Report with Splunk
Description:
Vi Ly, Senior Sales Engineer, Splunk, presents an overview of Splunk's reporting and graphing features.
Download the movie to your computer. Size: 101MB.
Date: Feb 26, 2008
Permalink
http://www.splunk.com/view/SP-CAAACGS
Transcript
Reporting
Vi Ly
Introduction
Hi, I'm Vi Ly, a Senior Sales Engineer at Splunk. I started at Splunk a year ago, and I am available, along with my fellow sales engineers, to support you, or anyone installing, configuring, or tuning Splunk. Today, I'd like to show you how quick and easy it is to create reports in Splunk, with the built-in reporting engine. It allows you to visualize any search as a report.
Overview Demo
Let's take a look at how easy it is to turn any of your Splunk searches into really cool interactive reports! You're really going to like the variety of charting options and the simplicity of sharing reports with all your friends in operations, security, compliance and even those guys in management.
Say you're responsible for a web application, and concerned about bandwidth utilization. Start with a simple search for all of your web access logs.
Now click report on results to report on your search results.
Splunk automatically extracts and names fields from your search results. To pick the fields you want to report on, just select the field names from the list. Click on the bytes field to see how many bytes are being transferred for web requests. This creates a new series for your report. You can add multiple series by holding down the command key and clicking on additional fields in the list.
Now pick the statistics you want for the bytes field series. You select sum because you want the sum of bytes from all your search results.
Okay, now choose how you want the series displayed in your report. Click on line graph from the menu to chart the series over time as a line graph.
You've got the total bandwidth for your web application trended by time. You can split your series by file to check out which specific web transactions are using the most bandwidth.
When you discover a useful report you can save it and add it to a dashboard. Select save from the search menu and type in the name for your report. Now choose the dashboard you want to add the report to. Pretty cool. Now it's always around for quick reference and troubleshooting!
Here's another great report you'll like. Your server is really slow and you need to figure out what's going on. You're indexing the output of a ps status command and it's a piece of cake to figure out what processes are eating your CPU at any point in time. Splunk is a time machine for your servers.
If you like this report you can save it, run it on a schedule and deliver it via email to any number of recipients. Let's set it up to email you and your team every hour so you can all watch what's going on.
Splunk reports are great for troubleshooting but you can also use reports to mine your IT data for business intelligence. Look how easy it is to create a report of what products sold in your online pet store during the last hour.
The seamless integration of search and report is flexible and powerful. (pause) With just a few clicks you can visualize your search results, drill down on statistics and share information with your team. (pause) There's no database schema to manage or limits on the fields you can use and adapting to new and changing data from any application, server or network device is painless. (pause) Thanks for watching; download Splunk today, and go home early.
Report Tips and Tricks
Now I want to show you some tips and tricks for customizing your reports in Splunk. With a few easy steps, you can change the default rendering of any report. Let's use the example of charting page hits on the web application for your online pet store. We'll start with a simple search of the web access logs. From this search, create a basic report of the number of page hits over the last 60 minutes, segmented by product ID.
In the report legend, notice there is a null field value. This value is an automatic placeholder created by Splunk for any empty field values. The null field is not very interesting in this case, but it occupies a large area of each report column. Click on "chart options" and choose "suppress null" to remove the null field and present a more concise list of product ID values.
By default, Splunk has segmented this time chart into one-minute intervals for the 60-minute time range. To change this, add a span parameter after the time chart command in the search. Let's increase the interval to five minutes. You can use "M" for minutes, "S" for seconds, "H" for hours and "D" for days.
Lastly, the product IDs are not very user-friendly. This can be changed on the fly without affecting the original data set or making code changes to the web application. You can re-label any field values to something more descriptive using the "rename" command.
Congratulations. Now you have three more tools in your bat belt for refining and re-polishing Splunk reports.
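The two reports built by clicking through the UI above, the bandwidth report from the overview demo and the page-hits report refined in the tips section, can also be written out directly in Splunk's search language. The searches below are an added example, not anything shown in the video. The field names bytes and file are the ones the transcript uses; the sourcetype name access_combined, the field name productId and the product ID values PROD-1001 and PROD-1002 are assumptions.

```spl
sourcetype=access_combined
| timechart sum(bytes) by file

sourcetype=access_combined earliest=-60m
| rename productId AS product
| replace "PROD-1001" WITH "Dog Food" "PROD-1002" WITH "Cat Toys" IN product
| timechart span=5m usenull=f count by product
```

The first search is the bandwidth report: total bytes over time, one series per requested file. The second is the page-hits report with the three refinements from the tips section applied in the search itself: span=5m buckets the chart into five-minute intervals instead of the default one-minute intervals, usenull=f is the search-language form of the "suppress null" chart option and drops the automatic NULL series, and rename gives the series field a friendlier label. The replace line, which relabels the individual product ID values, goes a step beyond the rename step the transcript names; it changes only the report output, not the indexed data. Either search can be saved, added to a dashboard and scheduled for email delivery exactly as the demo shows.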
Conclusion
There you have it, reporting with Splunk. There's a lot we didn't cover today, but please download Splunk and take a look at it. It's free for download at Splunk.com. Let us know if you have any questions.