Splunk 6 data model restrictions based on attribut...

brettcave · ‎10-30-2013

I've started playing around with Splunk 6, looking at data models and pivot tables. In my data model, I have a child object that contains numeric attributes, with a root object representing a user. The child object represents repetitive events, e.g. "Profile saved" events, that might contain values like "how many times a day do you brush your teeth" and "how much do you spend on toothpaste" (for illustrative purposes).

If I configure the object with these attributes as "Numeric", and want to use the last value (to get the most recent amount that a user spends on toothpaste), I am unable to do so, because the "Values" drop-down in the Column Values section doesn't include "last" value - last, first and list are available for strings, while numeric only offers mathematical functions (sum, etc).

Is there a way to reconfigure Splunk6 to allow "last" function on numeric values (assuming that in the background, the pivot is using a stats function for this).

Simon_Fishel · ‎10-30-2013

Unfortunately the contents of the "Values" drop-down is not configurable at the moment, though it's likely we will be adding more options for each data type in future releases.

In the meantime, one workaround you can try is to create a new Eval attribute that you just set equal to the original numeric attribute, but make the new attribute a string. Then in pivot you should be able do numeric operations on one and string operations on the other.

Simon_Fishel · ‎10-31-2013

In what way can't you represent it numerically? Do you mean you'd like to make it the y-axis of a chart?

brettcave · ‎10-31-2013

Thanks Simon. I did try the workaround. The only problem is when you try report (graphically) on a string - you can't represent the value (numerically).

Splunk 6 data model restrictions based on attribute type

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes