Splunk® Enterprise

Search Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

About reporting commands

You can add reporting commands directly to a search string to produce reports and summarize search results.

A reporting command primer

This subsection covers the major categories of reporting commands and provides examples of how they can be used in a search.

The primary reporting commands are:

  • chart: used to create charts that can display any series of data that you want to plot. You can decide what field is tracked on the x-axis of the chart.
  • timechart: used to create "trend over time" reports, which means that _time is always the x-axis.
  • top: generates charts that display the most common values of a field.
  • rare: creates charts that display the least common values of a field.
  • stats, eventstats, and streamstats: generate reports that display summary statistics.
  • associate, correlate, and diff: create reports that enable you to see associations, correlations, and differences between fields in your data.

Note: As you'll see in the following examples, you always place your reporting commands after your search commands, linking them with a pipe operator ("|").
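The following searches are an added illustration of each reporting-command category above, written for this page rather than taken from the Splunk documentation. They assume an index named "security" with an authentication sourcetype "auth" whose events carry the fields user, src_ip and action (values "success" or "failure"); those names are assumptions. Lines beginning with "#" are annotations for the reader, not SPL syntax, and should be dropped before pasting a search into Splunk. Each search is a base search, a pipe, and then one reporting command, as the note above describes.

```spl
# Assumed data: index "security", sourcetype "auth", fields user, src_ip, action.

# stats: summary statistics; failed logons and distinct users tried, per source address
index=security sourcetype=auth action=failure
| stats count AS failures, dc(user) AS distinct_users BY src_ip
| sort - failures

# chart: you choose the x-axis field (here each user is a row, each action a column)
index=security sourcetype=auth
| chart count BY user action

# timechart: _time is always the x-axis; failures per 15-minute bin, one series per source
index=security sourcetype=auth action=failure
| timechart span=15m count BY src_ip

# top: the most common values of a field, with count and percent columns added
index=security sourcetype=auth action=failure
| top limit=10 src_ip

# rare: the least common values of a field (an account that rarely logs on successfully)
index=security sourcetype=auth action=success
| rare limit=10 user

# eventstats: keeps every event and adds the per-group statistic as a new field,
# so the original events can still be filtered and inspected
index=security sourcetype=auth action=failure
| eventstats count AS failures_from_src BY src_ip
| where failures_from_src > 20

# streamstats: a running statistic computed in event order, useful for spotting bursts
index=security sourcetype=auth action=failure
| streamstats count AS running_failures BY src_ip
```

The difference between the three stats variants is worth keeping straight: stats collapses events into one row per group, eventstats leaves the events in place and annotates each with its group's statistic, and streamstats annotates each event with the statistic accumulated over the events seen so far.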

chart, timechart, stats, eventstats, and streamstats are all designed to work in conjunction with statistical functions. The list of available statistical functions includes:

  • count, distinct count
  • mean, median, mode
  • min, max, range, percentiles
  • standard deviation, variance
  • sum
  • first occurrence, last occurrence

To find more information about statistical functions and how they're used, see "Functions for stats, chart, and timechart" in the Search Reference Manual. Some statistical functions only work with the timechart command.
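As an added example, not from the Splunk documentation, the searches below apply each statistical-function category listed above. They assume an index named "web" containing Splunk's standard access_combined sourcetype, with its usual fields clientip, status, bytes and uri_path; the index name is an assumption. Lines beginning with "#" are reader annotations, not SPL syntax.

```spl
# Assumed data: index "web", sourcetype "access_combined", fields clientip, status, bytes, uri_path.

# stats with one function from each category: count and distinct count; mean, median, mode;
# min, max, range and a percentile; standard deviation and variance; sum; first and last.
# first() is the first value in search order, which for a normal (newest-first) search is
# the most recent event, and last() is the oldest.
index=web sourcetype=access_combined
| stats count,
        dc(clientip)    AS distinct_clients,
        avg(bytes)      AS mean_bytes,
        median(bytes)   AS median_bytes,
        mode(status)    AS most_common_status,
        min(bytes), max(bytes), range(bytes),
        perc95(bytes)   AS p95_bytes,
        stdev(bytes), var(bytes),
        sum(bytes)      AS total_bytes,
        first(uri_path) AS newest_uri,
        last(uri_path)  AS oldest_uri
  BY clientip

# chart takes the same functions; here the x-axis is the HTTP status code
index=web sourcetype=access_combined
| chart avg(bytes) AS mean_bytes, perc95(bytes) AS p95_bytes BY status

# timechart puts _time on the x-axis; per_second() is one of the functions that
# only works with timechart, normalizing the per-bin sum to a rate whatever the span
index=web sourcetype=access_combined status>=500
| timechart span=5m count AS server_errors, per_second(bytes) AS bytes_per_sec
```

A client whose p95_bytes or distinct-URI count is far from the rest of the population is the kind of outlier these functions are meant to surface; the per-bin rate from timechart is what a dashboard panel or alert threshold would typically be built on.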

Note: All searches with reporting commands generate specific structures of data. The different chart types available in Splunk require these data structures to be set up in particular ways. For example, not all searches that enable the generation of bar, column, line, and area charts also enable the generation of pie charts. Read the "Data structure requirements for visualizations" topic in the Splunk Data Visualizations Manual to learn more.

Real-time reporting

You can use Splunk's real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline updates as the events stream in, and you can only view the table or chart in preview mode. Also, some search commands (for example, streamstats and rtorder) are more applicable to real-time use.
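An added example of the real-time use described above, not taken from the Splunk documentation. It assumes the same "security" index and "auth" sourcetype (fields user, src_ip, action) used earlier on this page, which are assumptions, and a real-time window expressed with the rt time modifiers in the search string. Lines beginning with "#" are reader annotations, not SPL syntax.

```spl
# Assumed data: index "security", sourcetype "auth", fields user, src_ip, action.
# earliest=rt-5m latest=rt makes this a real-time search over a sliding 5-minute window.

# streamstats keeps a running count per source as events arrive, so a burst of failed
# logons becomes visible while the window is still streaming rather than after it closes
index=security sourcetype=auth action=failure earliest=rt-5m latest=rt
| streamstats count AS running_failures BY src_ip
| where running_failures >= 10
| table _time, src_ip, user, running_failures

# rtorder buffers incoming events for a short span and releases them in time order, so
# events that arrive late from a slow forwarder do not reach streamstats out of sequence.
# The buffer_span and discard options are real; the values chosen here are illustrative.
index=security sourcetype=auth earliest=rt-5m latest=rt
| rtorder discard=f buffer_span=30s
| streamstats count AS events_so_far BY src_ip
```

Because a real-time search only renders in preview mode, a threshold like the where clause above is how the running statistic is turned into something actionable; the same search saved as a real-time alert fires on the first event that crosses it.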


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
