Splunk® Enterprise

User Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Reporting examples

This topic builds on the searches that you ran and saved in the previous search examples to walk you through creating charts and building reports.

Splunk can dynamically update generated charts as it gathers search results. When you initiate a search, you can start building your report before the search completes. You can use the fields menu to quickly build simple pre-defined reports or use the Report Builder, which lets you define, generate, and fine-tune the format of your report, from the type of chart you want to create to the contents you want to display on this chart.

To learn more about using the report builder to define basic report parameters, format charts, and export or print finished reports, see "Define reports and generate charts" in this manual.

Back at the Flower & Gift shop, you're still building your reports. The previous searches you ran returned either a single value (for example, a count of failed errors) or a table of results (a table of products that were purchased). Now, you want to also add some visualizations to your reports of yesterday's activities:

  • The count of purchases and views for each product category
  • The count of products purchased over time
  • A trend of the count of products purchased over time

Chart of purchases and views for each product

In this example, chart the number of views and number of purchases for each type of product. Recall that you saved a similar search in a previous topic.

Let's modify it a little.

1. Run this search over the time range, Yesterday:

sourcetype=access_* method=GET | chart count AS views, count(eval(action="purchase")) AS purchases by category_id | rename views AS "Views", purchases AS "Purchases", category_id AS "Category"

Here, you use the chart command instead of the stats command. The chart command enables you to create charts and specify the x-axis with the by clause.


2. Click on Create, and select Report... from the list.

Because you use the chart command and have already defined your report, this opens the Format report page of the Report Builder.


If you see something different in this window, for example a different chart type, it's probably because you're not looking at the default settings. You don't need to worry about this though.

If your search string includes reporting commands, you access the Report Builder by clicking Show report. Splunk will jump you directly to the formatting stage of the report-building process, since your reporting commands have already defined the report.

You don't need to have a strong understanding of reporting commands to use the Report Builder, but if you do have this knowledge the range of things you can do with the Report builder is increased.

3. Under Formatting options:

  • Leave the chart type set to column.
  • Name the chart, Purchases and Views by Product Type.


Because you're using the chart command, you have to define the axes of the chart.

4. Under General, leave the settings as they are.


5. Under Format, click X-axis:

Type in "Product type" for the X-axis title.


6. Under Format, click Y-axis:

Type in "Count of events" for the y-axis title.


7. Click Apply.


Now you should see your chart of purchases and views formatted as a column chart with the types of products on the X-axis.

8. Click Save and select Save report... from the list.


The Save report dialog window opens:


  • Name your report Purchases & Views (Yesterday).
  • Click Finish >>.

Top purchases by product name

This report requires the product_name field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

For this report, chart the number of purchases that were completed for each item yesterday.

1. Search for:

sourcetype=access_* | timechart count(eval(action="purchase")) by product_name usenull="f"

Once again, use the count() function. But also, use the usenull argument to make sure the chart only counts events that have a value for product_name.


2. Click Create and select Report....

Because you used the timechart command in your search string, this takes you directly to Step 2 of report builder, where you Format your report.

3. Under Formatting options:

  • Change the chart type to column.
  • Name the chart, Top purchases by Product.
  • Change the Stack mode to Stacked.


Because you used the timechart command, the axes are already named: the x-axis is time and the y-axis is count of events.

4. Click Apply.


Each of the columns represents the different products bought in that half-hour period.

5. Click Save and select Save report...

  • Name your report Products Purchased (Yesterday).
  • Click Finish >>.

There are alternate ways to access the Report builder:
  • Click Build report in the Actions dropdown menu after you initiate a new search or run a saved search.
  • Click a field in the search results sidebar to bring up the interactive menu for that field. Depending on the type of field you've clicked, you'll see links to reports in the interactive menu such as average over time, maximum value over time, and minimum value over time (if you've selected a numerical field) or top values over time and top values overall (if you've selected a non-numerical field). Click on one of these links, and Splunk opens the Format report page of the Report Builder, where it generates the chart described by the link.

Top purchases trend

For stats and chart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row. For more information, read "Add sparklines to your search results" in the User Manual.

This example uses sparklines to trend the count of purchases made yesterday.

This example requires the product_name field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

Run this search over the time range "Yesterday":

sourcetype=access_* | chart sparkline(count(eval(action="purchase"))) AS "Purchases Trend (Yesterday)" by product_name

This search is similar to the last two searches you just ran to build reports. It uses the chart command to count the number of purchases, count(eval(action="purchase")), made for each product, product_name. The difference here is that the count of purchases is now an argument of the sparkline() function. (Also, the results are renamed to "Purchases Trend (Yesterday)" to indicate that you are trending the count of purchases made throughout the day, yesterday.)


Let's add this to a report to display, not only the total purchases made yesterday, but a trend of the purchases throughout the day:

sourcetype=access_* | chart sparkline(count(eval(action="purchase"))) AS "Purchases Trend (Yesterday)" count(eval(action="purchase")) AS Total by product_name | rename product_name AS "Product Name"


Save this search as, Top Purchases Trend (Yesterday).
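To make concrete what the three searches in this topic compute (the chart of views and purchases by category_id, the timechart by product_name with usenull="f", and the sparkline per product), here is an added Python model that is not Splunk code and not part of this manual. The event tuples and PRODUCT_LOOKUP are constructed assumptions standing in for the tutorial's access_* data and its product_name lookup, and buckets are the half-hour spans that contain data.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample events standing in for the tutorial's sourcetype=access_* data, as
# (time, method, category_id, action, product_id); PRODUCT_LOOKUP plays the product_name lookup.
EVENTS = [
    ("2012-07-30 09:05", "GET", "FLOWERS", "view", "FL-01"),
    ("2012-07-30 09:12", "GET", "FLOWERS", "purchase", "FL-01"),
    ("2012-07-30 09:40", "GET", "GIFTS", "view", "GI-07"),
    ("2012-07-30 10:03", "GET", "GIFTS", "purchase", "GI-07"),
    ("2012-07-30 10:20", "POST", "GIFTS", "purchase", "GI-07"),  # dropped by method=GET in the first search
    ("2012-07-30 10:31", "GET", "FLOWERS", "purchase", None),    # no product_name: usenull="f" drops it
    ("2012-07-30 11:15", "GET", "FLOWERS", "purchase", "FL-01"),
]
PRODUCT_LOOKUP = {"FL-01": "Roses", "GI-07": "Teddy Bear"}  # constructed lookup table

def enrich(ev):
    """Apply the lookup; an event whose product_id is missing gets product_name=None."""
    t, method, cat, action, pid = ev
    return {"time": datetime.strptime(t, "%Y-%m-%d %H:%M"), "method": method,
            "category_id": cat, "action": action, "product_name": PRODUCT_LOOKUP.get(pid)}

def half_hour(dt):  # bucket label matching the tutorial's half-hour columns
    return dt.replace(minute=0 if dt.minute < 30 else 30).strftime("%H:%M")

def chart_views_purchases(events):
    """method=GET | chart count AS views, count(eval(action="purchase")) AS purchases by category_id"""
    out = defaultdict(lambda: {"Views": 0, "Purchases": 0})
    for ev in map(enrich, events):
        if ev["method"] != "GET":
            continue
        out[ev["category_id"]]["Views"] += 1          # count: every event in the group
        if ev["action"] == "purchase":
            out[ev["category_id"]]["Purchases"] += 1  # count(eval(...)): only when the eval is true
    return dict(out)

def timechart_purchases(events, usenull=False):
    """timechart count(eval(action="purchase")) by product_name usenull="f" (30-minute spans)"""
    out = defaultdict(Counter)
    for ev in map(enrich, events):
        if ev["action"] != "purchase" or (ev["product_name"] is None and not usenull):
            continue  # usenull="f": an event with no product_name is left out of the chart entirely
        out[half_hour(ev["time"])][ev["product_name"] or "NULL"] += 1
    return {b: dict(c) for b, c in sorted(out.items())}

def sparkline_purchases(events):
    """chart sparkline(count(eval(action="purchase"))) ..., count(eval(...)) AS Total by product_name"""
    tc = timechart_purchases(events)  # same per-bucket counts, transposed into one row per product
    buckets, names = sorted(tc), sorted({n for c in tc.values() for n in c})
    return {n: {"Purchases Trend (Yesterday)": [tc[b].get(n, 0) for b in buckets],
                "Total": sum(tc[b].get(n, 0) for b in buckets)} for n in names}
```

Calling timechart_purchases(EVENTS, usenull=True) adds a "NULL" series for the 10:30 bucket, which is the column the tutorial's usenull="f" keeps out of the report.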

Access saved reports

After you save a report, go << back to Search. Splunk lists all your saved reports in the Searches & Reports menu on the search dashboard:


Save and share reports

When you're happy with the report you've created, you have a number of options for saving it and sharing it with others. Read more about saving your reports in "Save reports and share them with others".

You can also design specialized views and dashboards that include reports that you've defined. Dashboards can be made up of multiple panels that each display charts, lists, and other data that are generated by hidden, predefined searches. When you're ready, proceed to the next topic which walks you through creating and sharing a dashboard.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


I probably found a bug. Saving the reports as described, after accepting the "successfully saved":
- a mixture of Search and Chart window is shown
- I get the error message that e.g. "The saved search "Products%20Purchased%20(Yesterday)" could not be found."
I did save the reports as reports in an orderly manner.
No clue why this refers back to a saved search but could somehow be helpful.

July 31, 2012
