Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Save and share your reports

In the last few Parts of this tutorial, you learned the basics of searching using the Splunk software, how to use a subsearch, and how to add fields from lookup tables. Part 6 shows you how to save and share your searches and explores more detailed search examples.

The remaining Parts in this tutorial depend on you completing the steps in the section Enabling field lookups.
If you do not configure the field lookups, the searches will not produce the correct results.

Save a search as a report

Reports are created whenever you save a search. After you create a report, you can do a lot with it.

  1. Set the time range to Last 7 days and run the following search.
    This is the same search that you ran in the section Search with field lookups.

    sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename clientip AS "VIP Customer"

    If your search does not return results, increase the time range of the search. For example, you can run this search over the time range Last 30 days or All Time.

  2. Above the Search bar, click Save as and select Report.

    This screen image shows the list of "Save as" options. The list includes Report, Dashboard panel, and Alert.  Report is highlighted.

  3. In the Save As Report dialog box for Title type VIP Customer.
  4. For Description, type Buttercup Games most frequent shopper.

    This screen image shows the Save As Report dialog box with the Title and Description fields filled in as described in the steps.

  5. For Time Range Picker, click Yes.
    When you include a Time range picker in a report, it gives you the option of running the report with a different time range.
  6. Click Save.
    A confirmation dialog box opens confirming that your report has been created. From this dialog box you can perform the following actions.
    • Continue Editing. To refine the search and report format.
    • Add to Dashboard. To add the report to a new or existing dashboard.
    • View. To view the report.

  7. Click View.
    The title and description that you specified appear at the top of the report. Time range picker is also included at the top of the report. If you specified some other time range for the search, that time range appears in the report.

    This screen image shows the VIP Customer report. The title, description, and time range picker appear in the upper left corner of the report.

View and edit reports

You can view and edit reports that you have saved. You edit a report directly from within the report.

  1. In the VIP Customer report, click Edit.
    The options are to open the report in the Search view, or to edit the report description, permissions, schedule, and acceleration. You can also clone, embed, and delete the report from this menu.

    This screen image shows the options under the Edit drop-down menu.

  2. Click More Info to view information about the report.
    From the More Info menu, you can view and edit different properties of the report, including its schedule, acceleration, permissions, and embedding.

    This screen image shows the options under the More Info drop-down menu.

  3. Look at the time range picker, located at the upper left corner of the window.

    With the Time range picker, you can change the time period to run this search. For example, you can use the time range picker to run this search for the VIP Customer Week to date, Last 60 minutes, or Last 24 hours just by selecting the Preset time range or defining a custom time range.

    This screen image shows the options in the time range picker. The time range options in a report are the as the same options when you create and run a search.

Find and share reports

You can access your reports using the App bar.

  1. Click Reports to open the Reports page and view the list of reports.

    This screen image shows the Reports page. The VIP Customer report that you created is listed at the bottom.  The other reports in the list are built-in reports that come with the Splunk software.

    When you save a report, Sharing is set to Private. Only you can view and edit the report. You can allow other apps to view, edit, or both view and edit the report by changing the report permission.
  2. For the VIP Customer report, under Actions click Edit.
  3. Select Edit Permissions.

    This screen image shows the list of options under the Edit drop-down menu.


  4. In the Edit Permissions dialog box, set Display For to App.
    The display expands to show more settings.
  5. For Everyone, mark the check box under Read.
    This action gives everyone who has access to this app the permission to view the report.

    This screen image shows the Edit Permissions dialog box. There is information about the report, such as the report name and owner. There are a list of roles, including everyone, power, and user. You can set read and write permissions.

  6. Click Save.
    The Reports page appears. The Sharing setting for the VIP Customer report now reads App instead of Private.

    This screen image shows the Reports page. The Sharing setting for the VIP Customer report is highlighted to show the change to the permissions from Private to App.

Next step

Let's explore some other search examples, work with chart visualizations, and save the searches as reports, starting with Create a basic chart.

See also

In the Reporting Manual

About reports
Accelerate reports
Last modified on 01 November, 2024
Search with field lookups   Create a basic chart

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters