Splunk Search

Clarification regarding pivot command

Justin1224
Communicator

Hey all,

I've just encountered the pivot command for the first time and after reading through the Splunk page on it, I am still confused as to what it does. If it helps, here is my search query:

| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count

Any help would be appreciated!


inventsekar
Ultra Champion

| pivot Identity_Management All_Assets count(All_Assets) AS "count" SPLITROW category AS "category" | sort - count

As per my understanding,
pivot Identity_Management All_Assets ---- it uses the data model.
and, it counts all assets as count, splits rows category-wise and sorts by count.

let us know if you have any other questions.
Update: to add the photo, I edited this answer and attached it.
Fundamentally this pivot command is a wrapper around stats and xyseries. It does not add new behavior, but it may be easier to use if you are already familiar with how Pivot works.
So, think of pivot as a simple command like stats. You can see these two example pivot charts; I added the photo below:
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot

best regards,
Sekar

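An added example, not from the thread or from Splunk, that emulates in Python what the answer describes: pivot's count with SPLITROW is the stats-count-by-field step, and SPLITCOL is the xyseries step that spreads a second field's values into columns. The Identity_Management / All_Assets names come from the thread; the sample rows and the fields asset and priority are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample rows, standing in for events in the assumed
# Identity_Management / All_Assets data-model object named in the thread.
ASSETS = [
    {"asset": "ws-01", "category": "workstation", "priority": "low"},
    {"asset": "ws-02", "category": "workstation", "priority": "medium"},
    {"asset": "srv-01", "category": "server", "priority": "high"},
    {"asset": "srv-02", "category": "server", "priority": "high"},
    {"asset": "srv-03", "category": "server", "priority": "medium"},
    {"asset": "fw-01", "category": "network", "priority": "high"},
]


def pivot_count(rows, splitrow, splitcol=None, cell_name="count"):
    """Emulate `| pivot ... count(...) AS count SPLITROW <f> [SPLITCOL <g>]`.

    Step 1 is the `stats count BY splitrow[, splitcol]` part; step 2 is the
    `xyseries` part that turns each SPLITCOL value into its own column.
    Returns a list of row dicts sorted by total count, descending, which is
    the `| sort - count` from the thread's query.
    """
    # Step 1: stats count by the split field(s).
    counts = Counter(
        (r[splitrow], r[splitcol] if splitcol else None) for r in rows
    )
    # Step 2: xyseries, i.e. one output row per SPLITROW value and one
    # column per SPLITCOL value (or a single count column without SPLITCOL).
    table = defaultdict(dict)
    for (row_val, col_val), n in counts.items():
        table[row_val][cell_name if col_val is None else col_val] = n
    result = []
    for row_val, cells in table.items():
        out = {splitrow: row_val, **cells}
        if splitcol:
            out[cell_name] = sum(cells.values())  # total across columns
        result.append(out)
    result.sort(key=lambda d: d[cell_name], reverse=True)
    return result


if __name__ == "__main__":
    for row in pivot_count(ASSETS, "category"):
        print(row)
    for row in pivot_count(ASSETS, "category", "priority"):
        print(row)
```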
Justin1224
Communicator

Thank you very much for your answer!

I'm still a little confused as to what pivot does in this query. I have read the documentation on it but am still unsure.

Also, to recap what you said to see if I understand: the query is using the datamodel named "Identity_Management" and counts the instances of the field "All_Assets" and names this count as "count". (I'm unsure of what SPLITROW does.) Then sorts descending by field count.

Is that correct? Also, could you explain what the SPLITROW part does in more detail, I'm still unsure of what it does.

Thank you!


inventsekar
Ultra Champion

Hi Justin, I edited the answer and updated it a little more, and added a photo for easy understanding.
For SPLITROW, can you check this once, please:
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Pivot

Justin1224
Communicator

So to clarify, pivot doesn't change any of the data shown, it's just a different method to search with?

Thanks again!


inventsekar
Ultra Champion

Yes, exactly. Pivot does not change anything. Like a pie chart or a single-value dashboard, pivot just creates a dashboard. That's it.

Justin1224
Communicator

Ok awesome thank you so much for your help.


Justin1224
Communicator

Sorry, one last question. In your original answer you said, "it uses the data model.
and, it counts all assets as count." What datamodel is it using? What I mean is, what part of the search query specifies the datamodel? Is it Identity_Management or All_Assets? Or both? Thanks again


Justin1224
Communicator

Lastly, is count(All_Assets) just getting a count of the instances of the field "All_Assets" within the data? Or is All_Assets a string?


Justin1224
Communicator

Sorry, one final question. Why is the "as" capitalized (AS)? I thought that when "as" is in a search it renames a field as something else. But what does it do when it is capitalized?

Thank you again and sorry for all the questions


inventsekar
Ultra Champion

Hi, AS is capitalized because of Splunk's search syntax.

For example, on the search bar, if I search for "John or Tom" (without the double quotes), Splunk will search for it as is, i.e. Splunk will search for "John or Tom".
If I search for "John OR Tom", this will be an OR search.


Justin1224
Communicator

So it's the same? For example, I've seen search queries that have had in them: "dc(foo) as blah". And that query got a distinct count of the instances of the field foo and renamed it as blah. So you're saying that if the search was instead: "dc(foo) AS blah" it would do the exact same thing?
