https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212293#M62136 <P>Lastly, is count(All_Assets) just getting a count of the instances of the field "All_Assets" within the data? Or is All_Assets a string? </P> Tue, 29 Sep 2020 11:09:57 GMT Justin1224 2020-09-29T11:09:57Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212285#M62128 <P>Hey all,</P> <P>I've just encountered the pivot command for the first time and after reading through the Splunk page on it, I am still confused as to what it does. If it helps, here is my search query:</P> <P>| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count</P> <P>Any help would be appreciated!</P> Tue, 29 Sep 2020 11:08:53 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212285#M62128 Justin1224 2020-09-29T11:08:53Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212286#M62129 <P>| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count</P> <P>as per my understandings, <BR /> pivot Identity_Management All_Assets ---- it uses the data model.<BR /> and, it counts all assets as count, split rows category wise and sorting by count. </P> <P>let us know if you have any other questions.<BR /> <STRONG>update -</STRONG> to add the photo, i edited this answer and attached it. <BR /> Fundamentally this pivot command is a wrapper around stats and xyseries. It does not add new behavior, but it may be easier to use if you are already familiar with how Pivot works.<BR /> so, assume pivot as a simple command like stats. you can see these two example pivot charts, i added the photo below - <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot</A><BR /> <IMG src="https://community.splunk.com/storage/temp/161172-pivot.jpg" alt="alt text" /></P> <P>best regards,<BR /> Sekar</P> Tue, 29 Sep 2020 11:09:00 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212286#M62129 inventsekar 2020-09-29T11:09:00Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212287#M62130 <P>Thank you very much for your answer!</P> <P>I'm still a little confused as to what pivot does in this query. I have read the documentation on it but am still unsure. </P> <P>Also, to recap what you said to see if I understand: the query is using the datamodel named "Identity_Management" and counts the instances of the field "All_Assets" and names this count as "count". (I'm unsure of what SPLITROW does.) Then sorts descending by field count.</P> <P>Is that correct? Also, could you explain what the SPLITROW part does in more detail, I'm still unsure of what it does.</P> <P>Thank you!</P> Tue, 29 Sep 2020 11:09:38 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212287#M62130 Justin1224 2020-09-29T11:09:38Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212288#M62131 <P>Hi Justin, i edited the answer and updated little more.. added a photo, for easy understanding.. <BR /> for splitrows, can you check this once please.. <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot">https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot</A></P> Mon, 26 Sep 2016 16:10:09 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212288#M62131 inventsekar 2016-09-26T16:10:09Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212289#M62132 <P>So to clarify, pivot doesn't change any of the data shown, it's just a different method to search with? </P> <P>Thanks again!</P> Mon, 26 Sep 2016 16:57:54 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212289#M62132 Justin1224 2016-09-26T16:57:54Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212290#M62133 <P>yes, exactly. Pivot does not change anything. like pie-chart, single value dashboard, pivot just creates a dashboard. thats it. </P> Mon, 26 Sep 2016 17:11:52 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212290#M62133 inventsekar 2016-09-26T17:11:52Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212291#M62134 <P>Ok awesome thank you so much for your help. </P> Mon, 26 Sep 2016 20:35:51 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212291#M62134 Justin1224 2016-09-26T20:35:51Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212292#M62135 <P>Sorry, one last question. In your original answer you said, "it uses the data model.<BR /> and, it counts all assets as count." What datamodel is it using? What I mean is, what part of the search query specifies the datamodel? Is it Identity_Management or All_Assets? Or both? Thanks again</P> Tue, 29 Sep 2020 11:09:54 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212292#M62135 Justin1224 2020-09-29T11:09:54Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212293#M62136 <P>Lastly, is count(All_Assets) just getting a count of the instances of the field "All_Assets" within the data? Or is All_Assets a string? </P> Tue, 29 Sep 2020 11:09:57 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212293#M62136 Justin1224 2020-09-29T11:09:57Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212294#M62137 <P>Sorry one final question. Why is the as capitalized (AS)? I thought that when "as" is in a search it renames a field as something else. But what does it does when it is capitalized?</P> <P>Thank you again and sorry for all the questions</P> Mon, 26 Sep 2016 22:21:10 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212294#M62137 Justin1224 2016-09-26T22:21:10Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212295#M62138 <P>Hi, AS is capitalized be cause of splunk 's search syntax.</P> <P>For example, on search bar, if I search for "John or Tom" (without double quotes), splunk will search as it is..or, splunk will search "John or Tom".<BR /> If I search for "John OR Tom", this will be a OR search.</P> Tue, 27 Sep 2016 04:41:09 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212295#M62138 inventsekar 2016-09-27T04:41:09Z https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212296#M62139 <P>So it's the same? For example, I've seen search queries that have had in them: "dc(foo) as blah". And that query got a distinct count of the instances of the field foo and renamed it as blah. So you're saying that if the search was instead: "dc(foo) AS blah" it would do the exact same thing?</P> Tue, 27 Sep 2016 13:50:18 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-regarding-pivot-command/m-p/212296#M62139 Justin1224 2016-09-27T13:50:18Z