Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Manage datasets

The Datasets listing page shows all of the datasets that you have access to in your Splunk implementation. You can see what types of datasets you have, who owns them, and how they are shared.

This topic covers the default capabilities of the Datasets listing page.

If the Splunk Datasets Add-on is installed, the Datasets listing page provides additional management features for table datasets. The Splunk Datasets Add-on installed by default in Splunk Cloud and Splunk Light.

For information about the table dataset features of the Datasets listing page, see Manage table datasets.

Open the Datasets listing page

In the Search app, click Datasets in the green Apps bar.

View dataset detail information

You can expand a dataset row to see details about that dataset, such as the fields contained in the dataset, or the date that the dataset was last modified. When you view the detail information of a table dataset, you can also see the datasets that that table dataset is extended from, if applicable.

  1. In the Search & Reporting app, click Datasets to open the Datasets listing page.
  2. Find a dataset that you want to review.
  3. Click the > symbol in the first column to expand the row of the dataset details.

This image displays the expanded row for a table dataset named Webstore Purchases.

Explore a dataset

Use the Explorer view to inspect a dataset and determine whether it contains information you want. The Explorer view provides tools for the exploration and management of individual datasets.

  • Explore datasets with the View Results and Summarize Fields views.
  • Use a time range picker to see what datasets contain for specific time ranges.
  • Manage dataset search jobs.
  • Export dataset contents.
  • Save datasets as scheduled reports.
  • Perform the same dataset management actions that exist on the Datasets listing page.

For information on using the Explorer view, see Explore a dataset.

Visualize a dataset with Pivot

Use Pivot to create a visualization based on your dataset. You can save the visualization as a report or as a dashboard panel. You do not need to know how to use the Splunk Search Processing Language (SPL) to use Pivot.

You can open all dataset types in Pivot.

Prerequisites

Steps

  1. In the Search & Reporting app, click Datasets.
  2. Find a dataset that you want to work with in Pivot.
  3. Select Explore > Visualize with Pivot.

You can also access Pivot from the Explorer view. See Explore a dataset.

Investigate a dataset in Search

You can create a search string that uses the from command to reference the dataset, and optionally add SPL to the search string. You can save the search as a report, alert, or dashboard panel.

The saved report, alert, or dashboard panel is extended from the original dataset through a from command reference. An extended child dataset is distinct from, but dependent on, the parent dataset from which it is extended. If you change a parent dataset, that change propagates down to all child datasets that are extended from that parent dataset.

Prerequisites

Steps

  1. In the Search & Reporting app, click Datasets to open the Datasets listing page.
  2. Locate a dataset that you want to explore in Search.
  3. Select Explore > Investigate in Search.
    The search returns results in event list format by default. Switch the results format from List to Table to see the table view of the dataset.
  4. (Optional) Update the search string with additional SPL. Do not remove the from reference.
  5. (Optional) Click Save as to save your search, and select either Report, Dashboard Panel, or Alert.
  6. (Optional) Click New Table to create a new table dataset based on the search string.

This option is only available in Splunk Cloud and Splunk Light, and in Splunk Enterprise with the Splunk Datasets Add-on installed.

Edit datasets

From the Datasets listing page you can access editing options for the different dataset types.

Dataset Type Select Result More info
Data Model Manage > Edit Data Model Opens the Data Model Editor. See Design data models.
Lookup Table Manage > Edit Lookup Table Files Opens the Lookup table files listing page in Settings. See About lookups.
Lookup Definition Manage > Edit Lookup Definition Opens the detail page for the lookup definition from the Lookup definitions listing page in Settings. See About lookups.

You cannot edit table datasets unless you use Splunk Cloud or Splunk Light, or you use Splunk Enterprise and have installed the Splunk Datasets Add-on.

See Manage table datasets.

Manage dataset permissions

Change dataset permissions to widen or restrict their availability to other users. You can set up read and write access by role, and you can make datasets globally accesible, restricted to a particular app context, or private to a single user.

By default, only the Power and Admin roles can set permissions for datasets.

Lookup table files and lookup definitions

  1. On the Datasets listing page, identify a lookup table file or lookup definition that requires permission edits.
  2. Select Manage > Edit Permissions.

For information about setting permissions for these dataset types, see Manage knowledge object permissions.

Lookup table files and lookup definitions are interdependent. Every CSV lookup definition includes a reference to a CSV lookup table file, and any CSV lookup table file can potentially be associated with multiple CSV lookup definitions. This means that each lookup table file must have permissions that are wider in scope or equal to the permissions of the lookup definitions that refer to it. For example, if your lookup table file is referenced by a lookup definition that is shared only to users of the Search app, that lookup table file must also be shared with users of the Search app, or it must be shared globally to all users. If the lookup table file is private, the lookup definition cannot connect to it, and the lookup will not work.

See About lookups and field actions.

Data model datasets

Permissions for data model datasets are set at the data model level. All datasets within a data model have the same permissions settings. There are two ways to set permissions for data models:

  • Through the Data Model Editor
  • Through the Data Models listing page in Settings

Prerequisites

Steps for setting data model dataset permissions with the Data Model Editor

  1. In the Search & Reporting app, click Datasets to open the Datasets listing page.
  2. Identify the data model dataset for which you want to update permissions.
  3. Select Manage > Edit data model.
  4. Select Edit > Edit permissions to set permissions for the data model that your selected data model dataset belongs to.
  5. (Optional) Change the audience that you want the data model to Display for. It can display for users of a specific App or users of All apps.
  6. (Optional) If the data model displays for an App or All apps, you can change the Read and Write settings that determine which roles can view or edit the data model.
  7. Click Save or Cancel.

Steps for setting data model dataset permissions with the Data Models listing page in Settings

  1. Select Settings > Data models.
  2. Identify the data model for which you would like to change permissions.
  3. Select Edit > Edit permissions to set permissions for the data model that your selected data model dataset belongs to.
  4. (Optional) Change the audience that you want the data model to Display for. It can display for users of a specific App or users of All apps.
  5. (Optional) If the data model displays for an App or All apps, you can change the Read and Write settings that determine which roles can view or edit the data model.
  6. Click Save or Cancel.

Share private lookup and data model datasets that you do not own

If you want to share a private dataset that you do not own, you can change its permissions though the appropriate management page in Settings. You cannot see private datasets that you do not own in the Datasets listing page.

Steps

  1. Select the Settings page for the type of data model that you are looking for, such as Settings > Lookups > Lookup table files.
  2. Locate the dataset that you want to share and select Edit > Edit Permissions.
  3. Share the dataset at the App or All apps level, and set read/write permissions as necessary.
  4. Click Save.

When you return to the Datasets listing page you see that the dataset is visible and has the new permissions that you set for it.

Delete datasets

You can delete lookups and table datasets through the Datasets listing page. You can delete a data model dataset from the Data Model editor.

Lookups and table datasets

  1. In the Search & Reporting app, click Datasets to open the Datasets listing page.
  2. Locate a lookup or table dataset that you want to delete.
  3. Select Manage > Delete.
  4. On the Delete Dataset dialog, click Delete again to verify that you want to delete the dataset.

Data model datasets

  1. In the Search & Reporting app, click Datasets to open the Datasets listing page.
  2. Locate a data model dataset that you want to delete.
  3. Select Manage > Edit Dataset.
  4. In the Data Model Editor, click Delete for the data model dataset.
Last modified on 29 July, 2020
PREVIOUS
Dataset types and usage
  NEXT
Explore a dataset

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters