Splunk Reports Generation
In this section, we are going to learn how the report is generated in the Splunk. The generated report can be used further for the local use. We can also set it up to a custom dashboard. Here, we will look forward to changing its permission and how we can edit a report in Splunk after it has been saved. We will also learn to change the view permission of the Reports generated.
We can save it as a report when we create a quest or pivot that we wish to run again or share with others. That means we can generate reports from both the Splunk platform's Quest and Pivot sides.
Once we have produced a report, we can:
Besides, if our permissions enable us to do so, we can:
Give our Report a name that is both fairly short and special when we name our article apart from default naming. This practice can help us avoid errors that do not allow the Report to run.
Every time we run a query, the search head produces a specific Search ID (SID), based on the following combination:
The search head then creates a dispatch directory for the Report under $SPLUNK_HOME/var/run/splunk/dispatch/ that uses the Search ID as its name.
Linux filesystems can accept only a maximum of 255 characters. The dispatch directory can not be created if the full file path for the dispatch directory is more than 255 characters.
Keep our report names relatively short to prevent that from happening. If we have the Admin role, or our role has admin-level capabilities, there are other things we can do to avoid this situation, such as keeping host names, usernames, and app names for short search heads.
Manually create a report in Splunk Web
We can create reports via Splunk Web four ways:
Save a search or pivot as a report from the Search or Pivot views
We can save this as a report when designing a search or pivot that returns useful results. The Report maintains any formatting we set up for the original quest, including options for showing the map visualizations and the event list.
Note: We can save a search as a report only when it is running, pausing, finalizing, or completing. Run a search or design a pivot that is worth saving as a report.
If we do not provide a picker for the time range, the Report will always run over the same time range as the original Search. To change the time range, a user with the Report's editing permissions must open the Report in Search, update its time range, and save that edit.
For scheduled reports, the time range picker option is not available, which always displays the results returned by their last scheduled run. If we plan a report with a picker in the time range, the selector in the time range will disappear.
When we save a search as a report, we can: