Examples of useful reports
This documentation does not apply to the most recent version of Splunk.
This section shows you some reports you can execute using data from the sampledata and _internal default indexes. Paste any of these reports into the search bar in Splunk Web to see them in action (unless otherwise noted). Some of the examples require you to substitute your own data to see meaningful results. Some examples, where noted, require you to install certain applications.
Note: Extract fields from search results to create reports using interactive field extraction in Splunk Web, or with the rex command in a search.
Internal Splunk log data
Create reports on Splunk internal data. Report on things like indexing performance and the CPU utilization of Splunk processes.
Indexing performance
See the indexing throughput in kbps:
index=_internal "group=thruput" | timechart avg(instantaneous_kbps)
Plot the average eps (events per second) and kbps by time:
index=_internal "group=thruput" | timechart avg(instantaneous_eps) avg(instantaneous_kbps)
CPU utilization of Splunk processes
See the CPU utilization of Splunk processes in a bar chart sorted in descending order:
index=_internal "group=pipeline" | stats sum(cpu_seconds) by processor | sort sum(cpu_seconds) desc
System monitoring data
Create reports on data from your system monitoring utilities with the Splunk for UNIX application. You must install Splunk for UNIX to run these reports. These samples illustrate what some of the system monitoring reports look like.
Download and install Splunk for UNIX from SplunkBase. Splunk for UNIX configures Splunk to index UNIX system monitoring utility data.
See the % CPU usage over time:
index=monitoring source=ps | multikv | timechart avg(CPU) by COMMAND
See the % CPU for processes that contain the word "splunkd":
index=monitoring source=ps | multikv filter splunkd | timechart avg(CPU) by COMMAND
See the % CPU used per user:
index=monitoring source=ps | multikv | timechart avg(CPU) by USER
Web access data
Create reports on your web access and traffic data with these examples, or use the Splunk for Web Access application. Download and install Splunk for Web Access from SplunkBase. The Splunk for Web Access application has a large number of saved reports that you can run on your Web access data.
The following examples illustrate some of the kinds of reports you can run on Web access data with Splunk.
See the top Web clients used:
index=sampledata sourcetype=access* | top limit=100 clientip
See a chart of data transferred (in bytes) by time:
index=sampledata sourcetype=access* | timechart sum(bytes)
Note: The following examples assume you have extracted fields for the client IP address and the HTTP Referer header in your search results, using the field names shown in the searches (clientip and referrer).
See the number of unique visitors by hour of the day:
index=sampledata sourcetype=access* | stats dc(clientip) by date.hour
See the top traffic peak hours of a day:
index=sampledata sourcetype=access* | top date.hour
See the number of unique visitors by day of week:
index=sampledata sourcetype=access* | chart dc(clientip) by date.wday
See the top traffic peak days of a week:
index=sampledata sourcetype=access* | top date.wday
See the top visits by referrer:
index=sampledata sourcetype=access* | top referrer
Web application data
Create reports from Web application data. See the top Web applications and their violations from a log:
(This example assumes you have the web_app and violation fields extracted.)
sourcetype="webbapp" | top web_app violation
See the top Web applications and the top 3 violations for each application (the trailing sort command optionally orders the results by application name):
sourcetype="webbapp" | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_app
See the top Web applications and the top 3 violations for each application, restricting the search to the top 10 Web applications (the subsearch pre-filters the results; replace <data source> with the search that selects your Web application data):
sourcetype="webbapp" [search <data source> | top 10 web_app | fields + web_app] | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_app
Firewall (or connection) activity
Create reports on the connection activity of your server or firewall. You can report on any type of activity: # of connections, # of accepts, # of denies, bytes transferred.
See the top port activity:
index=sampledata | top port
See the top activity of a source host ID:
index=sampledata | top SourceId
See the most active destination ports:
index=sampledata | top limit=100 dst_port
See the source ports with the most denials:
index=sampledata action=Deny | top src_port
Email activity or email transactions
Create reports of email activity by applying these examples to your own email data.
Note: These examples use the rex command to extract the fields on which to report. You can also extract fields by configuring field extraction at index time.
Note: The sampledata index does not contain email data, so these reports cannot be demonstrated against it. To try them, supply email data from your own sources and adapt the examples to match its format.
See the top senders:
sourcetype=*mail* | rex field=_raw "from: (?<from>.*)" | top from
See the number of unique recipients for each sender:
sourcetype=*mail* | rex field=_raw "from: (?<from>.*) to:(?<to>.*)" | stats dc(to) by from
See the top recipients of messages:
sourcetype=*mail* | rex field=_raw "to: (?<to>.*)" | top to
Transaction data
For example, let's say that you have a set of purchase transaction data that looks like this:
1216725748296,I,toystore,S,1
1216725748396,I,toystore,S,1
1216725748497,E,toystore,S,30
1216725748598,E,toystore,S,40
1216725748698,I,toystore,S,1
1216725754024,I,toystore,S,2
1216725754126,I,toywarehouse,S,2
Now, let's assume that you configure Splunk to extract the following fields from this comma-delimited data:
- The timestamp in milliseconds since Jan 1, 1970 epoch.
- A character code indicating logger priority (I = info, E = error).
- The supplier name.
- A character code indicating business stage (S = customer is searching).
- A numerical event code indicating the outcome of the process.
With these fields, you can generate the following reports:
See a table showing the count of each supplier by logger code (priority):
* | chart count by supplier, priority
See the same table with priority=I renamed to successCount and priority=E renamed to failCount, and the empty values filled with 0:
* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0
See the same table with the sum of successCount and failCount as totalCount (in a third column):
* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0 | eval totalCount = successCount + failCount
This documentation applies to the following versions of Splunk: 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14
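As an added example that is not part of the Splunk documentation, the following Python script applies the same field extraction to the sample transaction lines above and reproduces what the chart, rename, fillnull and eval steps compute, so the expected table can be checked before the search is run in Splunk. The column names (including supplier, taken from the search) are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the page's purchase-transaction format:
# timestamp,priority,supplier,stage,event_code
SAMPLE = """\
1216725748296,I,toystore,S,1
1216725748396,I,toystore,S,1
1216725748497,E,toystore,S,30
1216725748598,E,toystore,S,40
1216725748698,I,toystore,S,1
1216725754024,I,toystore,S,2
1216725754126,I,toywarehouse,S,2
"""

# Assumed field names for the five comma-delimited columns.
FIELDS = ["timestamp", "priority", "supplier", "stage", "event_code"]


def extract_events(text):
    """Field extraction: one dict per line, keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def chart_count(events):
    """'chart count by supplier, priority': one row per supplier, one column
    per priority code, with missing cells set to 0 (the fillnull step)."""
    counts = Counter((e["supplier"], e["priority"]) for e in events)
    priorities = sorted({p for _, p in counts})
    table = {}
    for (supplier, priority), n in counts.items():
        row = table.setdefault(supplier, {p: 0 for p in priorities})
        row[priority] = n
    return table


def success_fail_report(events):
    """rename I as successCount, E as failCount | eval totalCount."""
    report = {}
    for supplier, row in chart_count(events).items():
        success, fail = row.get("I", 0), row.get("E", 0)
        report[supplier] = {"successCount": success, "failCount": fail,
                            "totalCount": success + fail}
    return report


if __name__ == "__main__":
    for supplier, row in sorted(success_fail_report(extract_events(SAMPLE)).items()):
        print(supplier, row)
```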