
  3. Click outside of the cell to complete the field name change.

The Table Editor records this change in the command history sidebar as a Rename field action.

Replace field values

Select a field value and replace every instance of it in its column with a new value. For example, if your dataset has an action field with a value of addtocart, you can replace that value with add to cart.

You can use this method to fill null or empty field values.

You cannot make field value replacements on an event by event basis. When you use this method to replace a value in one event in your dataset, that value is changed for that field throughout your dataset.

For example, if you have an event where the city field has a value of New York, you cannot change that value to Los Angeles just for that one event. If you change it to Los Angeles, every instance of New York in the city column also changes to Los Angeles.

  1. Double-click on a cell that contains the field value that you want to change.
  2. Edit the value or replace it entirely.
  3. Click outside of the cell to complete the the field replacement. Every instance of the field value in the field's column will be changed.

The Table Editor records this change in the command history sidebar as a Replace value action.

Fix field type mismatches

Sometimes fields have type mismatches. For example, a string field that has a lot of values with numbers in them might be mistyped as a numeric field. You can give a field the correct type by clicking on the type symbol in its column header cell.

You cannot change the type of the _time or _raw fields.

  1. Find the column header cell of the mistyped field and hover over its type icon. The cursor changes to a pointing finger.
  2. Click on the type icon.
  3. Select the type that is most appropriate for the field.

This action is not recorded by the Table Editor in the command history sidebar.

Use the command history sidebar

The command history sidebar keeps track of the commands you apply as you apply them. You can click on a command record to reopen its command editor and change the values entered there.

When you click on a command that is not the most recent command applied, the Table Editor shows you how the table looked at that point in the command history.

You can edit the details of any command record in the command history. You can also delete any command in the history by clicking the X on its record. When you edit or delete a command record, you potentially can break commands that follow it. If this happens, the command history sidebar will notify you.

When you edit or delete a command that is not the most recent command applied, you can break commands that follow it. If this happens the command history sidebar will notify you.

Click SPL to see the search processing language behind your commands. When you have SPL selected you can click Open in Search to run a search using this SPL in the Search & Reporting view.

Save a new table

When you finish editing a table dataset you can click Save As to save it as a new table dataset.

Prerequisites

Steps

  1. Click Save As to save your table.
  2. Give your dataset a unique Name.
  3. (Optional) Enter or update the Table ID. This value can only contain letters, numbers and underscores. It cannot be changed later.
  4. (Optional) Add a dataset Description.
    Table dataset descriptions are visible in two places:
    • The Dataset listing page, when you expand the table dataset row.
    • The Explorer view of the table dataset, under the dataset name.
    You can edit the description through the Datasets page or the Explorer view by selecting Manage > Edit description.
  5. Click Save to save your changes.

After you save a new table, you can choose one of three options.

Option Outcome
Continue Editing Returns you to the Table Editor, where you can keep editing the dataset.
Explore Dataset Opens the dataset in the Explorer view.
Done Takes you to the Datasets listing page.

Do not create table datasets with the same name

When you create table datasets, always give them unique names. If you have more than one table dataset with the same name in your system you risk experiencing object name collision issues that are difficult to resolve.

For example, say you have two table datasets named Store Sales, and you share one at the global level, but leave the other one private. If you then extend the global Store Sales dataset, the dataset that is created through that extension will display the table from the private Store Sales dataset instead.

Last modified on 29 July, 2020
PREVIOUS
Define initial data for a new table dataset
  NEXT
Dataset extension

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters