Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk 6 data model restrictions based on attribute type

brettcave
Builder
‎10-30-2013 04:43 AM

I've started playing around with Splunk 6, looking at data models and pivot tables. In my data model, I have a child object that contains numeric attributes, with a root object representing a user. The child object represents repetitive events, e.g. "Profile saved" events, that might contain values like "how many times a day do you brush your teeth" and "how much do you spend on toothpaste" (for illustrative purposes).

If I configure the object with these attributes as "Numeric", and want to use the last value (to get the most recent amount that a user spends on toothpaste), I am unable to do so, because the "Values" drop-down in the Column Values section doesn't include "last" value - last, first and list are available for strings, while numeric only offers mathematical functions (sum, etc).

Is there a way to reconfigure Splunk6 to allow "last" function on numeric values (assuming that in the background, the pivot is using a stats function for this).

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-30-2013 12:14 PM

Unfortunately the contents of the "Values" drop-down is not configurable at the moment, though it's likely we will be adding more options for each data type in future releases.

In the meantime, one workaround you can try is to create a new Eval attribute that you just set equal to the original numeric attribute, but make the new attribute a string. Then in pivot you should be able do numeric operations on one and string operations on the other.

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-31-2013 07:06 AM

In what way can't you represent it numerically? Do you mean you'd like to make it the y-axis of a chart?

0 Karma
Reply

brettcave
Builder
‎10-31-2013 12:47 AM

Thanks Simon. I did try the workaround. The only problem is when you try report (graphically) on a string - you can't represent the value (numerically).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...