Create a report from a custom chart
In this example, you create a report that charts which products were purchased over a period of time.
This example uses the timechart
command and chart options to create and customize a chart.
This example uses the productName
field from the Enabling field lookups section of this tutorial.
If you do not configure the field lookups, the searches in this section will not produce the correct results.
- Start a new search.
- Change the time range to All time.
- Run the following search.
sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull=f useother=f
This search uses the
count()
function to count the number of events that have the fieldaction=purchase
.The search also uses the
usenull
anduseother
arguments to ensure that thetimechart
command counts events that have a value forproductName
Events that have null values for productName are not included. - Click the Visualization tab.
- Change the chart type to a Line chart.
- Use the Format drop-down to format the X-Axis, Y-Axis, and Legend to produce the following chart.
This table lists the changes made to the chart.Chart changes Setting or value Chart type Line X-Axis CustomTitle Date X-Axis Labels -45 degree angle Y-Axis Custom Title Purchases Y-Axis Interval 10 Legend Position Top - Click Save As and select Report.
- In the Save Report As dialog box, for Title type
Product Purchases over Time
. - For Description, type
The number of purchases for each product
. - For Content, select the first option Line Chart and Statistics Table.
- For Time Range Picker, keep the default setting Yes.
- In the Save Report As dialog box, for Title type
- Click Save.
- In the confirmation dialog box, click View to see the report.
Next step
Create a report from a sparkline chart
See also
timechart command in the Search Reference
Chart overview in Dashboards and Visualizations
About reports in the Reporting Manual
Create an overlay chart and explore visualization options | Create a report from a sparkline chart |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 8.2.2112, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!