• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Saving commands
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run

Examples of useful reports

This section shows you some reports you can execute using data from the sampledata and _internal default indexes. Paste any of these reports into the search bar in Splunk Web to see it in action (unless otherwise noted). Some of the examples require you to substitute your own data to see meaningful results. If noted, some examples require you to install certain applications.

Note: Extract fields from search results to create reports using interactive field extraction in Splunk Web, or with the rex command in a search.

Internal Splunk log data

Create reports on Splunk internal data. Report on things like indexing performance and the CPU utilization of Splunk processes.

Indexing performance

See the indexing kps (indexing thruput):

index=_internal "group=thruput" | timechart avg(instantaneous_kbps)

Plot the average eps and kps by time:

index=_internal "group=thruput" | timechart avg(instantaneous_eps) avg(instantaneous_kbps)

CPU utilization of Splunk processes

See the CPU utilization of Splunk processes in a bar chart sorted in descending order:

index=_internal "group=pipeline" | stats sum(cpu_seconds) by processor | sort sum(cpu_seconds) desc

System monitoring data

Create reports on data from your system monitoring utilities with the Splunk for UNIX application. You must install Splunk for UNIX to run these reports. These samples illustrate what some of the system monitoring reports look like.

Download and install Splunk for UNIX from SplunkBase. Splunk for UNIX configures Splunk to index UNIX system monitoring utility data.

See the % CPU usage over time:

index=monitoring source=ps | multikv | timechart avg(CPU) by COMMAND

See the % CPU for processes that contain the word "splunkd":

index=monitoring source=ps | multikv filter splunkd | timechart avg(CPU) by COMMAND

See the % CPU used per user:

index=monitoring source=ps | multikv | timechart avg(CPU) by USER

Web access data

Create reports on your web access data with these examples, or use the Splunk for Web Access application. Download and install Splunk for Web Access from SplunkBase. The Splunk for Web Access application has a large number of saved reports that you can run on your Web access data.

The following examples illustrate some of the kinds of reports you can run on Web access data with Splunk.

See the top Web clients used:

index=sampledata sourcetype=access* | top limit=100 clientip

See a chart of data transferred (in bytes) by time:

index=sampledata sourcetype=access* | timechart sum(bytes)

Web traffic stats

Here are some examples of Web traffic reports you can create.

Note: You must extract fields for the clientip and referer data from your search results to run these reports.

See the number of unique visitors by hour of the day:

index=sampledata sourcetype=access* | dc(clientip) by date.hour

See the top traffic peak hours of a day:

index=sampledata sourcetype=access* | top date.hour

See the number of unique visitors by day of week:

index=sampledata sourcetype=access* | dc(clientip) by date.wday

See the top traffic peak days of a week:

index=sampledata sourcetype=access* | top date.wday

See the top visits by referrer:

index=sampledata sourcetype=access* | top referrer

Web application data

Create reports from data of Web applications.

See the top Web applications and their violations from a log:
(This example assumes you have the web_app and violation fields extracted.)

sourcetype="webbapp" | top web_app violation

See the top Web applications and the top 3 violations for each application (using the sort command at the end to optionally sort the results):

sourcetype="webbapp" | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_app

See the top Web applications and the top 3 violations for each application, and restrict the search to only include the top 10 Web applications (using the subsearch to pre-filter the results).

sourcetype="webbapp" [search <data source> | top 10 web_app | fields + web_app] | stats count by web_app violation | sort - count | dedup 3 web_app | sort web_app

Firewall (or connection) activity

Create reports on the connection activity of your server or firewall. You can report on any type of activity: # of connections, # of accepts, # of denies, bytes transferred.

See the top port activity:

index=sampledata | top port

See the top activity of a source host ID:

index=sampledata | top SourceId

See the most active destination ports:

index=sampledata | top limit=100 dst_port

See the ports with the top number of denials:

index=sampledata action=Deny | top src_port

Email activity or email transactions

Create reports of email activity by applying these examples to your own email data.

Note: These examples use the rex command to extract the fields on which to report. You can also extract fields by configuring field extraction at index time.

Note: The sampledata index doesn't contain email data used to demonstrate these reports. To try these, supply email data from your own sources and tailor these examples to try these reports.

See the top senders:

sourcetype=*mail* | rex field=_raw "from: (?<from>.*)" | top from

See the unique number of recipients to whom a sender sent messages:

sourcetype=*mail* | rex field=_raw "from: (?<from>.*) to:(?<to>.*)" | stats dc(to) by from

See the top recipients of messages:

sourcetype=*mail* | rex field=_raw "from: (?<to>.*)" | top to

Transaction data

For example, let's say that you have a set of purchase transaction data that looks like this:

1216725748296,I,toystore,S,1
1216725748396,I,toystore,S,1
1216725748497,E,toystore,S,30
1216725748598,E,toystore,S,40
1216725748698,I,toystore,S,1
1216725754024,I,toystore,S,2
1216725754126,I,toywarehouse,S,2

Now, let's assume that you configure Splunk to extract the following fields from this comma-delimited data:

• The timestamp in milliseconds since Jan 1, 1970 epoch.
• A character code indicating logger priority (I = info, E = error).
• The supplier name.
• A character code indicating business stage (S = customer is searching).
• A numerical event code indicating the outcome of the process.

With these fields, you can generate the following reports:

See a table showing the count of each supplier by logger code (priority):

* | chart count by supplier, priority

See a table showing the count of each supplier by logger code (priority). Also, rename the priority=I as successCount, and priority=E as failCount, then fill the empty values with 0:

* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0

See a table showing the count of each supplier by logger code with the sum of successCount and failCount as totalCount (in a 3rd column):

* | chart count by supplier, priority | rename I as successCount, E as failCount | fillnull value=0 | eval totalCount = successCount + failCount