Solved: Clarification regarding pivot command

Justin1224 · ‎09-23-2016

Hey all,

I've just encountered the pivot command for the first time and after reading through the Splunk page on it, I am still confused as to what it does. If it helps, here is my search query:

| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count

Any help would be appreciated!

inventsekar · ‎09-23-2016

| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count

as per my understandings,
pivot Identity_Management All_Assets ---- it uses the data model.
and, it counts all assets as count, split rows category wise and sorting by count.

let us know if you have any other questions.
update - to add the photo, i edited this answer and attached it.
Fundamentally this pivot command is a wrapper around stats and xyseries. It does not add new behavior, but it may be easier to use if you are already familiar with how Pivot works.
so, assume pivot as a simple command like stats. you can see these two example pivot charts, i added the photo below -
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot

best regards,
Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

inventsekar · ‎09-23-2016

| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count

as per my understandings,
pivot Identity_Management All_Assets ---- it uses the data model.
and, it counts all assets as count, split rows category wise and sorting by count.

let us know if you have any other questions.
update - to add the photo, i edited this answer and attached it.
Fundamentally this pivot command is a wrapper around stats and xyseries. It does not add new behavior, but it may be easier to use if you are already familiar with how Pivot works.
so, assume pivot as a simple command like stats. you can see these two example pivot charts, i added the photo below -
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot

best regards,
Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Justin1224 · ‎09-26-2016

Thank you very much for your answer!

I'm still a little confused as to what pivot does in this query. I have read the documentation on it but am still unsure.

Also, to recap what you said to see if I understand: the query is using the datamodel named "Identity_Management" and counts the instances of the field "All_Assets" and names this count as "count". (I'm unsure of what SPLITROW does.) Then sorts descending by field count.

Is that correct? Also, could you explain what the SPLITROW part does in more detail, I'm still unsure of what it does.

Thank you!

inventsekar · ‎09-26-2016

Hi Justin, i edited the answer and updated little more.. added a photo, for easy understanding..
for splitrows, can you check this once please..
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Justin1224 · ‎09-26-2016

So to clarify, pivot doesn't change any of the data shown, it's just a different method to search with?

Thanks again!

inventsekar · ‎09-26-2016

yes, exactly. Pivot does not change anything. like pie-chart, single value dashboard, pivot just creates a dashboard. thats it.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Justin1224 · ‎09-26-2016

Ok awesome thank you so much for your help.

Justin1224 · ‎09-26-2016

Sorry, one last question. In your original answer you said, "it uses the data model.
and, it counts all assets as count." What datamodel is it using? What I mean is, what part of the search query specifies the datamodel? Is it Identity_Management or All_Assets? Or both? Thanks again

Justin1224 · ‎09-26-2016

Lastly, is count(All_Assets) just getting a count of the instances of the field "All_Assets" within the data? Or is All_Assets a string?

Justin1224 · ‎09-26-2016

Sorry one final question. Why is the as capitalized (AS)? I thought that when "as" is in a search it renames a field as something else. But what does it does when it is capitalized?

Thank you again and sorry for all the questions

inventsekar · ‎09-26-2016

Hi, AS is capitalized be cause of splunk 's search syntax.

For example, on search bar, if I search for "John or Tom" (without double quotes), splunk will search as it is..or, splunk will search "John or Tom".
If I search for "John OR Tom", this will be a OR search.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Justin1224 · ‎09-27-2016

So it's the same? For example, I've seen search queries that have had in them: "dc(foo) as blah". And that query got a distinct count of the instances of the field foo and renamed it as blah. So you're saying that if the search was instead: "dc(foo) AS blah" it would do the exact same thing?

Clarification regarding pivot command

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...