The Pivot Editor

Splunk will start the Pivot Editor in what is referred to as pivot table mode.

In pivot table mode, the editor displays only one row that represents the object's total result count over all time, based on the type of object you've selected:

• Event type: The total number of events (selected by the object)
• Transaction type: The total number of transactions (identified by the object)
• Search type: The total number of table rows (returned by the base search in the object)

Pivot tables are defined by you using Splunk pivot elements, which are of four basic pivot element categories: Filters, Split Rows, Split Columns, and Column Values.

Only two pivot elements will be defined when you start: a filter element (always set to All time) and a column values element (always set to Count_of, which is based on the object type of your selected object, as shown in the following screenshot:).

Using the editor, you can add, define, and remove multiple pivot elements from each pivot element category to define your pivot table:

• Filters: To reduce the result count for the object
• Split rows: To split out the pivot results by rows
• Split columns: To break up field values by columns
• Column values: To show aggregate results such as counts, sums, and averages