Can I influence the dynamic options for filtering ...

jeffland · ‎07-28-2015

I still haven't taken to data models and pivot entirely, and now I have found another thing that annoyed me.

Going with the data model supplied with splunk, "Splunk's Internal Audit Logs - SAMPLE", I open the root element in pivot and change the timeframe to "Last 15 Minutes" which yields about 500 results. I want to add a filter. For example, I want to limit the results to only denied events, so I click the plus next to the time range and select "action". To see which options I have, I click the drop-down arrow in the following box - and then I wait. It takes ages for Splunk to give me these options.

I don't know where these come from, but I would imagine there is a search somewhere, much like the searches that power the dynamic options of a drop-down on a dashboard. However, I can't find this search under "Activity - Jobs", and I can't seem to figure out where it is defined. It feels like this search runs over all time and not the timeframe specified for my pivot, but without the job inspector, I don't see how I could verify this, much less change it.

So please, either prove that I was blind and show me the documentation covering this aspect of pivot and data models, or reassure me that something is not as it should be. Thanks!

krishnarajapant · ‎07-28-2015

Hi,

You can update these datamodels by going to settings-Knowledge-Datamodels.

There you can see the datamodel definitions and appropriate searches. There you can edit the search(constraint) and add/remove fields as per your requirement.

-Krishna Rajapantula

jeffland · ‎07-29-2015

That's not what I want - I want to do it on the fly, while working with pivot.

Can I influence the dynamic options for filtering in pivot?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!