Splunk Tutorial
Selected Reading
- Splunk - Discussion
- Splunk - Useful Resources
- Splunk - Quick Guide
- Splunk - Stats Command
- Splunk - Top Command
- Splunk - Sort Command
- Splunk - Monitoring Files
- Splunk - Custom Chart
- Splunk - Removing Data
- Splunk - Apps
- Splunk - Tags
- Splunk - Calculated Fields
- Splunk - Managing Indexes
- Splunk - Sparklines
- Splunk - Overlay chart
- Splunk - Basic Chart
- Splunk - Event Types
- Splunk - Search Macros
- Splunk - Subseraching
- Splunk - Knowledge Management
- Splunk - Schedules and Alerts
- Splunk - Lookups
- Splunk - Pivot & Datasets
- Splunk - Dashboards
- Splunk - Reports
- Splunk - Transforming commands
- Splunk - Search Optimization
- Splunk - Search Language
- Splunk - Sharing and Exporting
- Splunk - Time Range Search
- Splunk - Field Searching
- Splunk - Basic Searching
- Splunk - Source Types
- Splunk - Data Ingestion
- Splunk - Interfaces
- Splunk - Environment
- Splunk - Overview
- Splunk - Home
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
Splunk - Pivot & Datasets
Splunk - Pivot and Datasets
Splunk can ingest different types of data sources and build tables which are similar to relational tables. These are called table dataset or just tables. They provide easy ways to analyse and filter the data and lookups, etc. These table data sets are also used in creating pivot analysis which we learn in this chapter.
Creating a Dataset
We use a Splunk Add-on named Splunk Datasets Add-on to create and manage the datasets. It can be downloaded from the Splunk website, It has to be installed by following the instructions given in the details tab in this pnk. On successful installation, we see a button named Create New Table Dataset.
Selecting a Dataset
Next, we cpck on the Create New Table Dataset button and it gives us the option to choose from the below three options.
Indexes and Source Types − Choose from an existing index or source type which are already added to Splunk through Add Data app.
Existing Datasets − You might have already created some dataset previously which you want to modify by creating a new dataset from it.
Search − Write a search query and the result can be used to create a new dataset.
In our example, we choose an index to be our source of data set as shown in the image below −
Choosing Dataset Fields
On cpcking OK in the above screen, we are presented with an option to choose the various fields we want to finally get into the Table Dataset. The _time field is selected by default and this field cannot be dropped. We choose the fields: bytes, categoryID, cpentIP and files.
On cpcking done in the above screen, we get the final dataset table with all the selected fields, as seen below. Here the dataset has become similar to a relational table. We save the dataset with save as option available in the top right corner.
Creating Pivot
We use the above dataset to create a pivot report. The pivot report reflects aggregation of values of one column with respect to the values in another column. In other words, one columns values are made into rows and another columns values are made into rows.
Choose Dataset Action
To achieve this, we first select the dataset using the dataset tab and then choose the option Visuapze with Pivot from the Actions column for that data set.
Choose the Pivot Fields
Next, we choose the appropriate fields for creating the pivot table. We choose category ID in the sppt columns option as this is the field whose values should appear as different columns in the report. Then we choose File in the Sppt Rows option as this is the field whose values should be presented in rows. The result shows count of each categoryid values for each value in the file field.
Next, we can save the pivot table as a Report or a panel in an existing dashboard for future reference.
Advertisements