Topics

| pdf version

Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Examples of useful reports

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Examples of useful reports

This section shows you some reports you can execute using data from the sampledata and _internal default indexes. Paste any of these reports into the search bar in Splunk Web to see it in action (unless otherwise noted). Some of the examples require you to substitute your own data to see meaningful results. If noted, some examples require you to install certain applications.

Note: Extract fields from search results to create reports using interactive field extraction in Splunk Web, or with the rex command in a search.


Internal Splunk log data

Create reports on Splunk internal data. Report on things like indexing performance and the CPU utilization of Splunk processes.

Indexing performance

See the indexing kps (indexing thruput):

index=_internal "group=thruput" | timechart avg(instantaneous_kbps)Search

Plot the average eps and kps by time:

index=_internal "group=thruput" | timechart avg(instantaneous_eps) avg(instantaneous_kbps)Search

CPU utilization of Splunk processes

See the CPU utilization of Splunk processes in a bar chart sorted in descending order:

index=_internal "group=pipeline" | stats sum(cpu_seconds) by processor | sort sum(cpu_seconds) descSearch


System monitoring data

Create reports on data from your system monitoring utilities with the Splunk for UNIX application. You must install Splunk for UNIX to run these reports. These samples illustrate what some of the system monitoring reports look like.

Download and install Splunk for UNIX from SplunkBase. Splunk for UNIX configures Splunk to index UNIX system monitoring utility data.

See the % CPU usage over time:

index=monitoring source=ps | multikv | timechart avg(CPU) by COMMANDSearch

See the % CPU for processes that contain the word "splunkd":

index=monitoring source=ps | multikv filter splunkd | timechart avg(CPU) by COMMANDSearch

See the % CPU used per user:

index=monitoring source=ps | multikv | timechart avg(CPU) by USERSearch


Web access data

Create reports on your web access and traffic data with these examples, or use the Splunk for Web Access application. Download and install Splunk for Web Access from SplunkBase. The Splunk for Web Access application has a large number of saved reports that you can run on your Web access data.

The following examples illustrate some of the kinds of reports you can run on Web access data with Splunk.

See the top Web clients used:

index=sampledata sourcetype=access* | top limit=100 clientipSearch

See a chart of data transferred (in bytes) by time:

index=sampledata sourcetype=access* | timechart sum(bytes)Search

Note: The following examples assume you have extracted fields for clientip and referer data in your search results.

See the number of unique visitors by hour of the day:

index=sampledata sourcetype=access* | stats dc(clientip) by date.hourSearch

See the top traffic peak hours of a day:

index=sampledata sourcetype=access* | top date.hourSearch

See the number of unique visitors by day of week:

index=sampledata sourcetype=access* | chart dc(clientip) by date.wdaySearch

See the top traffic peak days of a week:

index=sampledata sourcetype=access* | top date.wdaySearch

See the top visits by referrer:

index=sampledata sourcetype=access* | top referrerSearch

Web application data

Create reports from data of Web applications. See the top Web applications and their violations from a log:

(This example assumes you have the web_app and violation fields extracted.)

sourcetype="webbapp" | top web_app violationSearch

See the top Web applications and the top 3 violations for each application (using the sort command at the end to optionally sort the results):

sourcetype="webbapp" | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_appSearch

See the top Web applications and the top 3 violations for each application, and restrict the search to only include the top 10 Web applications (using the subsearch to pre-filter the results).

sourcetype="webbapp" [search <data source> | top 10 web_app | fields + web_app] | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_appSearch


Firewall (or connection) activity

Create reports on the connection activity of your server or firewall. You can report on any type of activity: # of connections, # of accepts, # of denies, bytes transferred.

See the top port activity:

index=sampledata | top portSearch

See the top activity of a source host ID:

index=sampledata | top SourceIdSearch

See the most active destination ports:

index=sampledata | top limit=100 dst_portSearch

See the ports with the top number of denials:

index=sampledata action=Deny | top src_portSearch


Email activity or email transactions

Create reports of email activity by applying these examples to your own email data.

Note: These examples use the rex command to extract the fields on which to report. You can also extract fields by configuring field extraction at index time.

Note: The sampledata index doesn't contain email data used to demonstrate these reports. To try these, supply email data from your own sources and tailor these examples to try these reports.

See the top senders:

sourcetype=*mail* | rex field=_raw "from: (?<from>.*)" | top fromSearch

See the unique number of recipients to whom a sender sent messages:

sourcetype=*mail* | rex field=_raw "from: (?<from>.*) to:(?<to>.*)" | stats dc(to) by fromSearch

See the top recipients of messages:

sourcetype=*mail* | rex field=_raw "from: (?<to>.*)" | top toSearch


Transaction data

For example, let's say that you have a set of purchase transaction data that looks like this: 

1216725748296,I,toystore,S,1
1216725748396,I,toystore,S,1
1216725748497,E,toystore,S,30
1216725748598,E,toystore,S,40
1216725748698,I,toystore,S,1
1216725754024,I,toystore,S,2
1216725754126,I,toywarehouse,S,2

Now, let's assume that you configure Splunk to extract the following fields from this comma-delimited data:

  • The timestamp in milliseconds since Jan 1, 1970 epoch.
  • A character code indicating logger priority (I = info, E = error).
  • The supplier name.
  • A character code indicating business stage (S = customer is searching).
  • A numerical event code indicating the outcome of the process.

With these fields, you can generate the following reports:


See a table showing the count of each supplier by logger code (priority):

* | chart count by supplier, prioritySearch

See a table showing the count of each supplier by logger code (priority). Also, rename the priority=I as successCount, and priority=E as failCount, then fill the empty values with 0:

* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0Search

See a table showing the count of each supplier by logger code with the sum of successCount and failCount as totalCount (in a 3rd column):

* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0 | eval totalCount = successCount + failCountSearch
Retrieved from "http://www.splunk.com/base/Documentation/3.4.3/User/ExamplesOfUsefulReports"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.