Splunk® Enterprise

Knowledge Manager Manual

View and update a table dataset

After you define the initial data for your table dataset, you can continue to use Table Views to refine it and maintain it. You also use Table Views to make changes to existing table datasets.

Table Views includes several table dataset editing tools:

  • Work with your table in two modes:
    • Rows, which renders the dataset in a standard table format.
    • Summary, which displays statistical information for each of the fields in your table and their values.
  • Click directly on your table to make edits to your dataset. Move field columns, change field names, fix field type mismatches, and update field values.
  • Apply actions to the table that filter events, add fields, edit field names and field values, perform statistical data aggregations, and more. You can apply actions through menu selections, or by making edits directly to table elements.
  • Use a command history feature to review, edit, and undo actions that were applied to the table.
  • Click SPL to see the search language generated for each of your commands.

Get to Table Views

There are three ways to get to Table Views.

Method Details
When you define initial data for a new table dataset See Define initial data for a new table dataset.
When you edit an existing table dataset. See Edit a table dataset in Manage table datasets.
When you extend an existing dataset as a new table dataset See Extend a dataset as a new table datasetin Manage table datasets.

Table Views modes

You can edit your table in two modes: Rows mode and Summary mode.

Rows mode

Rows mode is the default Table Views mode. It displays your table dataset as a table, with fields as columns, values in cells, and sample events in rows. It displays 50 sample events from your dataset. It does not represent the results from any particular time range.

You can edit your table by applying actions to it, either by making menu selections or by making edits directly to the table.

In the context of Table Views, the Rows mode is a search tool rather than an editing tool. It does not provide a time range picker.

If you want to see a table-formatted set of results from a specific time range, see Explore a dataset.

Summary mode

Click Summary to see analytical details about the fields in the table. You can see top value distributions, null value percentages, numeric value statistics, and more.

You can apply some menu actions and commands to your table while you are in the Summary mode. You can also apply actions through direct edits, such as moving columns, renaming fields, fixing field type mismatches, and editing field values.

When you are in the Summary mode, you can view field analytics for a specific range of time using the time range picker.

The time range picker shows events from the last 24 hours by default. If your dataset has no events from the last 24 hours, it has no statistics when you open this view. To fix this, adjust the time range picker to a range where events are present.

The time range picker gives you a variety of time range definition options. You can choose a preset time range, or you can define a custom time range. For help with the time range picker, see Select time ranges to apply to your search in the Search Manual.

Table element selection options

Availability of menu actions depends on the table elements that you select. For example, some actions are only available when you select a field column.

You have the same selection options in the Rows and Summary views.

Element Applies action to How to select
Table Entire dataset Click the asterisk header at the top of the leftmost column.
Column A field Click a column header.
Multi-Column Two or more fields
  • To select multiple nonadjacent columns, hold the CTRL or CMD key and click the header row of each column you wish to select. Deselect columns by clicking them while holding CTRL or CMD.
  • To select a range of adjacent columns, click the header row of the first column, hold SHIFT, and click the header row of the last column.
Cell A field value Click a cell.
Text A portion of text within a field value. Click and drag to select text. You can select text for text and iPv4 field types.

Field types

Each field belongs to a type. There are five field types.

Some actions and commands can only be applied to fields of specific types. For example, you can apply the Round Values and Map Ranges actions only to numeric fields.

Type Icon Definition
String The icon for the string type is the letter a in an italic font. A field whose values are text strings. It can include a mix of text and numbers.
Number The icon for the number type is a hash symbol. A field whose values are purely numerical. Does not include IPv4 addresses.
Boolean The icon for the Boolean type is a large dot surrounded by a circle. A field whose values are either true or false. Alternate value pairs such as 1 and 0 or Yes and No can also be used.
IPv4 The icon for the IPv4 type is the acronym I P in all caps. A field whose value is an IPv4 address such as 192.0.2.1.
Epoch Time The icon for the Epoch Time type is a simple representation of a clockface. A field whose value is a timestamp.

Table Views automatically assigns types to fields when you define initial data for a dataset. It can also assign types to fields when you add fields to those datasets. If a field is assigned the wrong type, you can change the type by selecting the column header and using the Edit action menu.

See Apply actions through direct table edits.

Apply actions through menu selections

You can apply actions to your table or elements of your table by making selections from the action menus just above it. Many of these actions can be performed only while you are in the Rows mode, but some can be performed in either view.

