hi twh1,
from http://docs.splunk.com/Documentation/Splunk/6.5.1/Pivot/IntroductiontoPivot: "The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations."
Instead (from http://docs.splunk.com/Documentation/Splunk/6.5.1/Report/Aboutreports): "Reports are created when you save a search or a pivot for later reuse"
In other words: a pivot is a different way to build an output (a dashboard or a report) than SPL, instead a report is an output created using SPL (creating a search) or a pivot.
I usually don't use pivots!
Pivots could be useful only to share a data set with some users that want to build own reports or dashboards without knowing SPL.
Bye.
Giuseppe
It goes, I think, to which level of abstraction you need to work with your data. Let's say you have a complex data structure such as medical claims, which is my case ; -). then you need to define the data set and the data model. If that's the case, using pivots to create your reports makes perfect sense.
The following Introduction to Pivot says -
-- How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model datasets to further subdivide the original dataset and define the fields that you want Pivot to return results on. Data models and their datasets are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data.
hi twh1,
from http://docs.splunk.com/Documentation/Splunk/6.5.1/Pivot/IntroductiontoPivot: "The Pivot tool lets you report on a specific data set without the Splunk Search Processing Language (SPL™). First, identify a dataset that you want to report on, and then use a drag-and-drop interface to design and generate pivots that present different aspects of that data in the form of tables, charts, and other visualizations."
Instead (from http://docs.splunk.com/Documentation/Splunk/6.5.1/Report/Aboutreports): "Reports are created when you save a search or a pivot for later reuse"
In other words: a pivot is a different way to build an output (a dashboard or a report) than SPL, instead a report is an output created using SPL (creating a search) or a pivot.
I usually don't use pivots!
Pivots could be useful only to share a data set with some users that want to build own reports or dashboards without knowing SPL.
Bye.
Giuseppe