Table datasets and the Splunk Datasets Add-on
You can create and manage table datasets if you use Splunk Enterprise and have installed the Splunk Datasets Add-on, or if you use Splunk Cloud.
Table datasets, or tables, are a type of dataset that you can create, shape, and curate for a specific purpose. You begin by defining the initial data for the table, such as an index, source type, search string, or existing dataset. Then you edit and refine that table in the Table Editor until it fits the precise shape that you and your users require for later analysis and reporting work.
After you create your table, you can continue to iterate on it over time, or you can share it with others so they can refine it further. You can also use techniques like dataset cloning and dataset extension to create new datasets that are based on datasets you have already created.
You can manage table datasets alongside other dataset types that are available to all users of Splunk Enterprise and Splunk Cloud, like data model datasets and lookups. All of these dataset types appear in the Datasets listing page.
The Splunk Datasets Add-on is preinstalled for all users of Splunk Cloud.
Default datasets functionality for Splunk Enterprise users
This table explains what all Splunk Enterprise and Splunk Cloud users can do with datasets by default.
| Dataset activity | Why this is useful |
|---|---|
| View dataset contents | Check a dataset to determine whether it contains fields and values that you want to work with. For example, you can view lookup table files directly instead of searching their contents in the Search view. |
| Open datasets in Pivot | With Pivot you can design a visualization-rich analytical report or dashboard panel that is based on your dataset. Pivot can also help you discover data trends and field correlations within a dataset. |
| Extend datasets in Search | Extend your dataset as a search, modify its search string as necessary, and save the search as a report, alert, or dashboard panel. |
Next steps
- Read an overview of the of the dataset types that you can explore, manage, and create. See Dataset types and usage.
- Learn about the Datasets listing page. See View and manage datasets.
- Learn about dataset extension. See Dataset extension.
Additional dataset features provided by the Splunk Datasets Add-on
Splunk Enterprise users who install the Splunk Datasets Add-on gain the following datasets functionality. Cloud users get this functionality by default.
| Dataset activity | Why this is useful |
|---|---|
| Use the Table Editor to create tables | You can design sophisticated and tightly-focused collections of event data that fit specific business needs, even if you have minimal SPL skills. |
| Share and refine tables over time | After you create a table you can give other users read or write access to it so they can curate and refine it. For example, you can create a simple dataset, and then pass it to another user with deep knowledge of the source data to shape it for a specific use. You can also extend your dataset and let other people refine the extension without affecting the original dataset. |
| View field analytics | The Table Editor offers a Summarize Fields view that provides analytical information about the fields in your dataset. You can use this knowledge to determine what changes you need to make to the dataset to focus it to your needs. |
| Extend any dataset as a table | Dataset extension enables you to create tables that use the definition of any dataset type as their foundation. This enables you to create tables that are based on lookups and data model datasets and then modify those tables to fit your specific use cases. |
| Clone tables | You can make exact copies of table datasets and save the copy with a new name. Only table datasets can be cloned. |
| Accelerate tables | You can accelerate table datasets in a manner similar to report and data model acceleration. This can be helpful if you are using a very large dataset as the basis for a pivot report or dashboard panel. Once accelerated, the table returns results faster than it would otherwise. |
Next steps
- Install the Splunk Datasets Add-on. See Install the Splunk Datasets Add-on in Install the Splunk Datasets Add-on.
- Define initial data for a new table dataset (requires add-on). See Define initial data for a new table dataset.
- Edit a table dataset (requires add-on). See Define initial data for a new table dataset.
- Accelerate a table dataset (requires add-on). See Accelerate tables.
| Explore a dataset | Manage table datasets |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Download manual
Feedback submitted, thanks!