Define reports and generate charts

Define reports and generate charts

Splunk's Report Builder makes it easy to generate sophisticated reports using the results from any completed or finalized search. It offers a wide range of reporting options, both in terms of reporting parameters and chart types.

With the Report Builder, you don't need to have an advanced understanding of reporting commands like stats, top, chart, and timechart in order to build robust, information-rich reports. However, you can still use these commands in your search if you're more comfortable with them.

For examples of how reporting commands are used, see "Use reporting commands" in this manual.

The Report Builder is broken up into two stages: Define Report Contents and Format Report. Use the Define Report Contents page to set up your initial report parameters, such as the type of report and the fields that you're reporting on.

Once you've defined these initial details, you can go to the Format Report page, where Splunk generates the chart and corresponding table. On this page you can fine-tune the chart formatting, review the related table, and save, print, and export the results.

If you're not sure how to launch the Report Builder, see "Launching the Report Builder" in this manual.

Define report contents

The Define Report Contents page gives you the freedom to define your report parameters in the manner that feels most comfortable to you. If you're familiar with reporting commands and want to define your report contents using sophisticated search language, you can do that.

But you should use the default form-based mode for report content definition if you:

• are not that familiar with reporting commands.
• want to quickly and efficiently set up a report using drop-down lists and don't necessarily know what fields you can report on.

Both modes of the Define Report Contents page display a search bar with your search preloaded into it, and a time range picker list that lets you change the report time-range.

Note: If you use the time range picker to change the time range for your report, take care to choose a range of time that includes the fields on which you plan to report.

Set up report contents using the form-based mode

The form-based mode of the Define report content page helps you quickly set up your reporting parameters through a set of list fields. In this mode, you cannot manually update the language in the search bar, but as you use the form to set up your reporting parameters you'll see that the search bar automatically updates with equivalent reporting commands.

There are three basic report types to choose from:

• Values over time for reports that display trends in field values over a selected time range. These reports use the timechart reporting command. They can display as a bar, column, line, or area chart.
• Top values for reports that display the most common field values to turn up in a search. These reports use the top command, and can display as a bar, column, or pie chart.
• Rare values for reports that display the most uncommon field values to turn up in a search. These reports use the rare command, and can display as a bar, column, or pie chart.

Note: The grayed-out Distribution of values and Original values report types are coming in a future Splunk release. They'll handle reports that you can currently build with the Report Builder if you define your report directly using reporting commands, such as chart.

If you choose Values over time you can define reports that involve multiple field series or split-by fields. These report types also let you define the time span for each bin.

After you define your Report Type you can select the fields that you want to report on. If you've chosen a Values over time report type you'll also associate a statistical operator (such as count, direct count, average, mode, median, and so on) with your primary field.

Once you have your initial report parameters set up, click Next Step: Format Report. Splunk takes you to the Format report page of the Report Builder, where it generates a version of the report using default formatting parameters.

Note: At any point during your use of the form interface you can switch over to the search language mode, to refine the reporting commands that have been appearing there. For example, say you set a Report Type of Top Values with a Fields value of Host. As you select these values, this search appears in the search box:

Splunk's default limit for a top report built through the Report Builder is 1000, which means that Splunk captures the top thousand items found in the search in the resulting table and report. If you're dealing with a search that is bringing back a large number of results, you can change this default by going into search language entry mode (see below) and manually changing the limit to a value that better fits your needs (such as limit=20).

Set up report contents using search language

If you're on the Define report content page of the Report Builder and you want to manually define the reporting language for your report, use the search language entry mode for that page. Click Define report using search language to enter this mode.

When you are in the search language entry mode, you can enter reporting commands directly into the search bar, with the freedom to make them as simple or sophisticated as your situation requires.

For examples of how reporting commands are used, see "Use reporting commands" in this manual.

Note: If you include reporting commands in your initial search, the Show report button that appears takes you straight to the Format report page of the Report Builder, bypassing the 'Define report content page entirely.

