Can I influence the dynamic options for filtering in pivot?

jeffland
SplunkTrust

I still haven't taken to data models and pivot entirely, and now I have found another thing that annoyed me.

Going with the data model supplied with Splunk, "Splunk's Internal Audit Logs - SAMPLE", I open the root element in pivot and change the timeframe to "Last 15 Minutes", which yields about 500 results. I want to add a filter. For example, I want to limit the results to only denied events, so I click the plus next to the time range and select "action". To see which options I have, I click the drop-down arrow in the following box - and then I wait. It takes ages for Splunk to give me these options.

I don't know where these come from, but I would imagine there is a search somewhere, much like the searches that power the dynamic options of a drop-down on a dashboard. However, I can't find this search under "Activity - Jobs", and I can't seem to figure out where it is defined. It feels like this search runs over all time and not the timeframe specified for my pivot, but without the job inspector, I don't see how I could verify this, much less change it.

So please, either prove that I was blind and show me the documentation covering this aspect of pivot and data models, or reassure me that something is not as it should be. Thanks!

0 Karma

krishnarajapant
Path Finder

Hi,

You can update these datamodels by going to settings-Knowledge-Datamodels.

There you can see the datamodel definitions and appropriate searches. There you can edit the search (constraint) and add/remove fields as per your requirement.

-Krishna Rajapantula

0 Karma

jeffland
SplunkTrust

That's not what I want - I want to do it on the fly, while working with pivot.

0 Karma