
Table Datasets – Data Prep & Analysis without SPL

One of the highlights of Splunk Enterprise 6.5 is Table Datasets. It’s a significant breakthrough that improves productivity and unleashes the power of machine data analysis to a much broader set of users across your organization.

Go Get It! Splunk Enterprise customers need to upgrade to 6.5, then download the Splunk Datasets Add-on from Splunkbase to install the feature – and over 3000 customers have already! Splunk Cloud customers have it pre-installed as part of their standard upgrade.

With Table Datasets:

  • Power users can more easily prep data into a structured format that’s ready for downstream users to put to use for analysis
  • Occasional, non-proficient users can further refine the data, perform in-depth analysis and generate reports – all without using SPL – and without the need to return to the power users for assistance
  • Power user bandwidth and end-user proficiency are no longer bottlenecks to your organization getting the most from your data

Tables for non-proficient users:
While troubleshooting and investigation of raw machine data are focused on power users, we are excited to introduce a feature that is optimized for non-proficient Splunk users.

By non-proficient, we mean the occasional users who log in to Splunk to analyze data or get a question answered. They can’t be expected to master SPL. In their quest to get their job done anyway, they may well impose a significant workload on the Splunk admin or power users.

The first step towards this optimization is to allow users to easily transform the raw data into structured datasets so that they don’t have to deal with the complexity of machine data. Table Datasets provides an intuitive interface that is designed for this.


The next step is to allow users to interact with the data. Table Datasets provides users with various dropdown menus to edit, filter, clean and enrich the data without having to write SPL or learn the 100+ commands. For instance, users can Fill Null or Empty Values with the click of a button.


Finally, the Summarize Fields view provides a statistical view of the data for analysis, and a direct link to Pivot lets the user create visualizations and reports.


Tables for power users:
The value of Tables is certainly not limited only to non-proficient users.

  • Performance, performance, performance

We understand that performant queries and system operations are of utmost importance to the Splunk Admin, so we’ve made sure to take this into account while designing the feature. Table Datasets is built with functionality like:

  • Query Optimizer: ensures that the query running under the hood is automatically optimized.
  • Post Processing: makes sure that the search job is not rerun for every command or action performed in the table editor.


  • Various options to share a dataset:

Admins are provided with multiple options to share their dataset. They can allow users to either:

  • Extend the dataset: this establishes an inheritance relationship, so the admin can continue to work on the parent dataset and the changes are automatically applied.
  • Clone: they can simply create a copy of the dataset


  • Empower non-proficient users:

Admins can now allow non-proficient users to iterate on these prepared datasets. If they choose to extend a dataset, the entire SPL generated to create that dataset is abstracted away and all the user sees is a | from command, so the user is not overwhelmed by any of the SPL (Search Processing Language) technicalities.


  • Launch Tables in Search or Pivot:

Table Datasets offers tight integration with both the Search page and Pivot. Admins can now open both of these interfaces from either the datasets listing page or the table editor.

– Open in Search: Admins can open the prepared datasets in Search at any point (during creation or after saving the dataset) to invoke the troubleshooting and investigation workflow. When the search interface is invoked, the Search page is launched in context. This means the optimized SPL generated during creation of the dataset is automatically populated in the search bar.

– Open in Pivot: Admins can open the prepared datasets in Pivot and invoke the analysis workflow. Again, like Search, Pivot carries the context (fields selected) and allows admins to analyze the data and create a dashboard or a report.


Posted by Hema Mohan
