Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I influence the dynamic options for filtering in pivot?

jeffland
SplunkTrust
SplunkTrust
‎07-28-2015 03:26 AM

I still haven't taken to data models and pivot entirely, and now I have found another thing that annoyed me.

Going with the data model supplied with splunk, "Splunk's Internal Audit Logs - SAMPLE", I open the root element in pivot and change the timeframe to "Last 15 Minutes" which yields about 500 results. I want to add a filter. For example, I want to limit the results to only denied events, so I click the plus next to the time range and select "action". To see which options I have, I click the drop-down arrow in the following box - and then I wait. It takes ages for Splunk to give me these options.

I don't know where these come from, but I would imagine there is a search somewhere, much like the searches that power the dynamic options of a drop-down on a dashboard. However, I can't find this search under "Activity - Jobs", and I can't seem to figure out where it is defined. It feels like this search runs over all time and not the timeframe specified for my pivot, but without the job inspector, I don't see how I could verify this, much less change it.

So please, either prove that I was blind and show me the documentation covering this aspect of pivot and data models, or reassure me that something is not as it should be. Thanks!

0 Karma
Reply

krishnarajapant
Path Finder
‎07-28-2015 06:10 AM

Hi,

You can update these datamodels by going to settings-Knowledge-Datamodels.

There you can see the datamodel definitions and appropriate searches. There you can edit the search(constraint) and add/remove fields as per your requirement.

-Krishna Rajapantula

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎07-29-2015 01:25 AM

That's not what I want - I want to do it on the fly, while working with pivot.

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top