Explore the Splunk reporting features and how search and reporting are related.
- [Instructor] Search and Reporting are really closely tied concepts in Splunk; that's why the app is called Search and Reporting. Really, you can think of reports a bit like saved searches. Let's start by looking over the built-in reports again. Click on the Reports tab and take a look. First, click on the drop-down arrow next to the first report, Errors in the last 24 hours. This will show you the detailed attributes of the report itself, and it will give you the option to edit those attributes.
Before we do that, let's click the link that says Open in Search. This will show you the underlying search query that the report uses. At this point this should look familiar, and you can pretty much understand what the report is actually doing. In this example we're looking for a few different search terms that indicate an error; it's also including any events where the source type begins with the string access_ and includes one of the three error codes listed. Click back on the Reports tab and open that drop-down again.
Click the Edit button and click Edit Schedule. We looked at this in the overview, but this time try clicking on Custom time. Not only can you schedule when the report is run, this lets you schedule the actual time range you wanna use for the report. If we go back, you can set your trigger actions from this dialog, like sending an email or running a script.
Before we move on, take a few minutes to open some of the other reports and search. You'll be able to see how the complex syntax we just learned can be used in the context of reporting. For example, let's look at the messages by minute last three hours. You can see this has a very complex query behind it, but it's not so hard to understand if you break it down into these commands and this initial search. We'll cover some of these advanced commands in a minute, timechart in particular.
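The report attributes walked through above (search, time range, schedule, trigger action) map onto a single stanza in `savedsearches.conf`. The stanza below is an added example, not taken from the video or from the built-in report: the stanza name, the search terms and status codes, the cron schedule and the recipient address are all assumptions chosen for illustration.

```ini
# savedsearches.conf
# Added example. Stanza name, search terms, status codes, schedule and
# recipient are assumptions; compare with "Open in Search" on your own instance.
[Example - Errors in the last 24 hours]

# The underlying search: a few error keywords, OR web access events
# (source type starting with access_) carrying one of three status codes.
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

# The time range the report covers, independent of when it runs
# (the "Custom time" choice in Edit Schedule).
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# When the report runs: every day at 06:00.
enableSched = 1
cron_schedule = 0 6 * * *

# Trigger action: email the results.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Errors in the last 24 hours
```

Keeping the schedule and the dispatch window separate matters for review: a report that runs daily but only looks back one hour leaves 23 hours of events unexamined.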