Getting Data In

Can I influence the dynamic options for filtering in pivot?

jeffland
SplunkTrust

I still haven't taken to data models and pivot entirely, and now I have found another thing that annoyed me.

Going with the data model supplied with splunk, "Splunk's Internal Audit Logs - SAMPLE", I open the root element in pivot and change the timeframe to "Last 15 Minutes" which yields about 500 results. I want to add a filter. For example, I want to limit the results to only denied events, so I click the plus next to the time range and select "action". To see which options I have, I click the drop-down arrow in the following box - and then I wait. It takes ages for Splunk to give me these options.

I don't know where these come from, but I would imagine there is a search somewhere, much like the searches that power the dynamic options of a drop-down on a dashboard. However, I can't find this search under "Activity - Jobs", and I can't seem to figure out where it is defined. It feels like this search runs over all time and not the timeframe specified for my pivot, but without the job inspector, I don't see how I could verify this, much less change it.

So please, either prove that I was blind and show me the documentation covering this aspect of pivot and data models, or reassure me that something is not as it should be. Thanks!

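One way to check, outside of pivot, which values of "action" actually occur in the pivot's own time range is to run the equivalent search yourself; as an ordinary search it shows up under Activity > Jobs and can be opened in the Job Inspector. The search below is an added example and is not part of the original post. It assumes the sample data model's internal name is `internal_audit_logs` and that its root event object is called `Audit`; both are assumptions, so confirm them under Settings > Data Models before relying on the field name `Audit.action`.

```spl
| datamodel internal_audit_logs Audit search
| where _time >= relative_time(now(), "-15m")
| stats count by Audit.action
| sort - count
```

Running this with the time picker set to the same "Last 15 Minutes" window gives the list of action values (and their counts) that a time-bounded dropdown would have to offer; if the pivot dropdown returns values that do not appear here, that is a sign its option search is not restricted to the pivot's time range. For large data models with acceleration enabled, `| tstats count from datamodel=internal_audit_logs by Audit.action` is the faster way to get the same distinct values.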

krishnarajapant
Path Finder

Hi,

You can update these data models by going to Settings > Knowledge > Data models.

There you can see the data model definitions and appropriate searches. There you can edit the search (constraint) and add/remove fields as per your requirement.

-Krishna Rajapantula


jeffland
SplunkTrust

That's not what I want - I want to do it on the fly, while working with pivot.
