Splunk Reports And Dashboards For Beginners

So, you’re new to Splunk. Your data is ingested and searchable, and you’re familiar with Splunk’s Search Processing Language (SPL for short). But now you’re wondering how to go from the massive sandbox that is the Splunk platform to a tailored experience with custom dashboards and reports.

We’ve got you covered with a complete beginner’s guide to reports and dashboards.  With these staple Splunk tools, you’ll be able to turn data into intelligence and intelligence into action! 

Let’s get started with the basics.

How to Create a Report in Splunk

Scenario: A client wants to find the total number of successful purchases on their online store. They want to see how individual categories and products are selling.

Step 1: Start your search in the search and reporting app.

In this example, we rename the fields to readable labels and sort descending so the largest “Total Purchases” value is at the top of our results.

index="splunk_test" sourcetype="access_combined_wcookie" status=200 action=purchase
| stats count by productId, categoryId, product_name
| rename count as "Total Purchases" productId as "Product ID" categoryId as "Product Category" product_name as "Product Name"
| sort - "Total Purchases"

How to Create a Report in Splunk

Step 2: Save your report.

Select “Save As” then select “Report”.

Include your title, description, content type, and whether you’d like to include a  time range picker.

Select “Save”.

How to Save Your Report in Splunk

From here, you can “View” your report and run it over your desired time period.

How to View Your Report in Splunk


How To Add a Splunk Report to a Dashboard

A dashboard is a collection of searches that you can view all at once. You can use dashboards to get greater insight into your data. For example, if you want a dashboard of all your sales reports, you can create that by adding each report visualization to a dashboard.

Method 1: Use the “Add to Dashboard” Button on the reports page.

How to Add a Splunk Report to Your Dashboard

Method 2: Use the “Save as New/Existing Dashboard” option on the search page.

No matter which method you choose to create your dashboard, the following steps will be the same.


Step 1: Configure your dashboard.

Add your dashboard title, dashboard ID, description, and permissions. Then choose whether you want to build it with Classic Dashboards or Dashboard Studio. Finally, set your panel title and visualization type, then save your dashboard.

Step 2: Edit your dashboard.

You can choose from a number of options like editing the UI and source code of your dashboard or adding panels and inputs. Change the theme from light to dark if that’s your preferred style, and your dashboard is ready.

How to Edit Your Dashboard in Splunk


Splunk Reports and Dashboards Best Practices


1. Practice Makes Perfect

Your dashboard is extremely malleable, so take your time crafting it. You can start with simple visualizations for the time being and optimize them later using the “open search” button or “change visualization” button.

2. Save Often

This simple, yet often overlooked step can save you a lot of headaches down the road. If you leave the dashboard mid-edit, your work won’t be saved, so be sure to hit the save button before you go.

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.


How to Use TOP and RARE Commands In Splunk


I get it, SPL is a very broad language. It has many commands, arguments, and functions that are hard to remember when you need them most. But what if I told you there were a couple of commands that could do the heavy lifting for you?

They’re the top and rare commands, and in this post, I’ll break down what each one is and how to use it. But first, what exactly is a TOP command?

What is a TOP command?

TOP is a Splunk command that allows you to easily find the most common values in a field. Alongside each value it returns the count of events containing that value and the percentage of events it represents.

How to Use a TOP Command

There are two ways to use the top command: using the search bar or using interesting fields.

TOP Command Using the Search Bar

Let’s use this SPL search query as an example:

index=main | stats count by user | sort - count | head 10

Step 1: Set the time parameters of your search.

Splunk Pro Tip: We do not recommend using “all time” as this is not a best practice when creating queries in Splunk. Instead, narrow down your search to the most relevant time frame. We use “all time” here for example purposes as this is test data.

Step 2: Type the TOP command you want to use.

For this example, we’re using |top categoryId to see the top categories within our environment. By default, the top command returns the 10 most common values.

Step 3: Refine your search.

You can refine the results of your query with two options: limit and showperc.

Limit Option
|top categoryId limit=5

The limit option caps the results at the five most common values.

Percentage Option
|top categoryId limit=5 showperc=f

The showperc option is true by default, which means top always adds a percent column showing what share of the events each value represents. If you don’t need this information and want to clean up your results, turn it off with showperc=f or showperc=false.

To add the percentage column back in, simply change the option to showperc=t or showperc=true: |top categoryId limit=5 showperc=t.

TOP Command Using Interesting Fields

Step 1: Select an interesting field from the column on the left.

We chose categoryId for this example.

Step 2: Select “Top values.”

Step 3: Review your Top command in the search bar.

In the search bar, you’ll see the TOP command has been created for you — this time with a pre-populated limit of 20.

Doing the TOP command this way also shows you a visualization of the data, but you can switch back to the table view by selecting “Statistics.”

What is a Rare Command?

Rare is a Splunk command that allows you to easily find the least common values in fields. Just like the TOP command, the rare command will also help you find information behind your event values like count and percentage of the frequency.

How to Use a Rare Command

There are two ways to use the rare command: using the search bar or using interesting fields.

Rare Command Using the Search Bar

Let’s use this SPL search query as an example:

index=main | stats count by user | sort - count | head 10

Step 1: Set the time parameters of your search.

Step 2: Type the rare command you want to use.

Rare commands follow this syntax:

|rare <options> field <by-clause>

For this example, we’re using |rare categoryId to see the least common categories within our environment. By default, the rare command returns the least common values first, in ascending order of count.

Step 3: Refine your search.

You can refine the results of your query with two options: limit and showperc.

Limit Option
|rare categoryId limit=3

The limit option caps the results at the three least common values.

Percentage Option
|rare categoryId limit=3 showperc=f

The showperc option is true by default, which means rare always adds a percent column showing what share of the events each value represents. If you don’t need this information and want to clean up your results, turn it off with showperc=f or showperc=false.

To add the percentage column back in, simply change the option to showperc=t or showperc=true: |rare categoryId limit=3 showperc=t.


Rare Command Using Interesting Fields

Step 1: Select an interesting field from the column on the left.

We chose categoryId for this example.

Step 2: Select “Rare values.”

Step 3: Review your rare command in the search bar.

In the search bar, you’ll see the rare command has been created for you — this time with a pre-populated limit of 20.

Doing the rare command this way also shows you a visualization of the data, but you can switch back to the table view by selecting “Statistics.”

TOP Command and Rare Command Syntax

Top commands use this syntax:

|top <options> field <by-clause>

And rare commands use this syntax:

|rare <options> field <by-clause>

In both commands, <options> and <by-clause> are optional; the limit and showperc settings go in the <options> slot. Here’s an example of how you could use this syntax:

|top categoryId by action

This command tells Splunk to find the top categoryId values, split out by action, so you get the most common categories for each action the user took.
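To show how the pieces in these posts fit together in one artifact, here is an added example (constructed for this edit, not code from the original posts) of a classic dashboard’s Simple XML source. The first panel carries the purchase report search from the reports section with its time range picker wired in as a token, and the second uses the top <options> field <by-clause> form with limit and showperc. The dashboard label, panel titles, token name and default time range are assumptions; the index, sourcetype and field names come from the page’s example data.

```xml
<!-- Classic (Simple XML) dashboard; constructed example, not from the original posts -->
<form version="1.1" theme="dark">
  <label>Online Store Sales</label>
  <description>Purchases by product, plus the most common categories per action</description>
  <!-- The report's time range picker becomes a time input whose bounds are
       exposed to every panel as $range.earliest$ and $range.latest$ (token name assumed) -->
  <fieldset submitButton="false">
    <input type="time" token="range">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <!-- Panel 1: the purchase report search from the reports section, as a table -->
    <panel>
      <title>Total Purchases by Product</title>
      <table>
        <search>
          <query>index="splunk_test" sourcetype="access_combined_wcookie" status=200 action=purchase
| stats count by productId, categoryId, product_name
| rename count as "Total Purchases" productId as "Product ID" categoryId as "Product Category" product_name as "Product Name"
| sort - "Total Purchases"</query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
      </table>
    </panel>
    <!-- Panel 2: top <options> field <by-clause>. limit and showperc fill the options slot;
         "by action" splits the ranking so each action gets its own five most common categories -->
    <panel>
      <title>Top 5 Categories per Action</title>
      <table>
        <search>
          <query>index="splunk_test" sourcetype="access_combined_wcookie" status=200
| top limit=5 showperc=t categoryId by action</query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this into the dashboard’s source editor (the “edit source code” option from Step 2 of the dashboard section) to see both panels respond to the same time picker.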


How to Create a Pivot Dashboard in Splunk


Pivots are the perfect way to build a personal dashboard in Splunk without writing search queries manually. Whether you’re a beginner or an expert, learning how to build a Pivot dashboard can save you a ton of time (and headaches) when pulling data from your Splunk environment.

Here’s a crash course on everything you’ll need to know about Pivots in Splunk. 

What is Pivot in Splunk? 

A Pivot is a dashboard panel in Splunk. The goal of Pivots is to make searching easier in Splunk by using existing data sets instead of SPL queries to populate the Pivot. 

Do I need to know SPL to build a Pivot or dashboard in Splunk? 

No, you don’t have to know SPL to build a Pivot dashboard in Splunk. By using data models and data sets, you can build a robust Pivot dashboard without using SPL or running queries manually. 

Who can build Pivots in Splunk? 

Anyone who uses Splunk to understand the data in their organization can build a Pivot dashboard in Splunk. Because it doesn’t require any SPL knowledge, anyone from a summer intern to the VP of Technology can build their own Pivot dashboards in Splunk.

How to Create a Pivot in Splunk 

The drag and drop UI of Pivots makes it easy to build a Pivot dashboard in Splunk.  

Step 1: Create a New Data Model or Use an Existing Data Model 

To begin building a Pivot dashboard, you’ll need to start with an existing data model. If you don’t have an existing data model, you’ll want to create one before moving through the rest of this tutorial. 

Go to data models by navigating to Settings > Data Models. 

For this example, we’re using the standard data model Internal Audit Logs, but you can choose any data model in your environment. 

Splunk Tip: When your Splunk environment was created, it automatically came with the Internal Audit Logs data model. This data model includes all of your internal audit log data, so you can be sure that the Pivot table you’re creating will reflect real and accurate data. 

Step 2: Select Pivot 

In the top right corner of the screen select Pivot. 

Once you open your data model and select Pivot, you’ll see at least one (but likely more) data sets in the model. 

Step 3: Review the Data for Your Pivot 

It’s important to click on each data set and review the fields within it in order to find the data you want to include in your Pivot table. Once you find your desired fields, click on the name of the data set again to open your new Pivot.  


Step 4: Build Your Pivot 

Building your Pivot is both an art and a science. Here are the overarching elements you can manipulate to build your Pivot table. Play around here and see what data populates. Keep what you like, and remove what you don’t. 

  • Filter Your Data: You should filter your data so that it pulls information from the right time period. To do this, click Filters and choose from Real Time, Relative, or All Time. In this example, we’re choosing a Relative time filter of Last 7 Days.
  • Check the Count of Audit: After filtering your data, you’ll see how many audited events happened in the time frame you selected. In our case, we see 1,247 audits in the last 7 days. If you’re seeing zero audits, double-check that the data set you’re using actually has data, or try refiltering your data using a larger time frame.
  • Add Rows to Your Pivot: Select Split Rows to reveal a dropdown of all the fields available for the rows of your Pivot. To start, we’re choosing the Action field. This will show us all the actions that happened in our audit and how many of each action occurred. You can continue to add rows to your Pivot for more details about the data.
  • Add Columns to Your Pivot: Select Split Columns to reveal a dropdown of all the fields available for the columns of your Pivot. In this example, we’re choosing the Host field. This will show us all the hosts for each action in our audit. You can continue to add columns to your Pivot for more details about the data.

Splunk Tip: The smaller and less complex your data set, the fewer fields you’ll have to choose from when splitting rows and columns. Don’t get discouraged if you have only a couple of fields to include in your Pivot. If there are additional fields you’d like to pull into your Pivot in the future, you can work with your Splunk team or ask the experts at Kinney Group to help you set them up. 

  • Add Visualizations: Although the default for building a Pivot in Splunk is a table, you can change the visualization to display your data in different ways. On the right-hand side of your screen, you’ll see a vertical list of icons, each of which displays your data in a different graph or chart. In this example, we’re using the line graph visualization, represented by the line graph icon. With any visualization, you can adjust the x-axis, y-axis, color, and other properties of your graph or chart.

Splunk Tip: Visualizations represent what your data will look like in the finished Pivot dashboard. If you don’t choose a visualization, you’ll simply see the table and raw data in your Pivot. This makes it hard to see your data at a glance, which defeats the point of building the Pivot dashboard. We highly recommend you choose a visualization for your data so that it reflects the information you want to see in your finished Pivot in an accurate and appealing way.

Step 5: Save Your Pivot 

In the top right of the screen, select Save As > Dashboard Panel. 

Give your new Pivot a title and description. Then choose whether your Pivot will be private or public.  

Choose Save > View Dashboard to see your new Pivot. 

Step 6: Title your line chart.

Splunk Tip: We already named the Pivot dashboard, but you’ll still want to title your line chart so that you know what data is represented in it. As you add more visualizations of different data sets, you’ll find that naming each one makes your Pivot dashboard easier to use. 

Can Pivots be saved as report panels in Splunk?

Unfortunately, Pivots cannot be saved as report panels in Splunk. If your team wants access to your Pivot dashboard for their own reporting needs, you can make the Pivot public and share it with them so they have access to it on demand.

Key Takeaways for Creating Pivots in Splunk 

Pivots are an amazing tool for Splunk users who aren’t well-versed in SPL or building search queries. You don’t have to make decisions in the dark because you don’t understand Splunk as well as your engineers do. With Pivot dashboards, you’ll have the most important data at your fingertips when you need it, all without creating a single SPL search query. 

If you found this helpful…


Cue Expertise on Demand, a service that can help with those Splunk issues and improvements at scale. EOD is designed to answer your team’s daily questions and break through stubborn roadblocks. Book a free consultation today; our team of experts is ready to help.
