• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Taking snapshots
    • Customize SplunkWeb
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command

Reporting

Splunk lets you summarize the results of any search as a report, which can include both a chart and a table of results.

Let's start with a search for some firewall deny events.

index::sampledata deny

Report on a field

Open up the fields... menu and select all available extracted fields. You'll see that Splunk has done a good job of figuring out all the fields in the well-structured Netscreen firewall log format.

Once all of your fields are showing, use the filter dropdown on the field src and click the Report on this field link.

You are taken to the Report tab and Splunk shows you the count and percent of events matching your search along with a bar chart graphing the results. Note how Splunk has changed your search to:

index::sampledata deny | top src

We'll cover pipes and operators later in this tutorial.

Build a new report

You can also build a new report within the report tab. To do this, search for all of the access_common data in the sample index:

index::sampledata sourcetype::access_common

Select the field byte from the fields menu to the left.

In the parameters section enter "Show sum of byte vs time split by action." Then click Apply.

Pick a different chart

Change chart styles by selecting a type from the display as drop-down menu above the current chart.

The types of charts that are available:

• column
• line
• area
• scatter
• stacked column
• stacked area
• pie
• donut
• bubble
• heatmap

To see a gallery of samples of some of these charts see the report gallery on our website.

You'll notice that the portfolio action has the largest spikes.

Add it to your dashboard

You can save a search from report mode just as you would any other search. When you save the search, add it to your default dashboard by checking the box at the bottom of the save dialog.

You'll see the report on the dashboard after clicking the logo to return to the home page. Dashboard searches are refreshed every tenth of the time interval (for example, a 4 hour search every 24 minutes) or every hour, whichever is shorter.

Note: You won't see your report on your dashboard if you haven't loaded any data to your main index yet. As soon as you have data in your main index, the "getting started" links are replaced with a default dashboard including modules that are predefined in the product, plus additional searches and reports you've added.