Define reports with the Report Builder
The Splunk Report Builder makes it easy to generate sophisticated reports using the results from any completed or finalized search. It offers a wide range of reporting options, both in terms of reporting parameters and chart types.
With the Report Builder, you don't need to have an advanced understanding of reporting commands like timechart in order to build robust, information-rich reports. However, you can still use these commands in your search if you're more comfortable with them.
For examples of how reporting commands are used, see "About reporting commands" in the Search Manual.
The Report Builder is broken up into two stages: Define report content and Format report. Use the Define report content page to set up your initial report parameters, such as the type of report and the fields that you're reporting on.
Once you've defined these initial details, you can go to the Format report page, where Splunk generates the chart and corresponding table. On this page you can fine-tune the chart formatting, review the related table, and save, print, and export the results.
Launching the Report Builder
You can launch the report builder at any time after you've run a search in the timeline view.
Note: You can start building your report before the search completes. Splunk dynamically updates generated charts as it gathers search results.
To launch the report builder, you can:
- Click the green Create button below the timeline and choose Report.
- Click a field in the search results sidebar to bring up the interactive menu for that field. Depending on the type of field you've clicked, you'll see links to charts in the interactive menu such as Average over time, Maximum value over time, and Minimum value over time (if you've selected a numerical field) or top values by time and top values overall (if you've selected a non-numerical field). Click on one of these links, and Splunk opens the Format report page of the Report Builder, where it generates the chart described by the link.
You don't need to have a strong understanding of reporting commands to use the Report Builder, but if you do have this knowledge the range of things you can do with the Report Builder is increased.
To return to your search results page from the Report Builder, click the Back button in your browser.
Note: Keep in mind that report jobs are only preserved in the system for a set period of time. If you do not save them, they eventually expire, and you cannot generate reports for expired report jobs. For more information about job management, see "Supervise your search jobs with the Job Manager" in this manual.
If you want to save a report job, click the green Save button at the top right of the Format report page of the Report Builder and choose Save results.
Define report content
The Define report content page gives you the freedom to define your report parameters in the manner that feels most comfortable to you. If you're familiar with reporting commands and want to define your report contents using sophisticated search language, you can do that.
But you should use the default form-based mode for report content definition if you:
- are not that familiar with reporting commands.
- want to set up a report quickly and efficiently using drop-down lists and don't necessarily know what fields you can report on.
Both modes of the Define report content page display a search bar with your search loaded into it, and a time range picker list that lets you change the report time range.
Note: If you use the time range picker to change the time range for your report, take care to choose a range of time that includes the fields on which you plan to report.
Set up report contents using the form-based mode
The default form-based design of the Define report content page helps you quickly set up your reporting parameters through a set of list fields. In this mode, you cannot manually update the language in the search bar, but as you use the form to set up your reporting parameters you'll see that the search bar automatically updates with equivalent reporting commands.
There are three basic report types to choose from:
- Values over time for reports that display trends in field values over a selected time range. These reports use the timechart reporting command. They can display as a bar, column, line, or area chart.
- Top values for reports that display the most common field values to turn up in a search. These reports use the top command, and can display as a bar, column, or pie chart.
- Rare values for reports that display the most uncommon field values to turn up in a search. These reports use the rare command, and can display as a bar, column, or pie chart.
Note: The grayed-out Distribution of values and Original values report types are coming in a future Splunk release. They'll handle reports that you can currently build with the Report Builder if you define your report directly using reporting commands, such as
If you choose Values over time you can define reports that involve multiple field series or split-by fields. These report types also let you define the time span for each bin.
After you define your Report type you can select the fields that you want to report on. If you've chosen a Values over time report type you'll also associate a statistical function (such as count, distinct count, average, mode, median, and so on) with your primary field. (For more information about statistical functions and how they're used, see "Statistical and charting functions" in the Search Reference.)
Once you have your initial report parameters set up, click Next Step: Format Report. Splunk takes you to the Format report page of the Report Builder, where it generates a version of the report using default formatting parameters.
Note: At any point during your use of the form interface you can switch over to the search language mode, to refine the reporting commands that have been appearing there. For example, say you set a Report Type of Top Values with a Fields value of Host. As you select these values, this search appears in the search bar:
... | top host limit=1000
Splunk's default limit for a top report built through the Report Builder is 1000, which means that Splunk captures the top thousand items found in the search in the resulting table and report. If you're dealing with a search that is bringing back a large number of results, you can change this default by going into search language mode (see below) and manually changing the limit to a value that better fits your needs (such as
Set up report contents using search language
If you're on the Define report content page of the Report Builder and you want to manually define the reporting language for your report, use the search language mode for that page. Click Define report using search language to enter this mode.
