Splunk Cloud Platform

Search Manual

Open a non-transforming search in Pivot to create tables and charts

Searches that do not contain transforming commands return event lists that you can view in the Events tab, and you can use the Patterns tab to see the dominant patterns amongst those events. However, these non-transforming searches cannot return results in the form of statistical tables. Without statistical tables, Splunk software cannot create charts or other visualizations. This means that when you run a non-transforming search you do not get results in the Statistics or Visualization tabs.

If you run a non-transforming search and want to make tables or charts based on it, go to the Statistics or Visualization tab and open the search in Pivot.

In the Pivot Editor, you can build tables and charts without editing the original search string. As you work with the Pivot Builder to refine your visualizations, the underlying search is rerun as required so you can see the effect of your changes.

When you save a visualization that you create in the Pivot Editor as a report or dashboard panel, a corresponding data model is created. This data model is the foundation of the saved report or dashboard panel. It defines the underlying search and the fields involved in the report or dashboard panel. Without it you cannot rerun the report or view the panel that you saved.

Open a search in Pivot

  1. In the Search view, run a non-transforming search. For example:

    sourcetype=access_* status=200 action=purchase

  2. Go to the Statistics or Visualization tab and click Pivot.
  3. Select the set of fields that you want to use to build your pivot table or chart in the Pivot Builder.
    Each option displays the number of fields it represents in parentheses:
    All Fields provides all of the fields that were discovered by the search.
    Selected Fields restricts you to the fields identified as Selected Fields for the search on the Fields tab. If you open a search in Pivot without making changes or selecting fields, the Selected Fields option provides the default selected fields: host, source, and sourcetype. To build your pivot table or chart using a different set of fields, go to the Fields tab and select the fields in the Selected Fields list before you move to the Statistics or Visualization tab and open the search in Pivot.
    Fields with at least lets you set a coverage threshold for your fieldset. For example, to work with fields that apply to the majority of your events, set the threshold to something high, like 70%. The fieldset you get in Pivot only includes fields that exist in 70% (or more) of the events returned by the search.
  4. Click OK to go to the Pivot Editor.
  5. Build your pivot table or chart.
    The Attributes list in the pivot element types (filters, split rows, split columns, and column values) contains the fieldset that you selected in step 3.
    Note: If you navigate away from the Pivot Editor without saving your table or chart, your work is lost.
    To save your work, see the next subtopic, "Save the finished pivot table or chart."
    While in the Pivot Editor, you can click Open in Search to open the pivot search in the Search interface and edit that search. This action takes you out of the Pivot Editor and prevents you from saving any pivot table or chart you created (see the next subtopic). For more information about using the Pivot Editor to design tables, see "Design pivot tables with the Pivot Editor." For more information about using the Pivot Editor to design charts and other visualizations, see "Design pivot charts and visualizations with the Pivot Editor."
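
To preview which fields would pass a "Fields with at least" threshold from step 3 before you open the search in Pivot, the following search approximates per-field coverage with the fieldsummary command. It is an added example, not part of the original Splunk documentation, and it is not the calculation Pivot itself performs. It assumes default fields such as host appear in every event, so the largest per-field count equals the total number of events; total_events and coverage_pct are names chosen for this example.

```spl
sourcetype=access_* status=200 action=purchase
| fieldsummary
| eventstats max(count) AS total_events
| eval coverage_pct = round(100 * count / total_events, 1)
| where coverage_pct >= 70
| sort - coverage_pct
| table field coverage_pct distinct_count
```

Fields that appear in this result are the ones a 70% threshold would be expected to keep; lower the value in the where clause to see what a looser threshold would add.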

Save the finished pivot table or chart

You can save a table or chart in the Pivot Editor as a report or dashboard panel. However, Splunk software must also create a data model to support the saved report or panel. This data model is required to access the report or panel after you have saved it.

  1. In the Pivot Editor, click Save As and select either Report or Dashboard Panel.
  2. Depending on which one you choose, either the Save As Report or Save As Dashboard Panel dialog box appears.
  3. In the Save As dialog box, provide information for the report or dashboard panel that you are saving.
    For more information about these fields, see the documentation on saving reports or saving dashboard panels.
  4. In the Save As dialog box, type the Model Name and Model ID for the data model that will support the report or dashboard panel.
    You can manage the model that Splunk Enterprise creates through this process if your role has admin-level capabilities.
  5. Click Save to save the report or dashboard panel and create the data model.
    Click a button to view the new report or dashboard panel, or go to the new data model by clicking the name of the model.
    Click the data model name to go to the Data Model Builder, where you can change the fields associated with the model and add data model datasets to the model.

About permissions for datasets created through this method

Newly created data models are private and can only be seen and used by the person who created them. Only users with admin or power roles (or a role with equivalent permissions) can share data models. If the data model is not shared, reports or dashboard panels created with that data model cannot be shared either. In addition, data models cannot be accelerated until they are shared.

If you have created a report or dashboard panel that is for your use only, you do not have to do anything. If you want other users to be able to access the report or dashboard panel, share the related data model, if you have appropriate permissions, or have a user with admin-level permissions share it for you.

For more information about data model permissions see "Manage data models" in the Knowledge Manager Manual.

Last modified on 01 September, 2016

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403
