Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk 6 data model restrictions based on attribute type

brettcave
Builder
‎10-30-2013 04:43 AM

I've started playing around with Splunk 6, looking at data models and pivot tables. In my data model, I have a child object that contains numeric attributes, with a root object representing a user. The child object represents repetitive events, e.g. "Profile saved" events, that might contain values like "how many times a day do you brush your teeth" and "how much do you spend on toothpaste" (for illustrative purposes).

If I configure the object with these attributes as "Numeric", and want to use the last value (to get the most recent amount that a user spends on toothpaste), I am unable to do so, because the "Values" drop-down in the Column Values section doesn't include "last" value - last, first and list are available for strings, while numeric only offers mathematical functions (sum, etc).

Is there a way to reconfigure Splunk6 to allow "last" function on numeric values (assuming that in the background, the pivot is using a stats function for this).

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-30-2013 12:14 PM

Unfortunately the contents of the "Values" drop-down is not configurable at the moment, though it's likely we will be adding more options for each data type in future releases.

In the meantime, one workaround you can try is to create a new Eval attribute that you just set equal to the original numeric attribute, but make the new attribute a string. Then in pivot you should be able do numeric operations on one and string operations on the other.

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-31-2013 07:06 AM

In what way can't you represent it numerically? Do you mean you'd like to make it the y-axis of a chart?

0 Karma
Reply

brettcave
Builder
‎10-31-2013 12:47 AM

Thanks Simon. I did try the workaround. The only problem is when you try report (graphically) on a string - you can't represent the value (numerically).

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...