Splunk® Enterprise

Reporting Manual

This documentation does not apply to the most recent version of Splunk.

Create and edit reports

When you create a search or a pivot that you would like to run again or share with others, you can save it as a report. This means that you can create reports from both the Search and the Pivot sides of Splunk Enterprise.

Once you create a report you can:

  • Run the report on an ad-hoc basis to review the results it returns on the report viewing page. You can get to the viewing page for a report by clicking the report's name on the Reports listing page.
  • Open the report and edit it so that it returns different data or displays its data in a different manner. Your report will open in either Pivot or Search, depending on how it was created.


In addition, if your permissions enable you to do so, you can:

Note: Permissions for reports built via Pivot must match those of the data model that was used to construct them. See "Save a search or pivot as a report," below, for more information.

Manually create a report

You can create reports via Splunk Web in four ways:

  • From Search, by saving a search as a report.
  • From Pivot, by saving a pivot as a report.
  • By navigating to Settings > Searches and reports and clicking New to add a new report.
  • From a dashboard, by converting an inline-search-powered dashboard panel to a report.

See the following subsections for more information about these report creation methods.

At minimum, a report definition includes the search string and the time range associated with the search (expressed in terms of relative time modifiers). You also have to give the report a name so you can identify it in the Reports listing page and the Searches and reports page in Settings.

Save a search or pivot as a report

When you design a search or pivot that returns useful results, you can save it as a report. After you run a search or create a pivot, just click Save As and select Report to open the Save As Report dialog. The report will retain any formatting that you set up for the original search, including chart visualizations and event list display options.

Note: You can only save a search as a report when it is running, paused, finalized, or completed.

Here you can provide a unique title for the report and an optional description. You can also determine whether the report will include a time range picker. Inclusion of a time range picker enables users who do not have write permissions for the report to rerun it over a different time range without actually editing the report.

If you do not provide a time range picker, the report will always run over the same time range, and the only way to change this will be for someone with edit permissions for the report to open the report in Search, change the time range, and save that edit.

Clicking Save opens the Your Report Has Been Created dialog. From here you can:

You can also just close the dialog box if you'd rather do none of these things and continue searching. Just click the "x" in the upper right-hand corner.

Note: Permissions for reports built via Pivot must match those of the data model that was used to construct them. For example, say your Splunk Enterprise instance has two apps: Search and Security. While in the context of the Security app, you use that app's External Threats data model to create a pivot-based report titled "Top Firewall Attacks by IP." The External Threats data model has permissions that are scoped to the Security app, nothing more.

When you first create the report, its permissions only allow you to see and update it. You want everyone who uses this Splunk Enterprise implementation to see the "Top Firewall Attacks by IP" report (regardless of app context), so you change its permissions to Global. Now, when you switch your app context to the Search app, you might expect to be able to access "Top Firewall Attacks by IP" from the Search app.

But you won't be able to view it. This is because the report can't be built without the External Threats data model, and that data model's permissions are still scoped to the Security app. You need to share External Threats globally in order to access and run the "Top Firewall Attacks by IP" report from the Search app.

Create a new report in Settings

When you want to create a report, in general the easiest thing to do is run the search or pivot and then save it as a report, as described above. This method enables you to test the search before you save it.

However, you can also manually create new reports in the Settings section of Splunk Web.

1. Navigate to Settings > Searches, reports, and alerts and click New to define and add a new report.

When you define a report in Settings, you'll set it up as a "saved search." This search appears as a report on the Reports listing page when you're done (or on the Alerts listing page, if you configure it as an alert).

2. Provide a Destination app for the search.

Splunk Enterprise defaults to your current app context.

3. Give the search a Search name that is unique for the app context.

4. In the Search field, provide the search string, and enter the search Start time and End time using relative time modifiers.

If you want the search to run over all time, leave Start time and End time blank.

5. (Optional) Determine whether the search should run as Owner or run as User.

This setting determines whether the search runs with the permissions of the search Owner (the person who defined the search) or the permissions of the search User (the person who is running the search). Reports run as Owner by default.
Some searches can access data that is restricted to certain users or roles. When these searches run as Owner, they run with the permissions of the person who created the search, so anyone who runs the search can see the data that it returns. But when these searches run as User, they run with the permissions of the user who is running them, meaning that they will not return results for users whose permissions restrict them from seeing that data.
This setting currently applies to a specific context: report-backed dashboard panels that run when the dashboard page is loaded in the browser (as opposed to dashboard panels that display the results returned by the last run of a scheduled report). Reports run in any other context always run as the report owner.

6. (Optional) Enter a search description that explains what the search does or how it should be used.

7. (Optional) If your permissions enable you to do so, set up report acceleration for the search by selecting Accelerate this search and choosing an appropriate Summary range.

Report acceleration can enable a search that is normally slow-completing to complete much faster on future runs.
For more information about report acceleration, see "Accelerate reports", in this manual.
Only specific types of searches qualify for report acceleration. For detailed examples of the kinds of searches that qualify for report acceleration, see "Manage report acceleration" in the Knowledge Manager Manual.

8. (Optional) If your permissions enable you to do so, select Schedule this search to define your search as a scheduled report or alert.

This selection reveals fields that allow you to set up the search as a scheduled report or alert. You can define alert triggering conditions and set up alerting actions.
For more information about defining scheduled reports (reports that run on a schedule and which send search results via email or launch a script each time they run), see "Schedule reports" in this manual.
For more information about defining alerts see "About alerts," in the Alerting Manual.

9. (Optional) Enable summary indexing for the search.

Only certain kinds of searches qualify for summary indexing. For more information see "Enable summary indexing for a search," in the Knowledge Manager Manual.

10. Click Save to save your report.

You can edit and update searches listed on the Searches, reports and alerts page if you have "write" permissions for them. For more information about permissions, see "Manage knowledge object permissions" in the Knowledge Manager Manual.

Configure a report in savedsearches.conf

When you save a report via Splunk Web or Settings, Splunk Enterprise automatically adds a configuration stanza for that report to savedsearches.conf. The UI validates your changes, and you don't have to reboot the system to apply reports created via UI methods. But if you prefer to work with reports directly through configuration files, you certainly can.

For more information about configuring reports and alerts in savedsearches.conf, see the spec file for savedsearches.conf and the "Configure alerts in savedsearches.conf" topic in the Alerting Manual.

Convert a dashboard panel to a report

You may want to convert dashboard panels that are "powered by" inline searches to reports, so that they can have some of the advantages that report-based panels have over inline-search-powered panels, such as faster loading times due to report acceleration.

When you save a new search or a pivot as a dashboard panel, Splunk Enterprise creates a dashboard panel that is "powered by" an inline search. This means that the search that drives the dashboard is "in" the dashboard; it is not connected to a report or other external object. The benefit of this is that you can edit the search that powers the dashboard or change its visualization type without leaving the dashboard.

On the other hand, when you open an existing report in Search or Pivot (see "Edit a report," below) and then save that search or pivot as a dashboard panel, you'll have a choice of basing the panel either on an inline search or on the report that you're editing. If you choose to base the panel on the report, the panel can take on the formatting of the report as well as its acceleration, scheduling, and permissions settings.

Note: Dashboard panels based on reports can have different formatting than the reports they're associated with. See "To have a dashboard panel take on the formatting of its affiliated report."

When you edit a dashboard panel that is powered by an inline search, you have the option of converting it to a report. Doing so creates a new report based on the dashboard. You can view and edit this report via the Reports listing page (or the Searches and Reports page in Settings). The dashboard panel will remain, but you will no longer be able to edit the search that powers it from within the dashboard. On the other hand, you'll now be able to define acceleration, scheduling, and permissions settings for the report that now powers the panel.

Note: If the dashboard panel derives from a pivot, you'll also lose the ability to change the panel visualization type via the dashboard when you convert it to a report.

To convert a dashboard panel to a report

1. Click Edit for the dashboard that contains the panel you want to convert.

Icons appear at the upper right corner of each panel in the dashboard.

2. Click the Panel Properties icon for a panel based on a search or pivot and select Convert to Report.

The Panel Properties icon is the leftmost of the three panel editing icons mentioned in the previous step. Its icon indicates the panel's document type--a magnifying glass for a panel based on a search, pivoting arrows for a pivot, or a sheet of paper for a search- or pivot-based report.
The Save panel as report dialog appears.

3. (Optional) Provide a different Title and Description for the report than the title and description associated with the panel.

4. Click Save. The Splunk platform adds the report to the Reports listing page.

To have a dashboard panel take on the formatting of its affiliated report

If you convert a dashboard panel to a report and then edit the report so it uses a different visualization or has different visualization formatting, your changes will not automatically be reflected in the affiliated panel. To sync up the dashboard panel with the updated report, follow these steps:

1. Click Edit for the dashboard that contains the panel you'd like to update.

2. Click the Panel Properties icon for the panel you'd like to update. In the dropdown list that appears, select the panel/report name (the name only appears for panels that have already been converted to a report). Doing this reveals a report info screen, where you can edit various aspects of the report (permissions, acceleration, scheduling, and so on) if your permissions enable you to do so.

3. Click Use Report Formatting on Visualization and then confirm that you want the panel to use the report's formatting. This causes the panel to use the visualization type and formatting that you have defined for the report. For example, if the panel displays a pie chart, but the report associated with the panel was edited to display its data as a column chart, clicking Use Report Formatting on Visualization will cause the panel to display the data in the same manner as the report: a column chart.

Note: In a similar manner, you can cause the panel to use the data and formatting of an entirely different report. Follow the steps above but click Select New Report instead of Use Report Formatting on Visualization. This opens the Select a New Report dialog. Choose a different report, click Save, and the panel will update to display data visualized according to the selected report.

Keep in mind that your permissions determine what reports you can choose and edit.

Share your report with others

By default, any report you save is initially private and only available to you. If your permissions allow it, you can change the permissions that belong to the report when you first save it by clicking Permissions on the Your Report Has Been Created dialog. This takes you to the Edit Permissions dialog.

Here, depending on your permissions, you have the ability to determine whether a report can be viewed by the users of just one app, or all users in all apps. You furthermore can set read and write permissions by role.

For example, you could make a report "globally" available to everyone that uses your Splunk Enterprise implementation. Or you could narrow the saved search permissions so that only specific roles within the current app can use it. You can also arrange for particular roles or users to have "write" access to the report, enabling them to change its underlying search or pivot, or to update its result display formatting.

You can also define or update permissions for a report by:

  • Going to the Reports listing page, clicking Edit, and selecting Permissions.
  • Going to the report viewing page (click on the report name on the Reports listing page to do this), clicking Edit, and selecting Edit Permissions.
  • Navigating to Settings > Searches and reports and clicking Permissions for the report you'd like to edit.

For more information about managing report permissions see "Manage knowledge object permissions," in the Knowledge Manager Manual.

Note: If you are sharing a pivot-based report, the data model referenced by that report must be shared as well. You will receive an error message if you try to share a pivot-based report that references a private data model. For more information about sharing data models, see "Manage data models" in the Knowledge Manager Manual.
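
The run-as Owner setting and the sharing permissions described above interact: a report that runs as Owner and is readable by every role returns the owner's view of the data to all readers. The following audit is an added example, not Splunk's code or part of the original manual. It assumes the `dispatchAs` key in savedsearches.conf and `[savedsearches/<name>]` stanzas with `access`, `export` and `owner` in the app's metadata/local.meta (check the spec files for your version); the report names, roles and file contents are constructed.

```python
import configparser
import re
from urllib.parse import unquote

# Constructed sample files, not taken from the page or from a real deployment.
SAVEDSEARCHES_CONF = """
[Top Firewall Attacks by IP]
search = index=firewall action=blocked | top limit=20 src_ip
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[Failed Logins by User]
search = index=auth action=failure | stats count by user
dispatchAs = user

[Payroll Summary]
search = index=hr sourcetype=payroll | stats sum(amount) by dept
"""

LOCAL_META = """
[savedsearches/Top%20Firewall%20Attacks%20by%20IP]
access = read : [ * ], write : [ admin ]
export = system
owner = alice

[savedsearches/Failed%20Logins%20by%20User]
access = read : [ * ], write : [ admin, power ]
export = system
owner = alice

[savedsearches/Payroll%20Summary]
access = read : [ hr_analyst ], write : [ admin ]
owner = bob
"""

def _load(text):
    # Splunk .conf/.meta files are INI-like; keep key case and split on '=' only.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _roles(access, kind):
    # "read : [ a, b ], write : [ c ]" -> list of roles for the requested kind.
    m = re.search(kind + r"\s*:\s*\[([^\]]*)\]", access)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []

def audit(conf_text, meta_text):
    """Return one finding per report: who it runs as, its scope, who can read it."""
    conf, meta = _load(conf_text), _load(meta_text)
    acl = {unquote(s.split("/", 1)[1]): meta[s]
           for s in meta.sections() if s.startswith("savedsearches/")}
    findings = []
    for name in conf.sections():
        entry = acl.get(name, {})
        run_as = conf[name].get("dispatchAs", "owner")  # reports run as Owner by default
        readers = _roles(entry.get("access", ""), "read")
        scope = "global" if entry.get("export") == "system" else "app"  # no export line: app
        # Review when every role may read results computed with the owner's permissions.
        exposed = run_as == "owner" and "*" in readers
        findings.append({"report": name, "owner": entry.get("owner"), "run_as": run_as,
                         "scope": scope, "readers": readers, "review": exposed})
    return findings
```

Each finding with `review` set to true is a report whose owner's data access should be compared against the roles that can read it.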

Edit a report

You can easily edit an existing report. You can edit a report's definition (its search string, pivot setup, or result formatting). You can also edit its description, permissions, schedule, and acceleration settings.

To edit a report's definition

If you want to edit a report's definition, there are two ways to start, depending on whether you're on the Reports listing page or looking at the report itself.

  • If you're on the Reports listing page, locate the report you want to edit, go to the Actions column, and click Open in Search or Open in Pivot (you'll see one or the other depending on which tool you used to create the report).
  • If you've entered the report to review its results, click Edit and select Open in Search or Open in Pivot (you'll see one or the other depending on which tool you used to create the report).

Edit the definition of a report opened in Search

After you open a report in search, you can change the search string, time range, or report formatting. After you rerun the report, a Save button will be enabled towards the upper right of the report. Click this to save the report. You also have the option of saving your edited search as a new report.

Edit the definition of a report opened in Pivot

After you open a report in Pivot, change the definition of the pivot as you would like. You can add, remove, or redefine filters, split rows, split columns, or column values. You can also change the way the pivot results are formatted (change the visualization type, or fix the way a chart displays). When you are done, click Save at the upper right of the page to save your report. You also have the option of saving your edited pivot as a new report.

To edit a report's description, permissions, schedule, and acceleration settings

You can do this from the Reports listing page, or from the report viewing page. Click Edit and choose:

  • Edit Description to change the name and description of the report.
  • Edit Permissions to change the report permissions. See "Share your report with others" for more information about report permissions.
  • Edit Schedule to schedule the report or change the report schedule if it already has one. For more information, see "Schedule reports," in this manual.
  • Edit Acceleration to change the way the report is accelerated. Note: This option is only available for certain kinds of reports created in Search. For more information, see "Accelerate reports," in this manual.

Note: You can't perform these actions if you've opened the report in Search or Pivot. Save the report or return to the Reports listing page if you want to edit these aspects of the report.

Clone a report

Report cloning is a way to quickly create a report that is based on an existing report. You can then give the clone a unique name and edit it so it returns different results.

Note: You can't perform this action if you've opened the report in Search or Pivot. Save the report or return to the Reports listing page if you want to clone it.

Caution: Do not give your cloned report the same name and search string as the original report. If you do this, you create a situation where the original report and the cloned report are linked together. This means that the original report must exist in order for its clone to exist. If you delete the original report, the linked clone report disappears with it.

If you keep your clone private, you might give it the same name as its source report to take advantage of this link. When a user updates the original report, the Splunk platform updates the linked private customized clone as well.

1. Open the Reports listing page.

2. Locate a report that you want to clone and click its Edit link.

3. From the list that appears, select Clone.

The Clone window appears.

4. For New Title, provide a unique name for the cloned report.

The Splunk platform gives the cloned report the name of the original report plus the word "Clone." We recommend that you give the cloned report a unique name, especially if you plan to share it with other users.

5. (Optional) Give the cloned report a Description and set its Permissions.

Leave the Permissions set to Private if you do not want to share the cloned report with anyone else. Select Clone if you want the cloned report to have the same permissions as the original report.

6. Click Clone report to clone the report. The cloned report now appears on the Reports listing page.

Delete a report

You can delete a report from the Reports listing page or the report viewing page. Just click Edit and select Delete. Most roles can only delete reports that they have created. For more information about granting roles the ability to delete reports that they do not own, see "Disable or delete knowledge objects," in the Knowledge Manager Manual.

Note: You can't perform this action if you've opened the report in Search or Pivot. Save the report or return to the Reports listing page if you want to delete it.

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
