5.4 Reports and Dashboards


Time: 2 hours 29 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> In this video, we'll build on our search knowledge further to create reports and dashboards. Reports are basically saved searches or pivots. We haven't talked about pivots, but it's an alternative way of presenting data without using the Splunk search processing language. When creating a pivot, you can select the rows and columns you want and play with different formatting and statistical options. It can be useful, but I think it's more important in the beginning to get used to using the Splunk search language. Here are a couple of screenshots for reference. When you run a search, you can click, under Statistics, the Pivot option. Then it takes you to a screen like this, where you have a lot of different options for changing how the data is presented.

Reports can be scheduled, or you can run them when you feel like it. You can also have a report trigger actions like an alert. Dashboards can help you visualize and interact with data. The user could, for example, type in and submit a keyword that returns events that match it. When a dashboard takes in user input, it can also be referred to as a form. Apps with user interfaces have them in the form of dashboards, and you can make your own pretty easily. You can use the Splunk interface for creating simple dashboards, or dive into the Simple XML source code for more advanced changes. You also have the option of converting a dashboard to HTML to work with.

With that introduction, let's get into Splunk and take a look. I have a search here. This is looking at the disk usage on my Splunk server. To save it as a report, I'm going to go to Save As, Report, type in "Splunk disk usage" and go to Save. Now, if I want to view it, I can click here. If I wanted to change the time frame I was looking at, I could go up here. I can also go here and do things like edit permissions. I can let other people look at this, and I can also edit the schedule. Once I schedule this, a few different options come up. I could, for example, set it to run every week, at a certain time and day, over a certain time range. I also have the option of setting a priority. This is useful in cases where you may have multiple reports and searches going and don't have a powerful enough environment to run them all at once. The schedule window option down here lets me pick a time frame where Splunk can pick when to run it, in order to improve the efficiency of the searches and reports that are running. If you have a report that you really only need once a day and a lot of other searches going, you could tell it to run anytime in one of these windows. The scheduled reports are very similar to alerts. Here we can add a trigger action that's the same as for alerts, such as sending an email with the attached results. We could also place this report inside a dashboard.

To create a dashboard, I can be in the Search and Reporting app and then click Dashboards. Then I can click Create New Dashboard. I'm just going to name it here and click Create. I'm going to stick to the user interface for this example, but as you remember, you do have the option of modifying the source code. One of the first things that I may want to do is add a panel. I could create a new one, or I could build off the report we just made. If I show more, I can add our Splunk disk usage report. I could give it a name, and I can also play with the visualization. None of these are particularly useful for this search, but some of them are really good. Using the Geo Stats option, for example, can be really good for a variety of things, like looking at the sources of logins. Or you could have a breakdown of the types of errors that you're seeing for a specific source type.

I'm going to go ahead and add another panel and create a new one this time. I'll select Statistics Table and have it look at all time. I'll leave the option of using the time picker. I'm just going to add in a simple search here. This looks at Windows event logs and just adds it as event count by username. Then I add this to the dashboard. Now, if I want, I can move these around. If I think this one should be on top, or maybe just off to the side of that one, I can do that. For some of these formatting options, I can do something like add an overlay of a heat map, where it gives these higher numbers a darker color. I can also add a user input, such as a time input, where they can select the time that they want for the results on this dashboard when they're set to pay attention to that. For fun, I'm going to change this to a dark theme and click Save. It'll go ahead and refresh this. Great. Here's our brand new dashboard.

Now, do you remember what a dashboard that takes in user input can be called? There's a specific word I'm looking for. The answer is form. Dashboards can be made to let users click on options and enter information that changes what's presented on a dashboard. In our next video, we'll cover some app basics.