Mastering Splunk

Pivot

You can create your Splunk reports without having to use the Splunk Enterprise Search Processing Language (SPL) by utilizing the Splunk pivot tool.

Splunk pivot is a simple drag-and-drop interface that uses (predefined) data models and data model objects. These data models (designed by the knowledge managers in an organization and discussed later in this book) are used by the pivot tool to define, subdivide, and set attributes for the event data you are interested in.

You can create a Splunk pivot table by following these steps:

  1. Go to the Splunk Home page and click on Pivot for the app workspace you want to use.
  2. Next, from the Select a Data Model page, choose a specific data model (by identifying which dataset to work with).
  3. Once you select a data model, select the object to work with from the list of objects within that data model (an object can be of type event, transaction, search, or child, and represents a specific view or slice of a Splunk search result), or click on edit objects to edit or add to the objects within the data model.
  4. After you select a specific object, Splunk takes you to the pivot editor, where you can create your pivot.

The pivot editor

Splunk will start the pivot editor in what is referred to as the pivot table mode.

In the pivot table mode, the editor displays only one row that represents the object's total result count over all the time spans, based on the type of object you've selected:

  • event type: This is the total number of events (selected by the object)
  • transaction type: This is the total number of transactions (identified by the object)
  • search type: This is the total number of table rows (returned by the base search in the object)

You define pivot tables using Splunk pivot elements, which fall into four basic pivot element categories: filters, split rows, split columns, and column values.

Only two pivot elements are defined when you start: a Filter element (always set to All time) and a Column Values element (always set to Count of your selected object, based on the object type, and shown as Count of Prior For in the following screenshot).

Using the editor, you can add, define, and remove multiple pivot elements from each pivot element category to define your pivot table:

  • Filters: This category is used to reduce the result count for the object
  • Split Rows: This category is used to split up the pivot results by rows
  • Split Columns: This category is used to break up field values by columns
  • Column Values: This category is used to show the aggregate results, such as counts, sums, and averages

Working with pivot elements

Within the pivot editor, all pivot element categories can be managed in the same way:

  1. Click on the + icon to open the element dialog, where you choose an attribute and then define how the element uses this attribute.
  2. Click on the pencil icon on the element to open the element dialog in order to edit how a pivot element is defined.
  3. Drag-and-drop elements within their pivot element categories to reorder them.
  4. Drag-and-drop the elements between pivot element categories to transfer the element to the desired pivot category (with transfers, there are some restrictions on what can and cannot be transferred by drag-and-drop).
  5. Click on the pencil icon on the element to open the element dialog and click on Remove to remove the element (or you can click on the element and shake it up and down until it turns red and then drop it—my favorite method).

Pivot elements are managed using the pivot element dialog. The element dialog is broken up into two steps: choose (or change) the element, and then configure the element. We'll look at each category in the following sections.

Filtering your pivots

Splunk pivots can be filtered using filter elements.

Splunk supports three kinds of filter elements that can be used with pivots. It's important to understand each one of them:

  • Time: This element is always present and cannot be removed. The time defines the time range for which your pivot will return results.
  • Match: This element enables you to match on attribute values, whether they are strings, numbers, timestamps, Booleans, or IPv4 addresses (although currently only as AND matches, not OR matches).
  • Limit: This element enables you to restrict the number of results returned by your pivot.

Note

The configuration options for the match and limit filter elements depend on the type of attribute you've chosen for the element.
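Although the pivot editor spares you from writing SPL, every pivot it builds is backed by the pivot search command, and seeing that command side by side with the four element categories (filters, split rows, split columns, and column values) and the three filter kinds (time, match, and limit) makes the editor's choices concrete. The following search is an added example written for this section, not code from the book or from Splunk's documentation. The data model name Web_Access, the object name Requests, and the fields host, status, and clientip are constructed placeholders; substitute the names from your own data model.

```spl
| pivot Web_Access Requests
    count(Requests) AS "Count of Requests"
    SPLITROW host AS host
    SPLITCOL status AS status
    FILTER status > 399
    LIMIT host BY top 10 count(Requests)
    SORT 100 host
    ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1
```

Reading it clause by clause: count(Requests) AS "Count of Requests" is the Column Values element the editor creates for you at the start; SPLITROW host puts one host per row and SPLITCOL status puts one HTTP status code per column, so each cell is the number of error responses a given host returned with a given status; FILTER status > 399 is a Match filter that keeps only client and server error responses; LIMIT host BY top 10 count(Requests) is a Limit filter that keeps the ten busiest hosts; SORT, ROWSUMMARY, COLSUMMARY, and SHOWOTHER are the table-layout settings the editor always emits. The Time filter has no clause here because the pivot command takes its time range from the search time range picker, which is why the Time element can never be removed in the editor. A report like this is a quick way to spot a host that is suddenly producing far more 4xx or 5xx responses than its peers, a common first indicator of misconfiguration or of something probing it.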