SPLK-1001 Creating Reports and Dashboards

Creating Reports and Dashboards Detailed Explanation

6.1 Reports

1. Definition
  • A report in Splunk is a saved search that you can reuse, schedule, or share with others.
  • Reports can include:
    • Raw search results.
    • Statistical summaries: Such as counts, averages, or sums.
    • Visualizations: Charts, graphs, or tables.
Why Use Reports?
  • Avoid rewriting frequently used searches.
  • Automate recurring tasks by scheduling reports.
  • Share insights with your team through email or exportable formats like CSV.
2. Creating a Report

Creating a report is a simple process:

  1. Run a Search:

    • First, write and execute the search query.

    • Example:

      index=main error | stats count by host
      
  2. Save the Search as a Report:

    • Click the "Save As" button above the search results.
    • Select "Report" from the dropdown.
  3. Provide Details:

    • Name: Give the report a descriptive name (e.g., "Error Counts by Host").
    • Description (optional): Add details about the report’s purpose.
    • Permissions:
      • Private: Only you can access the report.
      • Shared in App: Other users of the current app can view and run the report (an admin can later share it across all apps and set read/write access per role).
  4. Save the Report:

    • Once details are filled in, click Save. The report will now appear in the Reports menu.
3. Customizing Reports

After creating a report, you can enhance it with visualizations and filters.

Adding Visualizations
  1. Choose a Chart Type:

    • Splunk offers several options, including:

      • Bar Chart: Compare categories (e.g., errors by host).
      • Line Chart: Show trends over time.
      • Pie Chart: Display proportions (e.g., error types as percentages).
    • Example:

      • Query:

        index=main | stats count by error_type
        
        • Visualization: A pie chart showing the proportion of each error type.
  2. Adjust Settings:

    • Customize axes, colors, or labels using the Visualization Editor.
Defining Filters and Sorting
  • Filter inside the search string itself (e.g., index=main host=web* error); dropdowns, text boxes and other inputs belong to dashboards, not to reports.
  • A report keeps the time range it was saved with; its settings decide whether viewers may change that range with the time range picker.
  • Sort results in the search (e.g., append | sort - count) so the largest values appear first.
4. Scheduling Reports
Why Schedule Reports?
  • Automate repetitive tasks.
  • Ensure timely delivery of insights without manual effort.
Steps to Schedule a Report
  1. Open an existing report or create a new one.
  2. Click the "Edit Schedule" button.
  3. Define the schedule:
    • Frequency: Daily, weekly, monthly, etc.
    • Time: Specify when the report should run.
  4. Choose Actions:
    • Send email: Deliver the results to one or more recipients inline, as a CSV attachment, or as a PDF (the PDF is the only form that keeps the visualization).
    • Other actions: Write the results to a lookup, or trigger a script or webhook for downstream processing.
  5. Save the Schedule:
    • Splunk will now automatically run the report at the specified intervals.
Customizing Report Permissions
  • Why Customize Permissions?
    • Ensure the right people have access to the information while maintaining data security.
  • Steps to Set Permissions:
    1. Open the Reports menu in Splunk.
    2. Find the report you want to edit and choose Edit > Edit Permissions.
    3. Choose the appropriate visibility:
      • Private: Accessible only to you.
      • App: Shared with users of the current Splunk app (All apps shares it globally).
      • Specific Roles: Grant Read and/or Write per role (e.g., admins, analysts).
  • Caveat for shared scheduled reports: the Run As setting decides whose search permissions apply. Run as Owner lets every viewer see whatever the owner's role can see, including indexes the viewer's own role may not search; Run as User limits the results to what the viewer is allowed to see.
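The three procedures above (save a search as a report, schedule it, set its permissions) are exactly what the saved-search REST endpoint does in two requests. The following is an added example written for this page, not code from the page or from Splunk. It assumes a management port at SPLUNK_URL and an authentication token in SPLUNK_TOKEN (both hypothetical environment variables), that the default roles user, power and admin exist, and it keeps the request bodies in plain functions so they can be inspected offline before anything is sent.

```python
"""Create a scheduled report and share it with roles through Splunk's REST API.

Added example, not from the page or from Splunk. SPLUNK_URL and SPLUNK_TOKEN are
assumed environment variables; the field names are the savedsearches.conf /
ACL parameters the UI dialogs write.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")
SPLUNK_TOKEN = os.environ.get("SPLUNK_TOKEN", "")
SHARING_LEVELS = ("user", "app", "global")   # Private, App, All apps


def scheduled_report_fields(name, search, cron_schedule, earliest="-24h@h",
                            latest="now", email_to=(), description=""):
    """Form fields for POST /servicesNS/<owner>/<app>/saved/searches.

    cron_schedule is standard 5-field cron; the dispatch window is the
    time range the report runs over on each scheduled execution.
    """
    if len(cron_schedule.split()) != 5:
        raise ValueError(f"cron_schedule must have 5 fields: {cron_schedule!r}")
    fields = {
        "name": name,
        "description": description,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron_schedule,
        "dispatch.earliest_time": earliest,
        "dispatch.latest_time": latest,
    }
    if email_to:
        fields.update({
            "actions": "email",
            "action.email.to": ",".join(email_to),
            "action.email.sendcsv": "1",   # result rows as a CSV attachment
            "action.email.sendpdf": "1",   # PDF is the one format that keeps the chart
        })
    return fields


def acl_fields(owner, sharing="app", read_roles=("user",), write_roles=("admin",)):
    """Form fields for POST .../saved/searches/<name>/acl (the Edit Permissions dialog)."""
    if sharing not in SHARING_LEVELS:
        raise ValueError(f"sharing must be one of {SHARING_LEVELS}")
    return {
        "owner": owner,
        "sharing": sharing,
        "perms.read": ",".join(read_roles),
        "perms.write": ",".join(write_roles),
    }


def post_form(path, fields, cafile=None):
    """POST url-encoded fields to the management port and return the JSON reply."""
    url = f"{SPLUNK_URL}{path}?output_mode=json"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Authorization": f"Bearer {SPLUNK_TOKEN}"})
    ctx = ssl.create_default_context(cafile=cafile)   # self-signed instances need a cafile
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def create_shared_report(owner, app, name, search, cron_schedule, **kwargs):
    """Create the report, then share it at app level for the user and power roles."""
    base = f"/servicesNS/{urllib.parse.quote(owner)}/{urllib.parse.quote(app)}/saved/searches"
    created = post_form(base, scheduled_report_fields(name, search, cron_schedule, **kwargs))
    acl = post_form(f"{base}/{urllib.parse.quote(name, safe='')}/acl",
                    acl_fields(owner, sharing="app", read_roles=("user", "power")))
    return created, acl


if __name__ == "__main__":
    if not SPLUNK_TOKEN:
        raise SystemExit("set SPLUNK_URL and SPLUNK_TOKEN to run against an instance")
    print(create_shared_report(
        owner="admin", app="search", name="Error Counts by Host",
        search="index=main error | stats count by host",
        cron_schedule="0 6 * * *",               # daily at 06:00
        email_to=("soc@example.com",)))
```

The ACL call is separate from creation on purpose: a freshly created saved search is private to its owner, and sharing it is a distinct, auditable step. Note that the owner's role still needs the schedule_search capability for the schedule to take effect.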
Report Export Options
  • Exporting allows you to share data in different formats for external use.
  • Supported Formats:
    1. CSV: Useful for spreadsheets and data manipulation.
    2. JSON: Ideal for integration with applications or APIs.
    3. XML: Used for structured data sharing.
    4. Raw Events: The original event text, for searches that return events rather than statistics.
    5. PDF: The only format that includes the visualization; the others contain the result rows only.

Steps to Export a Report:

  1. Run the report or open an existing saved report.
  2. Click the Export button.
  3. Select the desired format and download the file.
Use Cases for Reports
  1. IT Operations:

    • Monitor server errors by host and alert teams to spikes in error rates.

    • Example Query:

      index=main sourcetype=server_logs | stats count by host, error_type
      
  2. Business Analytics:

    • Generate a weekly report of website traffic by region.

    • Example Query:

      index=web_logs | stats count by region
      
  3. Security Auditing:

    • Identify unauthorized login attempts grouped by IP address.

    • Example Query:

      index=auth_logs status=failed | stats count by ip_address
      

6.2 Dashboards

1. Definition
  • A dashboard is a collection of panels, where each panel represents a visualization or report.
  • Dashboards provide an interactive, at-a-glance view of your data: each panel's search runs when the dashboard loads (or on a configured refresh interval), while a panel backed by a scheduled report shows that report's most recent scheduled results.
Why Use Dashboards?
  • Monitor critical metrics like server health or error rates in one place.
  • Enable interactivity, such as filtering data by time or category.
  • Share key insights across teams.
2. Creating a Dashboard
Steps to Create a Dashboard
  1. Navigate to the Dashboards menu in Splunk.

  2. Click "Create New Dashboard".

  3. Fill in Dashboard Details:

    • Title: Name your dashboard (e.g., "System Monitoring Dashboard").
    • Permissions: Set visibility (private or shared).
  4. Add Panels to the Dashboard:

    • Option 1: Use an Existing Report:

      • Select a saved report to add its visualization.
    • Option 2: Create a New Search Query:

      • Write and execute a query, then add it to the dashboard.

      • Example (timechart runs on the events themselves, because stats would discard the _time field it needs):

        index=main | timechart count by host
        
3. Customizing Dashboards
Using the Drag-and-Drop Editor
  • Splunk provides a visual editor for dashboard layout:
    • Resize Panels: Adjust the size to fit more data or improve readability.
    • Move Panels: Rearrange panels to prioritize critical metrics.
Adding Interactivity
  • Inputs: Make dashboards dynamic by adding:
    • Dropdowns: Allow users to filter by categories (e.g., hosts or regions).
    • Date Pickers: Let users change the time range.
    • Text Boxes: Enable keyword searches within the dashboard.

Example of a Dynamic Query:

index=main host=$host_name$ | stats count by error_type
  • $host_name$: A token linked to a dropdown input for selecting a specific host.
4. Sharing Dashboards
Set Permissions
  • You can control who can view or edit the dashboard:
    • Private: Visible only to you.
    • Shared: Accessible by specific roles in the current app or in all apps.
Sharing Options
  1. Dashboard URL:
    • Send the dashboard's URL to colleagues; they must log in and hold read permission on it, and each panel returns only the data their own role may search.
  2. Embedding:
    • Splunk embeds scheduled reports, not whole dashboards, in external web pages; anyone holding the embed URL can view that report's latest results without logging in.
Advanced Panel Customizations
  • Each panel in a dashboard can be tailored to enhance its functionality and appearance.
Adding Drilldowns
  • A drilldown allows users to click on a panel element (e.g., a bar in a chart) to navigate to a more detailed view.
  • Steps to Add a Drilldown:
    1. Click Edit Panel on the desired dashboard panel.
    2. Under Drilldown Options, choose:
      • Link to dashboard: Navigate to a related dashboard, passing the clicked value as a token.
      • Link to search: Open a search built from the clicked value.
      • Link to custom URL: Redirect to an external link; if $click.value$ is placed in that URL, the clicked value is sent to the third party.
      • Manage tokens on this dashboard: Set a token from the clicked value so other panels on the same dashboard react to it.
Changing Panel Appearance
  • Modify titles, descriptions, and data appearance for clarity.
  • Example:
    • Title: "Server Errors by Host"
    • Description: "Displays the count of errors grouped by host for the last 24 hours."
Dynamic Dashboards with Tokens
  • Tokens allow you to pass user inputs (e.g., dropdown selections) into search queries dynamically.
How Tokens Work
  1. Add an input control (e.g., dropdown or text box) to the dashboard.
  2. Assign a token to the input (e.g., $host_name$).
  3. Use the token in search queries to reflect user choices.

Example:

  • Query:

    index=main host=$host_name$ | stats count by error_type
    
  • Result:

    • If the user selects server1 from the dropdown, the query will dynamically search for host=server1.
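The clicks described above (dropdown, time input, token in a panel search, drilldown setting a second token) all compile to Simple XML. Below is an added example, not code from the page or from Splunk: a constructed Simple XML dashboard for the host/error_type scenario, followed by a small check that every token a panel search references is defined by an input or a drilldown. $click.value$, the |s quoting filter and the depends attribute are real Simple XML features; the check itself and the sample dashboard are this page's own.

```python
"""Simple XML for a dropdown + token + drilldown dashboard, plus a token wiring check.

Added example, not from the page or from Splunk. DASHBOARD_XML is a constructed
dashboard; undefined_tokens() reports tokens a search uses that nothing defines,
which in Splunk shows up as a panel that waits forever for a value.
"""
import re
import xml.etree.ElementTree as ET

DASHBOARD_XML = """<form>
  <label>System Monitoring Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="host_name" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All hosts</choice>
      <search><query>index=main | stats count by host</query></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
    </input>
    <input type="time" token="time_range">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Error types on $host_name$</title>
      <chart>
        <search>
          <query>index=main host=$host_name|s$ | stats count by error_type</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <set token="error_type">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row depends="$error_type$">
    <panel>
      <title>Recent $error_type$ events on $host_name$</title>
      <table>
        <search>
          <query>index=main host=$host_name|s$ error_type=$error_type|s$
                 | table _time host message</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>"""

# $name$ or $name|filter$; the name is captured, the filter is not.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|[a-z]+)?\$")
# Names Splunk fills in itself when a chart element is clicked.
CLICK_TOKENS = {"click.value", "click.value2", "click.name", "click.name2"}


def defined_tokens(root):
    """Tokens an <input> declares or a drilldown <set> assigns."""
    names = set()
    for inp in root.iter("input"):
        tok = inp.get("token")
        if inp.get("type") == "time":     # time inputs expose .earliest and .latest
            names.update({f"{tok}.earliest", f"{tok}.latest"})
        else:
            names.add(tok)
    for s in root.iter("set"):
        names.add(s.get("token"))
    return names


def used_tokens(root):
    """Tokens referenced in any <query>, <earliest> or <latest> element."""
    used = set()
    for tag in ("query", "earliest", "latest"):
        for el in root.iter(tag):
            used.update(TOKEN_RE.findall(el.text or ""))
    return used


def undefined_tokens(xml_text):
    """Sorted tokens a search uses that no input or drilldown defines (ideally empty)."""
    root = ET.fromstring(xml_text)
    return sorted(used_tokens(root) - defined_tokens(root) - CLICK_TOKENS)


if __name__ == "__main__":
    print("undefined tokens:", undefined_tokens(DASHBOARD_XML) or "none")
```

The second row carries depends="$error_type$", so it stays hidden until a pie slice sets that token; the detail query then uses the quoted form $error_type|s$ so a category containing spaces remains one literal.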
Advanced Sharing Options
  1. Embedding Scheduled Reports:

    • Embedding is a report feature: the report must be scheduled, and the embed code displays its most recent scheduled results.
    • Steps:
      1. Open the scheduled report, click Embed, and enable embedding.
      2. Copy the generated iframe HTML.
      3. Paste it into your webpage or application.
  2. Links:

    • Anyone with the embed URL can view the report's results without a Splunk login, so treat the URL like a credential. Splunk has no "public link" for dashboards; a dashboard URL is always served to authenticated users who hold read permission.
    • Important: Review what a report exposes before embedding it, and disable embedding again when it is no longer needed.
Dashboard Best Practices
  1. Keep It Simple:
    • Avoid clutter by displaying only the most critical metrics.
    • Use fewer but impactful panels.
  2. Use Consistent Visualizations:
    • Ensure the same metric is always represented by the same type of chart.
  3. Optimize Performance:
    • Use efficient queries to minimize loading times.
    • Limit the time range for searches (e.g., last 7 days instead of all time).
Real-World Dashboard Use Cases
  1. IT Monitoring Dashboard:

    • Panels:

      • CPU Usage by Server (line chart).
      • Error Counts by Application (bar chart).
      • Active Sessions (single value).
    • Example Query for Error Counts:

      index=main sourcetype=app_logs | stats count by app_name, error_type
      
  2. Sales Performance Dashboard:

    • Panels:

      • Total Sales by Region (pie chart).
      • Daily Sales Trend (line chart).
      • Top 10 Products (bar chart).
    • Example Query for Top Products:

      index=sales_logs | top product_name
      
  3. Security Analytics Dashboard:

    • Panels:

      • Failed Login Attempts (timechart).
      • Top Suspicious IPs (table).
      • User Login Trends (line chart).
    • Example Query for Suspicious IPs:

      index=auth_logs status=failed | stats count by ip_address
      

Conclusion

Key Differences Between Reports and Dashboards

Feature          | Reports                                              | Dashboards
Purpose          | Focus on a single saved search.                      | Combine multiple panels and inputs.
Scheduling       | Can be scheduled to run periodically.                | Panels search when the dashboard loads or refreshes; only panels backed by scheduled reports run on a schedule.
Interactivity    | Limited to the time range picker and exports.        | Highly interactive with inputs, tokens and drilldowns.
Sharing Options  | Share via email, export, or embedding (if scheduled). | Share via permissions and the dashboard URL (login required).

Creating Reports and Dashboards (Additional Content)

1. Frequently Overlooked But Testable Concepts (High-Yield Extras)

#  | Concept                                        | Suggested Insertion Point         | Likelihood on Exam | Explanation
1  | Report scheduling depends on role capabilities | Before "6.1.4 Scheduling Reports" | Very Common        | Scheduling needs the schedule_search capability on the owner's role; a report whose owner was deleted is orphaned and silently stops running.
2  | Reports are a type of Knowledge Object         | During "6.1.2 Creating a Report"  | Moderate           | Often used in multiple-choice questions to test knowledge object classification.
3  | Dashboard tokens are substituted as text       | "6.2.3 Tokens" section            | High Frequency     | $token$ is spliced verbatim into the search string (free-text terms such as *$token$* included), so values are quoted with $token|s$ to keep them literal.
4  | Drilldown links support token passing          | "6.2.5 Drilldowns" section        | Moderate           | Users can click a chart element and pass a token value to another search or dashboard.
5  | Report export formats only include raw data    | "6.1.5 Report Export Options"     | Yes                | Exporting to CSV/JSON/XML includes the result rows but not the visualization (e.g., pie chart); only PDF keeps the chart.

2. Reports – Additional Concepts

Reports Are Knowledge Objects

  • Once a report is saved, it becomes a Knowledge Object in Splunk.

  • Knowledge Objects are user-created components that enhance Splunk's functionality and reusability.

  • Other examples include: field extractions, event types, macros, alerts, and lookups.

Why It Matters:
SPLK-1001 may include this as a trick option:

“Which of the following is NOT a knowledge object?”

Correct answer must not be "Report".

Permissions and Capabilities Affect Report Scheduling

  • Scheduling is governed by the owner's role rather than by sharing: the role needs the schedule_search capability (held by admin and power by default, not by the basic user role).

  • To allow email delivery or scheduled execution:

    • The owner's role must have schedule_search, and the owner's account must still exist; a report whose owner was deleted is orphaned and does not run until it is reassigned.

    • The Splunk instance must have mail server settings configured for the email action.

  • Sharing decides who can see the results: a private scheduled report still runs, but only the owner can open it. Share it with the roles that need it, and check the Run As setting, because a report run as Owner shows viewers everything the owner's role can search.

Example Exam Question:

A user complains their scheduled report never runs. What's a likely cause?
Correct answer: The user's role lacks the schedule_search capability, or the report's owner no longer exists; the report merely being private does not stop it from running.

3. Dashboards – Token and Command Behavior

Chaining Transforming Commands

  • Transforming commands (stats, chart, timechart, top, rare) replace the event set with a results table, so every command after them sees only the fields that table contains.

  • Chaining them is allowed, but a later command can reference only the fields the earlier one produced; a field that was dropped comes back empty rather than raising an error.

Misleading Example:

index=main | stats count by host | chart avg(response_time) by host

The chart sees only host and count; response_time was discarded by stats, so avg(response_time) has nothing to work on.

Correct Approach: Compute everything in one transforming command (index=main | stats count avg(response_time) by host), chain on fields that survive (index=main | stats count by host, error_type | chart sum(count) over host by error_type), or split the views across separate panels.

Token Placement and Quoting

  • Tokens ($token$) are substituted as plain text into the search string before it runs, so a token can appear anywhere a literal could, including free-text terms:

    • Field-based conditions:

      index=main host=$host_token$
      
    • Free-text or wildcard matching:

      index=main *$keyword$*   ← valid; the value is spliced into the term
      
  • Because the value is spliced in verbatim, a value containing spaces, quotes, or SPL operators changes the meaning of the query. Use the quoting filter so the value stays a single literal:

      index=main host=$host_token|s$   ← wrapped in double quotes, with inner quotes and backslashes escaped

Why This Matters:
Questions may test valid vs. invalid token use, and in practice the difference between $token$ and $token|s$ is what keeps a text-box value from rewriting the panel's search.
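To make the substitution rule concrete, here is an added example, not code from the page or from Splunk: a small re-implementation of how Simple XML splices $token$ and $token|s$ values into a panel search, run against constructed input values. The |s and |n filters are real Splunk token filters; the sample queries and the hostile text-box value are constructed for the demonstration.

```python
"""How Simple XML splices $token$ values into a panel search.

Added example, not from the page or from Splunk. It models the documented
substitution rule: plain $token$ and $token|n$ are inserted verbatim, while
$token|s$ is wrapped in double quotes with inner quotes and backslashes escaped.
Sample queries and values below are constructed.
"""
import re

TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|([a-z]))?\$")


def quote_spl(value):
    """The |s filter: one double-quoted SPL string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_search(query, tokens):
    """Substitute every $name$ or $name|filter$ in query from the tokens dict."""
    def replace(match):
        name, flt = match.group(1), match.group(2)
        if name not in tokens:
            # Splunk would hold the panel until the token is set; here we fail loudly.
            raise KeyError(f"token ${name}$ has no value")
        if flt in (None, "n"):
            return tokens[name]
        if flt == "s":
            return quote_spl(tokens[name])
        raise NotImplementedError(f"filter |{flt} is not modelled here")
    return TOKEN_RE.sub(replace, query)


PANEL_UNQUOTED = "index=main host=$host_name$ | stats count by error_type"
PANEL_QUOTED = "index=main host=$host_name|s$ | stats count by error_type"
FREE_TEXT = "index=main *$keyword$* | stats count by host"

# Constructed text-box value that contains SPL instead of a host name.
HOSTILE_VALUE = "server1 OR index=* | fields _raw"


def demo():
    """The search each panel would actually run for the sample values."""
    return {
        "plain": render_search(PANEL_UNQUOTED, {"host_name": "server1"}),
        "free_text": render_search(FREE_TEXT, {"keyword": "timeout"}),
        "unquoted_hostile": render_search(PANEL_UNQUOTED, {"host_name": HOSTILE_VALUE}),
        "quoted_hostile": render_search(PANEL_QUOTED, {"host_name": HOSTILE_VALUE}),
    }


if __name__ == "__main__":
    for label, spl in demo().items():
        print(f"{label:17} {spl}")
```

With the unquoted panel the hostile value turns host=... into host=server1 OR index=* | fields _raw, widening the search to every index the viewer can read; with $host_name|s$ the same value becomes one quoted host literal that simply matches nothing.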

Drilldown Links Can Pass Tokens

  • A drilldown is an interactive dashboard feature that lets users:

    • Click on a chart element (e.g., bar, pie slice, line point).

    • Set a token to that element's value (e.g., the selected host or status_code): Splunk supplies $click.value$ for the clicked category and $click.value2$ for the clicked numeric value.

    • Redirect to:

      • Another dashboard.

      • A custom search query.

      • A search with tokenized input.

Example:

index=main host=$click.value$ | stats count by error_type

(Write host=$click.value|s$ when the clicked value may contain spaces or quotes, so it stays a single literal.)

Why This Matters:
Expect questions like:

Can a chart panel support a drilldown that passes a clicked value to another dashboard?

Answer: Yes, using tokens.

Report Export Behavior

  • When exporting a report to CSV, JSON, XML, or raw events, only the result rows are included.

  • Visualizations (e.g., pie charts, bar graphs) are not included in those formats; export to PDF, or schedule a PDF email, when the chart itself must be delivered.

Example Scenario:

A user exports a report but doesn't see the chart in the exported file. Why?
Correct answer: Charts are not included in exported CSV or JSON files; only a PDF export carries the visualization.

Recap Table: Exam-Sensitive Additions

Concept                                   | Clarification
Reports are knowledge objects             | They are saved searches with optional visualizations and schedules
Scheduling requires the right capability  | The owner's role needs schedule_search; orphaned reports (owner deleted) stop running
Tokens are spliced in as text             | $token$ can appear anywhere in the search, including *$token$*; use $token|s$ to keep the value a quoted literal
Transforming commands can be chained      | stats then chart is valid on the fields stats kept (e.g., host, count); dropped fields come back empty
Drilldowns support token passing          | Clickable charts can pass values via tokens ($click.value$) to another panel/query
Exported reports don't contain charts     | CSV/JSON/XML carry rows only; PDF export keeps the visualization

Frequently Asked Questions

What is a report in Splunk?

Answer:

A report is a saved search that presents data in a table or visualization format.

Explanation:

Reports allow users to reuse searches without rewriting them. After running a search, users can save it as a report and later run or share it with others. Reports can include tables, charts, or other visualizations. The SPLK-1001 exam often tests the concept that reports are saved searches designed for analysis or presentation.

How do you add a report to a dashboard in Splunk?

Answer:

Create or open a dashboard and add the report as a panel.

Explanation:

Dashboards display multiple reports or visualizations in a single view. After creating a report, users can add it to a dashboard panel. Each panel can display charts, tables, or metrics generated from saved searches. Understanding this workflow is important because dashboards are widely used for monitoring systems and visualizing data.

What is the purpose of dashboards in Splunk?

Answer:

Dashboards provide a visual interface for monitoring data through charts, tables, and panels.

Explanation:

Dashboards combine multiple reports into a single page to help users quickly analyze data. They are commonly used for operational monitoring, security analysis, and business analytics. Each dashboard panel is powered by a search query that generates the displayed data. The certification exam often tests understanding of dashboards as a visualization tool.

What type of visualization can Splunk reports display?

Answer:

Reports can display tables, charts, and other visualizations such as bar charts or pie charts.

Explanation:

After generating statistics with commands like stats, Splunk allows users to visualize results using different chart types. Visualizations make it easier to interpret patterns and trends in data. The SPLK-1001 exam often includes questions about converting statistical results into visual dashboards.
