Run reports

Run reports

Summarize the results of any search as a report using the report window in Splunk Web.

Access the reports window in three ways:

• After running a search, click Report on results >> located below the search bar.
• Select Report on this field >> from any interactive field filter menu.
• Pipe your search results to a reporting command (such as stats, top, or rare).

For more information about reporting with Splunk, you can watch this video.

Report on results

Run any search in Splunk Web (either with the search bar, or by running a saved search). After the results load, click Report on results >> above the timeline options. This takes you to the reports page so you can build a new report.

Select a field from the Fields list. Splunk updates your search string with | top <field name you selected> and displays a report. The default report displays:

• A chart graphing the results (the top 100 values the field you selected).
• A summary of the count and events matching your search.

Tune a report by:

• Adjusting the search string by using the search bar at the top of the page.
• Adjusting the search's timerange using the timerange selection tools under the search bar (shows the current day by default).
• Selecting fields to report on that Splunk identifies in the Fields panel.
• Defining a data series or chart style using the Series panel.

Select Back to search results to see your search results.

Report on fields

Report on any field that's in the Field menu. By default, Splunk lists host, source, sourcetype, and any indexed field in the Fields menu.

Note: Add additional fields to the Field menu by using the fields picker (Fields drop-down menu above your search results).

To report on fields:

• Click on the Fields... menu.
• From the list, check and apply src.
• From the src filter menu, choose Report on this field >>.

Splunk takes you to the report window and updates your search string:

Modify your report the same way you do when you click on Report on results.

Report using reporting commands

Create reports using the search language. Pipe your search results to a reporting command.

• Create useful graphs and time-based charts using chart and timechart.
• See the most common or least common events using top and rare.
• Create reports of statistics about your events using stats or eventstats.
• See correlations, differences, and associations between fields in your data using associate, correlate, and diff.

See examples of useful reports.

Choose different charts

Change chart styles by selecting a type from the display as drop-down menu above the current chart.

Choose from the following chart types:

• column (bar)
• line
• area
• scatter
• stacked column
• stacked area
• pie
• doughnut
• bubble
• heatmap

See samples of these charts in the report gallery.

Add a report to your dashboard

Save a report just as you would any other search. When you save a search, add it to your default dashboard by checking the box at the bottom of the save dialog.

You'll see the report on the dashboard after clicking the logo to return to the home page. Dashboard searches are refreshed every tenth of the time interval (for example, a 4 hour search every 24 minutes) or every hour, whichever is shorter.

Read more about saving searches to the dashboard in Manage saved searches.

Note: You won't see your report on your dashboard if you haven't loaded any data to your main index. As soon as you have data in your main index, the "getting started" links are replaced with a default dashboard including modules that are predefined in the product, plus additional searches and reports you've added.

Summary indexing

Summary indexing allows you to search and run reports on a smaller, specially generated summary index instead of working with a much larger original data set.

Use summary indexing to:

• Index aggregate results.
• Index running statistics (such as a running total).
• Index rare original events into a smaller index for more efficient reporting.

Learn more about summary indexing.