Report On Data

Now that you've added data to your app, let's explore the types of searches and reports that you can run. Searches are your main tool for exploring your data in Splunk Enterprise. For more about search, see Get started with Search in the Search Manual.

  1. Navigate back to your app's home page by clicking the Splunk logo in the upper left of the browser window, then click the tile for your app from the list on the left.
  2. The default home page is the app's Search page.

  3. In the Search box, enter "index=<your index name> | timechart count(to) by mailer", replacing <your index name> with the index you created in Add data. Leave the time span to the right of the search box set to All time.
  4. This step creates a hard dependency on the existence of your index. To learn how to avoid doing this, see Use macros to avoid index dependency.

    You should see results that look like this:

  5. Save this search as a report by clicking Save As, then selecting Report.
  6. For Title, enter "Top recipients by mailer" and optionally add a description.
  7. Click Save, then click Continue Editing.

Recap

We'll use this search in a dashboard later, but first let's take a look at how Splunk Enterprise saved the search as a report, also known as a saved search.

By default, the search is saved with private permission. Private objects are stored to a location outside of apps in Splunk Enterprise. Let's take a look at where the search ended up and see how we can move it back inside of our app.

Private objects are stored in $SPLUNK_HOME/etc/users/your_username/your_app/local. This folder contains all objects marked as private, including the ui-prefs.conf configuration file that contains customizations about the display of apps, and savedsearches.conf with the configuration settings for the report you saved.

For more, see ui-prefs.conf and savedsearches.conf in the Admin Manual.

Change the scope of the report

In its current location, this search is available only to our current user, which causes problems when you want to distribute your app. Let's move it back into the app.

  1. Return to Splunk Web and click the Reports tab in the navigation bar.
  2. You should see your report along with any other reports for other apps installed on your Splunk Enterprise instance.

  3. Click This App's to view only the reports associated with your app.
  4. The Sharing setting for the report you saved earlier is set to Private, which corresponds to its current location in the app's directory for the current user.

  5. Click Edit, then click Edit Permissions.
  6. Change Display For to App.
  7. Changing this setting moves the stanza defined in the savedsearches.conf file for the report into one of the savedsearches.conf files located in your app. You can also make these changes to the configuration files manually.

  8. Click Save to apply your changes.

Now, when you open the $SPLUNK_HOME/etc/apps/your_app/local folder, you'll see that a savedsearches.conf file has been added. If you plan to include this report with the app you distribute to users, be sure to migrate the savedsearches.conf file to the /default directory before deployment. Also, look in $SPLUNK_HOME/etc/users/your_username/your_app/local/savedsearches.conf, and notice that the stanza defining your saved search has been removed.
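To check where each report's stanza currently lives, the following Python script (an added example, not part of the original tutorial or of Splunk's own tooling) scans the per-user, app local, and app default savedsearches.conf files described above. The user alice, the index my_index, the report "Draft report", and the function names are assumptions made for the constructed sample.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[(.+)\]\s*$")

def stanzas(conf):
    """Return stanza names from a Splunk .conf file ([] if the file is absent)."""
    names, continued = [], False
    for line in (conf.read_text(encoding="utf-8").splitlines() if conf.is_file() else []):
        match = STANZA.match(line)
        # A line after a trailing backslash continues the previous value
        # (for example a subsearch), so it is not a stanza header.
        if match and not continued:
            names.append(match.group(1))
        continued = line.endswith("\\")
    return names

def report_locations(splunk_home, app):
    """Map each report name to the scopes where its stanza is defined."""
    etc, found = Path(splunk_home, "etc"), {}
    users = sorted(p.name for p in (etc / "users").iterdir()) if (etc / "users").is_dir() else []
    scopes = [("private:" + u, etc / "users" / u / app / "local") for u in users]
    scopes += [("app/" + d, etc / "apps" / app / d) for d in ("local", "default")]
    for label, folder in scopes:
        for name in stanzas(folder / "savedsearches.conf"):
            found.setdefault(name, []).append(label)
    return found

def build_sample(root):
    """Write a constructed sample tree; user alice and index my_index are made up."""
    files = {
        "etc/users/alice/your_app/local/savedsearches.conf":
            "[Draft report]\nsearch = index=my_index \\\n[search index=my_index | head 1]\n",
        "etc/apps/your_app/local/savedsearches.conf":
            "[Top recipients by mailer]\nsearch = index=my_index | timechart count(to) by mailer\n",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for name, scopes in report_locations(root, "your_app").items():
            print(f"{name}: {', '.join(scopes)}")
```

A report listed only as private:<user> is still visible to that user alone, and one listed only as app/local has not yet been migrated to the /default directory.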

See also

Use macros to avoid index dependency

Next step

Visualize data