• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Form searches
    • Macro searches
    • Transactions
    • Live tail
    • Save and schedule searches
    • Asynchronous searches
    • CLI searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Useful transactions
    • The transaction command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
  • Tag fields (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
  • Tag using search commands
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Pick different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule the search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tags
    • tagset
    • tagcreate
    • tagdelete
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq
• CLI command reference
  • Command Line Interface (CLI) commands
    • Syntax
    • Command list

Reports

Splunk allows you to summarize the results of any search as a report in a separate window.

You can access the reports window in three ways:

1. After running a search, click Report on results >> located below the search bar.

2. Select Report on this field >> from any interactive field filter menu.

3. Pipe your search results into a report command, such as stats, top, and rare.

We'll cover pipes and other commands in More searches.

Report on results

Let's build a report for all firewall deny events in sampledata:

1. Search for all firewall deny events in sampledata.

2. After the results load, click Report on results >> above the timeline options. This takes you to a separate window where you can build your report.

Notice that:

• You can enter new search strings from the search bar at the top of the window.
• Splunk identifies fields from your search results and lists the field names in the Fields panel.

3. Select dst from the Fields list.

Splunk updates your search string to:

The report displays:

• A chart graphing the results (the top 100 values of dst).
• A summary of the count and events matching your search.

Notice that the options in the Series panel defines the data series for your chart. You can also choose a different chart to display your results.

Let's tune this search to report only the top 10 dst values of firewall deny events and display the series in a pie graph.

4. In the search bar, change the limit boundary to 10 and enter the search:

5. In the series panel, select display as "pie graph".

5. When you mouseover each wedge of the pie graph, an information box appears.
The box lists the dst value and event count. If you click on the wedge, Splunk takes you back to the search results and updates your search string to include the specific field name and value you selected from the chart. Try it out!

Report on fields

Return to the search window and search for all firewall deny events in sampledata.

To report on fields:

1. Click on the Fields... menu.

2. From the list, check and apply src.

3. From the src filter menu, choose Report on this field >>.

Splunk takes you to the report window and updates your search string:

Now, you can modify your report settings.

Build new reports

From the reports window, you can also enter a new search and build new reports.

1. Search for all "access_common" data in sampledata.

2. From the resulting list of Fields, select bytes.

3. Under Series, define your data series to "show the sum of bytes vs. time split by action":

You can define a custom time range for your chart. Here, it's zoomed in to a day of data.

Note: The chart updates as you define your series.

Pick different charts

Change chart styles by selecting a type from the display as drop-down menu above the current chart. Choose from the following chart types:

• column
• line
• area
• scatter
• stacked column
• stacked area
• pie
• donut
• bubble
• heatmap

See a sample of these charts in the report gallery on our website.

Add a report to your dashboard

You can save a report just as you would any other search. When you save the search, add it to your default dashboard by checking the box at the bottom of the save dialog.

You'll see the report on the dashboard after clicking the logo to return to the home page. Dashboard searches are refreshed every tenth of the time interval (for example, a 4 hour search every 24 minutes) or every hour, whichever is shorter.

You can read more about saving searches to the dashboard in Manage saved searches.

Note: You won't see your report on your dashboard if you haven't loaded any data to your main index yet. As soon as you have data in your main index, the "getting started" links are replaced with a default dashboard including modules that are predefined in the product, plus additional searches and reports you've added.