Splunk® Enterprise

Knowledge Manager Manual



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Table datasets and the Splunk Datasets Add-on

You can create and manage table datasets if you use Splunk Enterprise and have installed the Splunk Datasets Add-on, or if you use Splunk Cloud.

Table datasets, or tables, are a type of dataset that you can create, shape, and curate for a specific purpose. You begin by defining the initial data for the table, such as an index, source type, search string, or existing dataset. Then you edit and refine that table in the Table Editor until it fits the precise shape that you and your users require for later analysis and reporting work.

After you create your table, you can continue to iterate on it over time, or you can share it with others so they can refine it further. You can also use techniques like dataset cloning and dataset extension to create new datasets that are based on datasets you have already created.

You can manage table datasets alongside other dataset types that are available to all users of Splunk Enterprise and Splunk Cloud, like data model datasets and lookups. All of these dataset types appear in the Datasets listing page.

The Splunk Datasets Add-on is preinstalled for all users of Splunk Cloud.

Default datasets functionality for Splunk Enterprise users

This table explains what all Splunk Enterprise and Splunk Cloud users can do with datasets by default.

| Dataset activity | Why this is useful |
| --- | --- |
| View dataset contents | Check a dataset to determine whether it contains fields and values that you want to work with. For example, you can view lookup table files directly instead of searching their contents in the Search view. |
| Open datasets in Pivot | With Pivot you can design a visualization-rich analytical report or dashboard panel that is based on your dataset. Pivot can also help you discover data trends and field correlations within a dataset. |
| Extend datasets in Search | Extend your dataset as a search, modify its search string as necessary, and save the search as a report, alert, or dashboard panel. |

Additional dataset features provided by the Splunk Datasets Add-on

Splunk Enterprise users who install the Splunk Datasets Add-on gain the following datasets functionality. Cloud users get this functionality by default.

| Dataset activity | Why this is useful |
| --- | --- |
| Use the Table Editor to create tables | You can design sophisticated and tightly-focused collections of event data that fit specific business needs, even if you have minimal SPL skills. |
| Share and refine tables over time | After you create a table you can give other users read or write access to it so they can curate and refine it. For example, you can create a simple dataset, and then pass it to another user with deep knowledge of the source data to shape it for a specific use. You can also extend your dataset and let other people refine the extension without affecting the original dataset. |
| View field analytics | The Table Editor offers a Summarize Fields view that provides analytical information about the fields in your dataset. You can use this knowledge to determine what changes you need to make to the dataset to focus it to your needs. |
| Extend any dataset as a table | Dataset extension enables you to create tables that use the definition of any dataset type as their foundation. This enables you to create tables that are based on lookups and data model datasets and then modify those tables to fit your specific use cases. |
| Clone tables | You can make exact copies of table datasets and save the copy with a new name. Only table datasets can be cloned. |
| Accelerate tables | You can accelerate table datasets in a manner similar to report and data model acceleration. This can be helpful if you are using a very large dataset as the basis for a pivot report or dashboard panel. Once accelerated, the table returns results faster than it would otherwise. |

Last modified on 05 February, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

