Splunk Cloud Platform

Knowledge Manager Manual

Define initial data for a new table dataset

When you create a new table dataset with Table Views, you start by defining initial data. You have three options for initial data.

An index and source type combination
You can populate your new dataset with events associated with a combination of indexes and source types.
An existing dataset
You can populate your dataset using a dataset that already exists. The dataset can be a table dataset, a data model dataset, a CSV lookup table, or a CSV lookup definition.
A search
You can base your dataset on the results of any search string, as long as it doesn't include transforming commands.

Prerequisites

  • To access the data required to create table datasets, you must have a role with the get_metadata capability.
  • If you use Splunk Analytics for Hadoop and want to create a dataset based on data from a virtual index, you must get your initial data either from a search that references the virtual index or from an existing dataset that already has the virtual index data.

Identify an index and source type combination for initial data

  1. In the Search & Reporting app, open the Datasets listing page.
  2. Click Create Table View to go to the initial data setup screen.
  3. Choose an index that you want to use for initial data. If you do not want to select a specific index, select All indexes.
  4. Select a source type that you want to use for initial data. If you do not want to select a specific source type, select All source types.

    If you select both '''All indexes''' and '''All source types''', you risk creating an overly broad dataset that contains all of the events indexed by your Splunk platform implementation, with the exception of events in _internal and other internal indexes, which you must specify by name. In general, avoid creating overly broad datasets. The datasets feature is designed for creating narrow views of data.

  5. Click Next. A preview of your dataset appears. Rows are events, columns are fields, and cells are field values.
  6. Select existing fields that you want to see in your dataset.
  7. (Optional) If you are not seeing a field choice that you are expecting, add the missing field by following these steps:
    1. At the top of the field list, click Add a missing existing field.
    2. Enter the field and click Add.
    3. Select the added field.
  8. Use the dataset preview pane to verify that this is the initial data that you want. If you do not find the existing fields or field values that you were expecting, you can remove this selection and select another one.
  9. When you are satisfied that your index, source type, and field selections provide the correct initial data for your dataset, click Start Editing to confirm your index, source type, and field selections.

Use an existing dataset for initial data

The Datasets tab lets you select an existing dataset for your initial data. You can select any dataset that you can otherwise see on the Datasets listing page, including data model datasets, lookup tables, and lookup definitions.

When you create a dataset that uses an existing dataset for initial data, you can choose between cloning and extending the existing dataset.

  1. In the Search & Reporting app, open the Datasets listing page.
  2. For the dataset that you want to clone or extend, select either Edit > Clone or Edit > Extend in Table.
    Selection Description
    Clone Creates an identical copy of the original dataset. Only table datasets can be cloned.
    Extend Creates a dataset that is extended from an existing dataset. Changes made to the original dataset propagate down to the extended dataset. All dataset types can be extended.
  3. If you are working with a lookup table file, select the fields that you want to use in your table.

    The fields you select are the only fields that will make up your dataset, along with _raw and _time, which are required. You can hover over a field to see field statistics, such as the percentage of events in the dataset that have the field and the top values for the field.

    Table datasets, data model datasets, and lookup definitions have fixed fields. When you create a new dataset by cloning or extending a dataset with fixed fields, you can't choose which of those fields you want to start with in your dataset.
  4. (Optional) If you don't see a field choice that you are expecting, add the missing field by following these steps:
    1. At the top of the field list, click Add a missing existing field.
    2. Enter the field and click Add.
    3. Select the added field.
  5. Use the dataset preview pane to verify that this is the initial data that you want. If you do not find the existing fields or field values that you were expecting, you can remove this selection and select another one.
  6. When you are satisfied that your index, source type, and field selections provide the correct initial data for your dataset, click Start Editing to confirm your index, source type, and field selections.

Provide a search string for initial data

There are two methods that you can follow to derive the search string for initial data. Once you provide the search string, the other initial data setup steps are the same.

The search string you provide must identify the fields that its search commands operate on. For example, a search that only includes commands like sendemail, highlight, or delete is invalid because those commands do not require that you identify the fields that they operate upon.

Use a search string that you created in the Search view

  1. In the Search view, create a search that returns events that you want in your table.
  2. Click Create Table View to use the search as the initial data for a new table dataset.
    Table Views opens with the search string you designed in the search field.
  3. (Optional) Add more Splunk SPL commands until you have a search that returns results that you want to use in a dataset.
  4. Click Save to open the Save As New Table box.
  5. Enter a Table Title.
  6. Click Save to save the table.

Start with a search string that extends an existing dataset

This method creates a dataset that is extended from an existing dataset. Changes made to the original dataset propagate down to the extended dataset. All dataset types can be extended.

  1. In the Search & Reporting app, open the Datasets listing page.
  2. Click Edit > Extend in Table.
  3. (Optional) Select the fields you want to see in your dataset. You can select fields whether or not the original dataset type has fixed fields.
  4. (Optional) Add more Splunk SPL commands until you have a search that returns results that you want to use in a dataset.
  5. Click Save to open the Save As New Table box.
  6. Enter a Table Title.
  7. Click Save to save the table.
Last modified on 10 September, 2024
Manage table datasets   View and update a table dataset

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters