Splunk® Enterprise

Search Tutorial

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

About saving and sharing reports

In the last section you learned the basics of searching in Splunk Enterprise, how to use a subsearch, and how to add field from lookup tables. This section takes you through saving searches and more search examples.

Save as a report

1. Select the time range Yesterday and run the following search. (This is the same search you ran in the previous topic "Use field lookups").

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" by clientip | rename clientip AS "VIP Customer"

Note: If your search does not return results, increase the time range of the search. For example, you can run search over the time range Last week or All Time.

2. Click Save as above the search bar and select Report.

6.3 tutorial savereport.png

This opens the Save as Report dialog.

3. Enter a Title VIP Customer.

4. (Optional) Enter a Description Buttercup Games most frequent shopper.

6.3 tutorial savereport2.png

5. Select the Statistics table icon for Content.

You have three content options: Statistics table and chart, Chart, and Statistics table.

6. To include a Time Range Picker, click Yes.

7. Click Save.

The Your report has been created dialog box opens.

There are other options in this window.

  • Continue Editing lets you refine the search and report format.
  • Add to dashboard lets you add the report to a new or existing dashboard.
  • View lets you view the report.

8. Click View.

6.1 tutorial viewsavedreport.png

View and edit saved reports

You can view and edit the saved report from its report view.

1. In the report view for "VIP Customer", click Edit.

6.1 tutorial edit reportview.png

You can open the report in the search view and edit the saved search's description, permissions, schedule, and acceleration. You can also clone, embed, and delete the report from this menu.

2. Click More Info.

6.1 tutorial moreinfo reportview.png

You can view and edit different properties of the report, including its schedule, acceleration, permissions, and embedding.

3. Look at the time range picker, located to the top left.

You saved this report with a time range picker. The time range picker lets you change the time period to run this search. For example, you can use this time range picker to run this search for the VIP Customer Week to date, Last 60 minutes, Last 24 hours just by selecting the Preset time range or defining a custom time range.

6.1 tutorial timerange reportview.png

See "About the time range picker".

Find and share saved reports

You can access your saved reports using the app navigation bar.

1. Click Reports to open the Reports listing page.

6.1 tutorial reportslist.png

When you save a new report, its Permissions are set to Private. This means that only you can view and edit the report. You can allow other apps to view, or edit, or view and edit the reports by changing its Permissions.

1. Under Actions for the VIP Customer report, click Edit and select Edit Permissions.

6.1 tutorial editpermissions reportview.png

This opens the Edit Permissions dialog box.

2. In the Edit Permissions dialog box, set Display For to App and check the box under Read for Everyone.

6.3 tutorial editpermissions report.png

This action gives everyone who has access to this app the permission to view it.

3. Click Save.

Back at the Reports listing page, you see that the Sharing for VIP Customer now reads App.

6.1 tutorial changedpermissions reportview.png

About report acceleration

If your search has a large number of events and is slow to finish, you might be able to accelerate the resulting report so it finishes faster when you run it again. This option is available when the report produced by your search qualifies for acceleration. The "VIP Customer" report does not qualify for acceleration, because it is based on a transforming search.

The sample data used in this tutorial is limited in volume and the searches throughout are run against data for one day (Yesterday). Checking this box will not affect the speed of this search and all upcoming searches you save in this Tutorial.

Read more about report acceleration and the kinds of searches that enable reports to qualify for report acceleration in the "Accelerate Reports" topic in the Reporting manual.

Next steps

Continue to run more search examples and save more reports.

Last modified on 01 February, 2016
Use field lookups
More searches and reports

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters