Splunk® Enterprise
Pivot Manual
- Documentation
- Splunk® Enterprise
- Pivot Manual
- Introduction to Pivot
Pivot Overview
- Introduction to Pivot
Building Pivots
- Design pivot tables with the Pivot Editor
- Design pivot charts and visualizations with the Pivot Editor
- Query Pivot multiple columns
- Pivot/UnPivot Data from json msg
- How to pivot convert in Splunk?
- convert pivot table into stats
- How to create a pivot table in a dashboard from a ...
- pivot | where
- Pivot table filter flexibility?
- two searches in pivot
- Excel Like Pivot Table
- Create a Pivot Table
Read more...
The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations.
How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model datasets to further subdivide the original dataset and define the fields that you want Pivot to return results on. Data models and their datasets are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data.
For example, you can have a data model that tracks email server information, with datasets representing emails sent and emails received. If you want to focus on patterns in your sent email, select the "Email Activity" data model and choose the "Emails Sent" dataset.
For an in-depth conceptual overview of data models and data model datasets, see About data models.
Creating a pivot:
There are two ways to navigate to the Pivots view:
- Through the Datasets page
- Through the Data Model listing page, via Settings
Steps
| From | What to do |
|---|---|
| Datasets page |
|
| Settings > Data Models |
|
If you view Pivot in smaller browser windows, the Search & Reporting app's navigation bar is hidden. To use the navigation bar, click the menu icon on the upper right. The navigation bar slides down.
After you select a dataset, Splunk Web takes you to the Pivot Editor where you can create a pivot using the fields that are available to you. Your pivot can take the form of a table or chart. Go to the "Design pivots with the Pivot Editor" topic in this manual to learn how to use the Pivot Editor to create a table, chart, or other visualization with Pivot.
About datasets, briefly
The precise composition of a dataset is determined by the type of dataset you choose and the way the dataset has been defined by your data model administrator. There are four dataset types:
- Event datasets represent a set of events. Root event datasets are defined by constraints (see below).
- Transaction datasets represent transactions--groups of events that are related in some way, such as events related to a firewall intrusion incident, or the online reservation of a hotel room by a single customer.
- Search datasets represent the results of an arbitrary search. Search datasets are typically defined by searches that use transforming or streaming commands to return results in table format, and they contain the results of those searches.
- Child datasets can be added to any dataset. They represent a subset of the dataset encompassed by their parent dataset. You may want to base a pivot on a child dataset because it represents a specific chunk of data--exactly the chunk you need to work with for a particular report.
Dataset constraints and fields
What are constraints and fields?
Constraints are simple searches that define the dataset that a dataset represents. They are used by root event datasets and all child datasets to define the dataset that they represent. All child datasets inherit constraints from their parent datasets, and have a new constraint of their own. This additional constraint ensures that they each inherit a subset of their parent dataset's dataset.
For example, you could have a root event dataset titled "Error events" where the constraint is simply: "error". This dataset would potentially include all of the events in your system that include the string "error"; it would return the same events as a search for "error".
Most event datasets have constraints that are more complex than that, but often not by much. For example, the sample data model "Splunk's Internal Server Logs" includes a child event dataset named "Search Load - Users." It contains events that track the number of concurrent searches being run by users. The inherited constraints for this dataset boil down to the following search:
index=_internal source=*metrics_log*
This search returns metrics log events from the _internal index. The child dataset then has this additional constraint:
group=search_concurrency user=*
This further narrows down the set of events represented by the dataset to metrics log events from the _internal index that have a group field value of concurrency and a user field with any value.
Event dataset definitions also identify the fields that appear in their event data. Fields are associated with a specific dataset. Some fields will map directly to the dataset's event data; others are calculated fields or are added to the dataset's events with the help of lookups and regular expressions.
Each child dataset inherits the fields that belong to its parent dataset. Child datasets can include additional fields that are not part of the parent dataset definition.
For a more detailed explanation of data models, datasets, dataset constraints, and dataset fields, see "About data models" in the Knowledge Manager Manual.
What's in this manual?
This manual shows you how to use the Pivot Editor to generate useful tables, charts, and other visualizations of your important event data. The pivots that you create can be saved as reports or dashboard panels.
This manual's topics include:
- Design pivot tables with the Pivot Editor - Learn how to use the Pivot Editor to generate tables, charts, and other representations of your data.
- Design pivot charts and visualizations with the Pivot Editor
Last modified on 29 March, 2024
| Design pivot tables with the Pivot Editor |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
Download manual
Download this page
Back To Top
Introduction to Pivot
- About datasets, briefly
- Dataset constraints and fields
- What's in this manual?
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here »
Closing this box indicates that you accept our Cookie Policy.