As in the form-based mode, once you have your initial report parameters set up, click Next Step: Format Report. Splunk takes you to the Format report page of the Report Builder, where it generates a version of the report using default formatting parameters.

Format reports

The Format report page enables you to fine-tune the default formatting of your report. The report is broken up into two major sections:

• the Chart section, which displays your report results as a chart.
• the Table section, which displays your report results as a table.

When Splunk opens the Format report page, it generates a chart using default reporting parameters that are associated with the report type, as well as the statistical operators involved in the search. For example, if on the Define Report Contents page you chose a Report type of Trend over time and use a count or distinct count statistical operator, Splunk renders it as a column chart by default. (If you use a different statistical operator, such as average, Splunk renders a line chart instead.)

Note: If you have a search that includes reporting commands and you want the chart that is generated from that search to include custom formatting (such as a pie chart in place of the default bar chart) be sure to save it as a report from the report builder once you have it formatted to your liking. Saved searches do not include chart formatting parameters--to get those you need a saved report. This is especially important if you are planning to base a dashboard panel on the saved report, and you expect that panel to display with your custom formatting parameters.

At the top of the Chart section you'll find the Formatting options subsection, which contains the formatting options for your chart.

In this section, you can redefine the chart type (change it from a column chart to a bar chart, for example) and select a variety of other formatting options. Under Format, toggle between General, Y-axis, and X-axis sets of formatting controls. After you make changes, click the Apply button to have Splunk regenerate your chart with your formatting changes applied to the design.

Note: When you try to fine-tune the formatting for a report after the report job that it's based upon expires, Splunk draws an empty chart. You will not have this problem if you are building a report based on a saved report job. For more information about saving search and report jobs see Managing Jobs in this manual.

Choose a chart type

Use the Chart Type drop-down list to change how Splunk visualizes your report data. The list includes the following chart types:

• column
• bar
• line
• area
• pie
• scatter
• bubble (disabled in current version)

The Chart Type options that are actually available to you at any given time depend on the type of report that you've created. For example, if you've set up a Values over time report type on the Define Report Contents page, then the only Chart Type values that are available to you are column, line, and area.

For more details about the types of charts that you can create with the Splunk Report builder see the "Chart gallery" topic in this manual. It includes visual examples of each chart type and information about the kinds of situations that each chart type is best suited for. It also tells about the commands and Report Builder setups that get you to each chart type.

Update general chart formatting options

The General chart formatting options available to you differ depending upon the type of chart you've selected. If you're working with a column, bar, line, or area chart, you can update the Stack mode. If you're working with a line or area chart, you can additionally adjust the way the chart displays Null values.

You can update the Chart title and Legend placement no matter what chart type you're working with.

Update X-axis and Y-axis formatting options

With the X-axis and Y-axis formatting option you can:

• Redefine the X- and Y-axis titles for the chart.
• Change the maximum and minimum values of the Y-axis for column, line, and area charts.
• Change the maximum and minimum values of the X-axis for bar charts.
• Turn display markers on and off for line and area charts.
• Switch the Y-axis scale from linear to log (as in "logarithmic") for column, line, area, scatter, and bubble charts (and do the same for the X-axis scale of bar charts).

You may decide you want to adjust the maximum and minimum values of the Y-axis (or X-axis, for bar charts) to focus on the differences between an otherwise fairly similar group of results.

For example, say you're looking at a column chart where all of the Y-axis values are between 114 and 145. You can set the minimum Y-axis value to 110, and the maximum Y-axis value to 150. This creates a chart that focuses the viewer's attention on the differences between each column while leaving out the nonessential similarities.

Similarly, putting the chart on a logarithmic scale can be handy for situations where values have wide variances. For example, you might have a column chart where most of the values come between 10 and 50, but a handful are as high as 1000. You can use the logarithmic scale to better see the differences between the lower values.