Reports
This documentation does not apply to the most recent version of Splunk.
Splunk allows you to summarize the results of any search as a report in a separate window.
You can access the reports window in three ways:
1. After running a search, click Report on results >> located below the search bar.
2. Select Report on this field >> from any interactive field filter menu.
3. Pipe your search results into a report command, such as stats, top, and rare.
We'll cover pipes and other commands in More searches.
Report on results
Let's build a report for all firewall deny events in sampledata:
1. Search for all firewall deny events in sampledata.
index=sampledata deny
2. After the results load, click Report on results >> above the timeline options. This takes you to a separate window where you can build your report.
Notice that:
- You can enter new search strings from the search bar at the top of the window.
- Splunk identifies fields from your search results and lists the field names in the Fields panel.
3. Select dst from the Fields list.
Splunk updates your search string to:
index=sampledata deny | top limit=100 dst
The report displays:
- A chart graphing the results (the top 100 values of dst).
- A summary of the count and events matching your search.
Notice that the options in the Series panel define the data series for your chart. You can also choose a different chart to display your results.
Let's tune this search to report only the top 10 dst values of firewall deny events and display the series in a pie graph.
4. In the search bar, change the limit boundary to 10 and enter the search:
index=sampledata deny | top limit=10 dst
5. In the Series panel, select display as "pie graph".
6. When you mouse over each wedge of the pie graph, an information box appears. If you have more than 10 items, the largest 10 values are shown as wedges and the remaining values are grouped together as "OTHER". The full list is displayed in the table below.
The box lists the dst value and event count. If you click on the wedge, Splunk takes you back to the search results and updates your search string to include the specific field name and value you selected from the chart. Try it out!
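To make concrete what this report computes, the following added example (not part of the Splunk documentation or product code) reproduces the top-N summary of dst for deny events and the pie chart's "OTHER" grouping in Python. The log format, sample events and function names are constructed assumptions, and percentages are computed over events that carry the field.

```python
import re
from collections import Counter

# Constructed sample events (not real data): key=value firewall log lines.
SAMPLE_EVENTS = """\
Jan 12 10:00:01 fw1 action=deny src=10.0.0.5 dst=192.0.2.10 dport=22
Jan 12 10:00:02 fw1 action=deny src=10.0.0.6 dst=192.0.2.10 dport=23
Jan 12 10:00:03 fw1 action=permit src=10.0.0.7 dst=192.0.2.20 dport=443
Jan 12 10:00:04 fw1 action=deny src=10.0.0.5 dst=192.0.2.30 dport=445
Jan 12 10:00:05 fw1 action=deny src=10.0.0.8 dst=192.0.2.10 dport=22
Jan 12 10:00:06 fw1 action=deny src=10.0.0.9 dst=192.0.2.40 dport=3389
Jan 12 10:00:07 fw1 action=deny src=10.0.0.5 dst=192.0.2.30 dport=445
Jan 12 10:00:08 fw1 malformed line with the word deny but no fields
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def extract_fields(line):
    """Pull key=value pairs out of one raw event."""
    return dict(KV.findall(line))


def top(events, field, keyword="deny", limit=10):
    """Rough equivalent of `<keyword> | top limit=<limit> <field>`.

    Returns (rows, other_count). rows holds (value, count, percent) tuples
    sorted by count, descending; other_count is the number of events a pie
    chart would lump into the OTHER wedge. Events that match the keyword
    but lack the field are skipped rather than counted.
    """
    term = re.compile(rf"\b{re.escape(keyword)}\b")
    counts = Counter()
    for line in events:
        if not term.search(line):
            continue
        value = extract_fields(line).get(field)
        if value is not None:
            counts[value] += 1
    total = sum(counts.values())
    ranked = counts.most_common()
    rows = [(v, c, round(100.0 * c / total, 2)) for v, c in ranked[:limit]]
    other = sum(c for _, c in ranked[limit:])
    return rows, other


if __name__ == "__main__":
    rows, other = top(SAMPLE_EVENTS, "dst", limit=2)
    for value, count, pct in rows:
        print(f"{value:<15} {count:>3} {pct:6.2f}%")
    print(f"{'OTHER':<15} {other:>3}")
```

With limit=2, the third destination falls into OTHER, which is the same grouping the pie chart applies beyond its 10 largest wedges.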
Report on fields
Return to the search window and search for all firewall deny events in sampledata.
index=sampledata deny
To report on fields:
1. Click on the Fields... menu.
2. From the list, check and apply src.
3. From the src filter menu, choose Report on this field >>.
Splunk takes you to the report window and updates your search string:
index=sampledata deny | top limit=100 src
Now, you can modify your report settings.
Build new reports
From the reports window, you can also enter a new search and build new reports.
1. Search for all "access_common" data in sampledata.
index=sampledata sourcetype=access_common
2. From the resulting list of Fields, select bytes.
3. Under Series, define your data series to "show the sum of bytes vs. time split by action".
You can define a custom time range for your chart. Here, it's zoomed in to a day of data.
Note: The chart updates as you define your series.
Pick different charts
Change chart styles by selecting a type from the display as drop-down menu above the current chart. Choose from the following chart types:
- column
- line
- area
- scatter
- stacked column
- stacked area
- pie
- donut
- bubble
- heatmap
See a sample of these charts in the report gallery on our website.
Add a report to your dashboard
You can save a report just as you would any other search. When you save the search, add it to your default dashboard by checking the box at the bottom of the save dialog.
You'll see the report on the dashboard after clicking the logo to return to the home page. Dashboard searches are refreshed every tenth of the time interval (for example, a 4 hour search every 24 minutes) or every hour, whichever is shorter.
You can read more about saving searches to the dashboard in Manage saved searches.
Note: You won't see your report on your dashboard if you haven't loaded any data to your main index yet. As soon as you have data in your main index, the "getting started" links are replaced with a default dashboard including modules that are predefined in the product, plus additional searches and reports you've added.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.



