https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38726#M8820 <P>Need a little assistance with reporting. I am currently indexing multiple anti-virus reports into SPlunk daily and are receiving these reports from various Regions globally. (i.e. North America, South America, Europe). </P> <P>However, I would build 3 seperate reports based on the unique regions.</P> <P>Report 1 - North America<BR /> Report 2 - South America<BR /> Report 3 - Europe</P> <P>Would an EVAL (IF) or CASE statement work here. Here is a subset of the fields that are being indexed: Region Country Location Sub Location </P> <P>Thoughts?</P> Mon, 19 Nov 2012 14:52:40 GMT efelder0 2012-11-19T14:52:40Z https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38726#M8820 <P>Need a little assistance with reporting. I am currently indexing multiple anti-virus reports into SPlunk daily and are receiving these reports from various Regions globally. (i.e. North America, South America, Europe). </P> <P>However, I would build 3 seperate reports based on the unique regions.</P> <P>Report 1 - North America<BR /> Report 2 - South America<BR /> Report 3 - Europe</P> <P>Would an EVAL (IF) or CASE statement work here. Here is a subset of the fields that are being indexed: Region Country Location Sub Location </P> <P>Thoughts?</P> Mon, 19 Nov 2012 14:52:40 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38726#M8820 efelder0 2012-11-19T14:52:40Z https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38727#M8821 <P>What's stopping you from filtering by Region=&lt;report region here&gt; in the search?</P> Mon, 19 Nov 2012 14:58:30 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38727#M8821 martin_mueller 2012-11-19T14:58:30Z https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38728#M8822 <P>I suppose I could setup 3 unique searches and include the statement 'search Region = "North America" and change my output.csv statement.</P> Mon, 19 Nov 2012 15:11:40 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38728#M8822 efelder0 2012-11-19T15:11:40Z https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38729#M8823 <P>If you want three unique reports you'll need three unique searches, or a form to fill in a region variable.</P> Mon, 19 Nov 2012 15:18:26 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38729#M8823 martin_mueller 2012-11-19T15:18:26Z https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38730#M8824 <P>You could write a macro that does the reporting and then invoke it along with your selection criteria. For example,<BR /> imagine that your macro is named <CODE>av_summary</CODE> and contains something like this</P> <PRE><CODE>sourcetype=av* plus other search terms | cool transformations here | stats count by virus sublocation location country | other cool reporting or charting </CODE></PRE> <P>You could invoke the macro like this in the search bar</P> <PRE><CODE>region="Europe" `av_summary` </CODE></PRE> <P>You could even save a search for each region. But since the underlying macro would be shared, you would have only one place to update the actual report. </P> <P>It's easy to create a macro, just go to Manager&gt;&gt;Advanced Search&gt;&gt;Macros</P> Mon, 19 Nov 2012 16:19:04 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Reporting/m-p/38730#M8824 lguinn2 2012-11-19T16:19:04Z