Splunk Reports Generation

In this section, we are going to learn how reports are generated in Splunk. A generated report can be kept for local use or added to a custom dashboard. We will also look at how to edit a report after it has been saved and how to change its view permissions.

When we create a search or pivot that we wish to run again or share with others, we can save it as a report. That means we can generate reports from both the Search and Pivot sides of the Splunk platform.

Once we have produced a report, we can:

  • Look at the results the Report returns on the Report's viewing page. We can reach that page by clicking the Report's name on the Reports listing tab.
  • Open the Report and edit it so that it returns different data or displays its data differently. Depending on how it was created, our Report opens in either Pivot or Search.

Besides, if our permissions enable us to do so, we can:

  • Change the Report permissions to share it with other Splunk users.
  • Schedule the Report so that it runs on a regular interval. Scheduled reports can take action every time they run, such as sending reports to a set of stakeholders via email.
  • Accelerate slow-completing reports built in Search.
  • Embed scheduled reports on external websites.
  • Add the Report to a dashboard as a dashboard panel.

Note: Reports created through Pivot must have permissions that match those of the data model used to create them.

Keep report names relatively short

When we name our Report, we should give it a name that is both fairly short and unique instead of relying on default naming. This practice can help us avoid errors that prevent the Report from running.

Every time we run a query, the search head produces a unique Search ID (SID), based on a combination of the following:

  • The username of the report owner
  • The username of the person running the Report
  • The name of the app context for the Report
  • The name of the Report
  • The launch time of the Report, represented in the Unix epoch time format.
  • The host name and GUID of the search head that the Report is running on.

The usernames and device names are encoded in Base64 to ensure that special or harmful characters do not end up in the name of the directory. The length of the Base64 encoding is proportional to the length of the original string; it is not a character-to-character conversion.

The search head then creates a dispatch directory for the Report under $SPLUNK_HOME/var/run/splunk/dispatch/ that uses the Search ID as its name.

Linux filesystems accept a maximum of 255 characters. The dispatch directory cannot be created if the full file path for the dispatch directory is more than 255 characters.

Keep our report names relatively short to prevent that from happening. If we have the Admin role, or our role has admin-level capabilities, there are other things we can do to avoid this situation, such as keeping search head host names, usernames, and app names short.
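The length check described above can be estimated before a report is saved. The following is an added example, not Splunk's own code: the SID layout, the "__" separator, the URL-safe Base64 variant, the /opt/splunk install path, the reading of "device names" as the host name, and all sample values are assumptions made for illustration.

```python
import base64

# Assumptions for this sketch: $SPLUNK_HOME is /opt/splunk, and the SID is the
# listed components joined by "__". This is not Splunk's real SID format.
DISPATCH_ROOT = "/opt/splunk/var/run/splunk/dispatch/"
LIMIT = 255  # character limit stated on this page


def b64_name(text):
    """Encode a name so it is safe inside a directory name.

    Assumed variant: URL-safe Base64 without padding. Standard Base64 can
    emit '/', which would itself split the path.
    """
    raw = base64.urlsafe_b64encode(text.encode("utf-8"))
    return raw.decode("ascii").rstrip("=")


def estimate_sid(owner, runner, app, report, epoch, host, guid):
    """Build a hypothetical SID from the components the page lists.

    Usernames and the host name ("device name" is read as host name here)
    are Base64-encoded; the other fields are used as given.
    """
    parts = [b64_name(owner), b64_name(runner), app, report,
             str(epoch), b64_name(host), guid]
    return "__".join(parts)


def check_dispatch_path(owner, runner, app, report, epoch, host, guid):
    """Return the estimated dispatch path length and whether it fits LIMIT."""
    path = DISPATCH_ROOT + estimate_sid(owner, runner, app, report,
                                        epoch, host, guid)
    fixed = len(path) - len(report)  # everything except the report name
    return {
        "path_length": len(path),
        "fits": len(path) <= LIMIT,
        "over_by": max(0, len(path) - LIMIT),
        "report_name_budget": max(0, LIMIT - fixed),
    }


# Constructed sample values, not taken from a real deployment.
SAMPLE = dict(owner="admin", runner="analyst", app="search",
              report="Failed logins by host", epoch=1700000000,
              host="sh01", guid="00000000-0000-0000-0000-000000000000")

if __name__ == "__main__":
    print(check_dispatch_path(**SAMPLE))
```

The `report_name_budget` value shows how many characters remain for the report name once the other components are fixed, which makes the effect of long usernames and host names visible.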

Manually create a report in Splunk Web

We can create reports via Splunk Web in four ways:

  • From Search, by saving a search as a report.
  • From Pivot, by saving a pivot as a report.
  • By selecting Settings > Searches, reports, and alerts and clicking New Report to add a new report.
  • From a dashboard, by converting an inline-search-powered dashboard panel to a report.

Save a search or pivot as a report from the Search or Pivot views

When we design a search or pivot that returns useful results, we can save it as a report. The Report maintains any formatting we set up for the original search, including options for showing the map visualizations and the event list.

Note: We can save a search as a report only when it is running, paused, finalized, or completed.

  1. Run a search or design a pivot that is worth saving as a report.
  2. Click Save As, and choose Report to save the search or pivot as a report.
  3. Provide a unique Report Title. Supported title characters are a-z, A-Z, 0-9.
  4. Provide a summary or description. It is optional.
  5. Add a time range picker to the Report. A time range picker allows users to re-run the Report over a specific time period without editing it directly and without needing write permission.

If we do not provide a time range picker, the Report will always run over the same time range as the original search. To change the time range, a user with editing permissions for the Report must open the Report in Search, update its time range, and save that edit.

The time range picker option is not available for scheduled reports, which always display the results returned by their last scheduled run. If we schedule a report that has a time range picker, the time range picker will disappear.

  6. Click Save to save the search as a report.

When we save a search as a report, we can:

  • View or run the Report and see results it returns on the Report viewing page.
  • Share our Report with others by changing its permissions.
  • Arrange to have the Report run on a schedule.
  • Accelerate the Report, so that it completes faster when it is run again.
  • Embed the Report on an external website. Only scheduled reports can be embedded.
  • Continue editing the Report.
  • Add the Report to a dashboard.