When you are in the search language mode, you can enter reporting commands directly into the search bar, with the freedom to make them as simple or sophisticated as your situation requires.
For examples of how reporting commands are used, see "About reporting commands" in the Search Manual.
Note: If you include reporting commands in your initial search, the Show report button that appears takes you straight to the Format report page of the Report Builder, bypassing the Define report content page entirely.
As in the form-based mode, after you have your initial report parameters set up, click Next Step: Format Report. Splunk takes you to the Format report page of the Report Builder, where it generates a version of the report using default formatting parameters.
The Format report page enables you to fine-tune the default formatting of your report. The report is broken up into two major sections:
- the Chart section, which displays your report results as a chart.
- the Table section, which displays your report results as a table.
When Splunk opens the Format report page, it generates a chart using default reporting parameters that are associated with the report type, as well as the statistical operators involved in the search. For example, if on the Define report content page you chose a Report type of Trend over time and use a count or distinct count statistical operator, Splunk renders it as a column chart by default (if you use a different statistical operator, such as average, Splunk renders a line chart instead).
Note: If you have a search that includes reporting commands and you want the chart that is generated from that search to include custom formatting (such as a pie chart in place of the default bar chart) be sure to save it as a report from the Report Builder once you have it formatted to your liking. Saved searches do not include chart formatting parameters--to get those you need a saved report. This is especially important if you are planning to base a dashboard panel on the saved report, and you expect that panel to display with your custom formatting parameters.
At the top of the Chart section you'll find the Formatting options subsection, which contains the formatting options for your chart.
In this section, you can redefine the chart type (change it from a column chart to a bar chart, for example) and select a variety of other formatting options. Under Format, toggle between General, Y-axis, and X-axis sets of formatting controls. After you make changes, click the Apply button to have Splunk regenerate your chart with your formatting changes applied to the design.
Note: When you try to fine-tune the formatting for a report after the report job that it's based upon expires, Splunk draws an empty chart. You will not have this problem if you are building a report based on a saved report job. For more information about saving search and report jobs see "Supervise your search jobs with the Job Manager" in the Knowledge Manager Manual.
Choose a chart type
Use the Chart Type drop-down list to change how Splunk visualizes your report data. The list includes the following chart types:
The Chart Type options that are actually available to you at any given time depend on the type of report that you've created. For example, if you've set up a Values over time report type on the Define report content page, then the only Chart Type values that are available to you are bar, column, line, and area.
For more details about the types of charts that you can create with the Splunk Report Builder, see the "Visualization reference" topic in this manual. It includes visual examples of each chart type and information about the kinds of situations that each chart type is best suited for. It also describes the commands and Report Builder steps that get you to each chart type.
For more information about why certain chart types work for some searches but not others (why you can't always use the same search to generate both a bar and a pie chart, for example), see the "Data structure requirements for visualizations" topic, in this manual.
Update general chart formatting options
The General chart formatting options available to you differ depending upon the type of chart you've selected. If you're working with a column, bar, line, or area chart, you can update the Stack mode. If you're working with a line or area chart, you can additionally adjust the way the chart displays Null values.
You can update the Chart title and Legend placement no matter what chart type you're working with.
Update X-axis and Y-axis formatting options
With the X-axis and Y-axis formatting options you can:
- Redefine the X- and Y-axis titles for the chart.
- Change the maximum and minimum values of the Y-axis for column, line, and area charts.
- Change the maximum and minimum values of the X-axis for bar charts.
- Turn display markers on and off for line and area charts.
- Switch the Y-axis scale from linear to log (as in "logarithmic") for column, line, area, scatter, and bubble charts (and do the same for the X-axis scale of bar charts).
You might decide you want to adjust the maximum and minimum values of the Y-axis (or X-axis, for bar charts) to focus on the differences between an otherwise fairly similar group of results.
For example, say you're looking at a column chart where all of the Y-axis values are between 114 and 145. You can set the minimum Y-axis value to 110, and the maximum Y-axis value to 150. This creates a chart that focuses the viewer's attention on the differences between each column while leaving out the nonessential similarities.
Similarly, putting the chart on a logarithmic scale can be handy for situations where values have wide variances. For example, you might have a column chart where most of the values come between 10 and 50, but a handful are as high as 1000. You can use the logarithmic scale to better see the differences between the lower values.
Understand basic table and chart drilldown actions
Save reports and share them with others
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18