
Module 10 Lab Exercise - Creating Reports and Dashboards: Description

The document describes creating reports and dashboards in Splunk. It provides steps to save a search as a report, create a report using fields and views, and build a dashboard with multiple report panels.

Uploaded by

rohan

Module 10 Lab Exercise – Creating Reports and Dashboards

Description
You will save a search as a report, create a report from the Fields sidebar, and examine it in the Statistics
and Visualization tabs. You will also build some dashboards to display these reports.

Steps
Task 1: Save a search as a report.

1. Navigate to the Search & Reporting app Search view.


2. Search for index=security sourcetype=linux_secure password fail* root over the
last 24 hours.
3. From the Save As menu (located above the time picker), select Report.
4. Name the report analyst_report_FailedRootLoginsLast24Hours.
5. Leave the default Yes for the time range picker option, and then click Save.
6. In the Your Report Has Been Created dialog, click View.

7. Click Reports in the app navigation bar. You can see the reports to which you have access. (You can
re-execute a report by clicking the title or view the search by clicking Open In Search.)

Task 2: Create a report using the Fields sidebar and view it on the Statistics and Visualization
tabs.

8. In the app navigation bar, click Search to start a new search.


9. Search for index=web sourcetype=access_combined status>=400 AND status<=600
(action=purchase OR action=addtocart) over the Last 7 days.
10. In the Fields sidebar, under Selected Fields, click the host field.
11. Select the Report: Top values by time. A line chart displays on the Visualization tab.
12. If a line chart does not appear, then select it. You can do this by clicking the name of the current
visualization in the upper left corner of the chart; the Visualization dialog appears as shown below.
When you hover over a formatting icon, the icon name appears towards the bottom of the dialog.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 May 25, 2018 24
13. Look at the search string. Notice the timechart command was added to the search automatically.
The command transformed the results into a data structure required for visualizations.
14. Click the Statistics tab to see another view of your results.
15. Click the Visualization tab to return to the line chart.
16. Select Save As > Report.
17. In the Save As Report dialog, for the Title, enter analyst_report_IncompleteSalesLast7Days.
18. Leave the other settings at their default values, and click Save to save the report.
19. Click View to display the report.
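
Step 13 notes that timechart reshapes the results into the structure a chart needs. The following added example (not part of the original lab, and a simplified Python emulation rather than Splunk's implementation) applies the Task 2 filter to constructed events and pivots them into one row per day with a zero-filled count column per host. The sample events, function names and the fixed one-day span are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed, already field-extracted sample events (not data from the lab).
EVENTS = [
    {"_time": "2018-05-20T09:15:00", "host": "www1", "status": 503, "action": "purchase"},
    {"_time": "2018-05-20T17:40:00", "host": "www2", "status": 404, "action": "addtocart"},
    {"_time": "2018-05-20T18:05:00", "host": "www1", "status": 200, "action": "purchase"},  # dropped: status
    {"_time": "2018-05-21T08:30:00", "host": "www1", "status": 503, "action": "view"},      # dropped: action
    {"_time": "2018-05-22T11:00:00", "host": "www3", "status": 500, "action": "purchase"},
    {"_time": "2018-05-22T11:20:00", "host": "www3", "status": 503, "action": "addtocart"},
]
EPOCH = datetime(1970, 1, 1)

def matches(event):
    """Emulates: status>=400 AND status<=600 (action=purchase OR action=addtocart)."""
    return 400 <= event["status"] <= 600 and event["action"] in ("purchase", "addtocart")

def timechart_count_by(events, field, span=timedelta(days=1)):
    """Pivot events into one row per time bucket, one zero-filled column per field value."""
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        bucket = EPOCH + ((ts - EPOCH) // span) * span  # snap to the start of its bucket
        counts[(bucket, ev[field])] += 1
    if not counts:
        return []
    series = sorted({value for _, value in counts})
    bucket = min(b for b, _ in counts)
    last = max(b for b, _ in counts)
    rows = []
    while bucket <= last:  # emit empty buckets too, so the line chart has no gaps
        row = {"_time": bucket.isoformat()}
        row.update({s: counts[(bucket, s)] for s in series})
        rows.append(row)
        bucket += span
    return rows

def incomplete_sales_report(events):
    """Filter, then pivot: the shape shown on the Statistics tab in step 14."""
    return timechart_count_by([e for e in events if matches(e)], "host")

if __name__ == "__main__":
    for row in incomplete_sales_report(EVENTS):
        print(row)
```

Each returned row corresponds to one line of the Statistics tab, and each host column becomes one line series on the Visualization tab.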

OPTIONAL (Steps 20 – 27)
20. Go to the Search view of the Search & Reporting app. Use the > Search History link to expand
your search history and go back to the status>=400 AND status<=600 (action=purchase
OR action=addtocart) search.
21. Run the search over Last 24 hours.
22. In the fields sidebar, click status. (If status does not appear under Selected Fields, look under
Interesting Fields.)
23. Examine the status values. Is there a type of error that is significantly more common than others?
(The result will vary based on when you run your search. Example answer: 503.)
24. Click Top values by time.
25. If a line chart does not appear, then select it. (If you don’t remember how, review Step 12.)
26. Examine the chart for spikes you may want to explore in more depth. If you see a spike, click on it.
27. Splunk will return to the Events tab with your search zoomed in on just the errors for the status and
the point in time you clicked on the chart. Now you can examine events for a spike at a specific time.

Task 3: Add your report to a dashboard.

28. Navigate to the Search view.


29. In the app navigation bar, click Reports. On the Reports screen, click Yours. Select the report you
created earlier, analyst_report_IncompleteSalesLast7Days.
30. Click Add to Dashboard (in the upper right corner of the browser).
31. Leave the default setting for the Dashboard field at New. In the Dashboard Title field, type:
Ops Dashboard
32. In the Panel Title field, enter a name for your panel: Incomplete Sales - Last 7 Days and click Save.
33. In the confirmation dialog, click View Dashboard to display the dashboard you created.

34. Click the Edit button.

NOTE: While in edit mode, you can add panels or modify existing panels.

35. In the Incomplete Sales – Last 7 Days panel, click the second of the four upper right corner icons.
Experiment with other visualization types by clicking their names. When you are finished
experimenting, return to the Line Chart visualization.

Task 4: Add a panel to the dashboard from a report.

36. Click the +Add Panel button, and then click New from Report.
37. Under New from Report, click the report you created earlier,
analyst_report_FailedRootLoginsLast24Hours.

NOTE: You may have to hover your cursor over the report icons in the list in order to see the full names
of the reports.

38. Click Add to Dashboard and click X to close the Add Panel dialog.
39. In the Panel Title field for the new panel (where it currently reads “No title” in grey), enter a name for
the new panel: Failed Logins for Root – Last 24 Hours.
40. Remove the prefilled subtitle for the panel (analyst_report_FailedRootLoginsLast24Hours) by
clicking in the Panel Subtitle field and deleting the text.
41. When done, click anywhere outside the title box. Your title boxes should no longer be editable.
42. Click the dotted bar at the top of the Failed Logins for Root panel and drag to position it to the right
of the top panel. The panels should display side-by-side.
43. Click Save.

OPTIONAL (Steps 44 – 52)
44. On the app navigation bar, click Dashboards.
45. For the Ops Dashboard, in the Actions column, click Edit > Edit Panels.

46. On the Incomplete Sales – Last 7 Days panel, explore the options under the paintbrush icon.
For example, try substituting a Custom Title for the X-Axis.
47. Enable the drilldown feature on the Incomplete Sales – Last 7 Days panel by clicking the three
vertical dots in the upper right corner of the panel, clicking Edit Drilldown, and changing the On
Click option to Link to search.
48. Click Apply to apply the change, then click Save to save the dashboard.
49. Click on the panel for which you enabled the drilldown feature to test whether it drills down to the
underlying search.
50. Return to the dashboard by clicking the back button on your browser.
51. Click the Edit button and try modifying some of the other settings on your panels. For example, try
rotating the axis labels or exploring the legend display options.
52. When done, return to the Search view.