The actions and commands that you can apply to your table are categorized into the following menus.

Menu Description
Edit Contains basic editorial actions, like changing field types, renaming fields, and moving or deleting fields.
Sort Sort rows by the values of a selected field.
Filter Provides actions that let you filter rows out of your dataset.
Clean Features actions that fix or change field values.
Summarize Performs statistical aggregations on your dataset.
Add new Gives you different ways to add fields to your dataset.

Apply actions through direct table edits

You can make edits to your table dataset by clicking it. Move field columns, change field names, replace field values, and fix field type mismatches.

Move a field column

You can drag field columns to new positions in your table.

  1. Select the column that you want to move.
  2. Click on the column header cell and drag the column to a new location in your table.
  3. Drop the column in its new location.

This action is not recorded in the command history sidebar.

Change a field name

  1. Double-click on the column header cell that contains the name of the field that you want to change.
  2. Enter the new field name.
    Field names cannot be blank, start with an underscore, or contain quotes, backslashes, or spaces.
  3. Click outside of the cell to complete the field name change.

Table Views records this change in the command history sidebar as a Rename field action.

Replace field values

Select a field value and replace every instance of it in its column with a new value. For example, if your dataset has an action field with a value of addtocart, you can replace that value with add to cart.

You can use this method to fill null or empty field values.

You cannot make field value replacements on an event by event basis. When you use this method to replace a value in one event in your dataset, that value is changed for that field throughout your dataset.

For example, if you have an event where the city field has a value of New York, you cannot change that value to Los Angeles just for that one event. If you change it to Los Angeles, every instance of New York in the city column also changes to Los Angeles.

  1. Double-click on a cell that contains the field value that you want to change.
  2. Edit the value or replace it entirely.
  3. Click outside of the cell to complete the field replacement. Every instance of the field value in the field's column is changed.

Table Views records this change in the command history sidebar as a Replace value action.

Fix field type mismatches

Sometimes fields have type mismatches. For example, a string field that has a lot of values with numbers in them might be mistyped as a numeric field. You can give a field the correct type by clicking on the type symbol in its column header cell.

You cannot change the type of the _time or _raw fields.

  1. Find the column header cell of the mistyped field and hover over its type icon. The cursor changes to a pointing finger.
  2. Click on the type icon.
  3. Select the type that is most appropriate for the field.

This action is not recorded in the command history sidebar.

Use the command history sidebar

The command history sidebar keeps track of the commands you apply as you apply them. You can click on a command record to reopen its command editor and change the values entered there.

When you click on a command that is not the most recent command applied, Table Views shows you how the table looked at that point in the command history.

You can edit the details of any command record in the command history. You can also delete any command in the history by clicking the X on its record. When you edit or delete a command record, you potentially can break commands that follow it. If this happens, the command history sidebar will notify you.

Click SPL to see the search processing language behind your commands. When you have SPL selected you can click Open in Search to run a search using this SPL in the Search & Reporting app.

Save a new table dataset

When you finish editing a table dataset you can click Save As to save it as a new table dataset.

When you create table datasets, always give them unique names. If you have more than one table dataset with the same name in your system you risk experiencing object name collision issues that are difficult to resolve.

For example, say you have two table datasets named Store Sales, and you share one at the global level, but leave the other one private. If you then extend the global Store Sales dataset, the dataset that is created through that extension will display the table from the private Store Sales dataset instead.

  1. Click Save As to save your table.
  2. Give your dataset a unique Name.
  3. (Optional) Enter or update the Table ID. This value can contain only letters, numbers and underscores. It cannot be changed later.
  4. (Optional) Add a dataset Description.
    Table dataset descriptions are visible in two places:
    • The Dataset listing page, when you expand the table dataset row.
    • The Explorer view of the table dataset, under the dataset name.
    You can edit the description through the Datasets page or the Explorer view by selecting Edit > Edit description.
  5. Click Save to save your changes.

After you save a new table dataset, you can choose one of three options.

Option Outcome
Close Returns you to Table Views, where you can keep editing the dataset.
View Table Opens the dataset in the Explorer view.
View Listings Takes you to the Datasets listing page.
Last modified on 25 June, 2021
Define initial data for a new table dataset   Dataset extension

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.2, 9.2.1, 9.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters