Is it just me or is 'Reporting' not actually a report package at all? See a mail exchange I have had with support below. Has anybody used a third party package with Splunk to generate management reports?
Email extract below: ..............
Please see attached file here. I suspect we will use an external reporting package in the short term but I view this as serious deficiency in Splunk. I am not expecting a 'solution' to this but it would be good to know that the features I am requesting are being put into Splunk at some point. Having just paid over 100k for this package I am very disappointed that I am having to export as a .csv in order to use a third party reporting package!! I fully expect to be asked some searching questions about this by management, having recommended the product!
General Comments: 1) I want to be able to format a business oriented report based on results from the datasets we have collected. The current 'report' module is actually just a way to put together charts and tables, which we can do programatically in anycase.
2) Please see any reports package for the basic features we would want to see. As a minimum the following features would be required:
A) Titling. I need to be able to add a title to a report. I need to be able to title individual elements, e.g. Chart A showing Trade Volumes foloowed by a chart.
B) Control over pagination and layout. If I print a standard view or a report view I have no control over pagination and layout. The results can look very poor indeed.
C) Header and footer information. For multi page reports I need header and footer detail which would include text, page numbering etc. Again, see any reports package for an exhaustive list.
D) Support for general metadata such as Date, Time etc. If I issue a report, its likely to relate to a particular day and would potentially be used for regulatory purposes. If its not dated its useless!!
E) Support for multi page printouts of tabular information. If I have a table with 300 pages I currently have no way to print it!! My only option is to build yet another screen and output to CSV then use a third party package to format. This is very poor indeed!!
F) Support for formatting of columns of tabular information.
Specific Comments on Current Implementation: 1) See the attached file. You will see that what I am getting is a screen dump NOT a report based on the data retrieved. Basically when you use report and hit print, it simply rescales to the current default print page size (no opportunity to resize or rescale) and it blindly prints the redered page. I get all the application menus and the big report buttons!! Currently I will be forced to use a third party tool to cut and past results into a hand written report!! This is not great at all.
2)Once the print completes, the page resizes again but the chart doesn't re-render. This is a general problem with charts which don't re-display after a render change.
3) The 'report' function actually gives much less than the simple xml approach (our summary reports are now being built in this way).
So, in summary I don't actually think your 'report' tool is a report tool at all. Its just another way to build screens without coding. As such it doesn't fulfill any of my reporting requirements (and I suspect I am not alone in this).
As a reponse I need to know if Splunk accepts this as a deficiency and if a solution will be added to the roadmap and what the initial timeframe will be. This is a serious issue for us and spoils an otherwise excellent product.
If Splunk doesn't want to write a report library from scratch how about integrating it with an existing one? There appear to be a few flash based ones out there (I don't have any experience with any of them, so I don't have a specific recommendation). Or maybe you could provide a hook into Google charts... http://code.google.com/apis/chart/
You make some good suggestions. We've heard some of these from other customers as well and they are certainly on our long term roadmap. I'd love to better learn about your use cases to help prioritize -- I will email you offline to set up a time.
As far as the bugs you encountered (such as sizing/rendering issues), please do submit them via firstname.lastname@example.org if you haven't already so we can take care of them asap.
I recognize that Splunk is not a fully featured reporting tool, nor was it intended to be. Reporting is just one of many things we do, and while some customers are perfectly happy with our current, relatively simple implementation, we do have customers that demand more. Several, as the previous commenter suggested, have integrated with other reporting packages/UIs (such as Google charts) either via scripts or our REST API with great success.
Gaurav Gupta (Dir. of Product Mgmt at Splunk)
I would like to echo the comments of Mr. Stuart. We purchased Splunk for the specific purpose of generating reports. We did see the demo of reports and looked at the wysiwyg reporting. All looked very well. We even ran a many searches during the evaluation. My mistake was not running through all the reporting scenarios during evaluation. We were just so impressed with the indexing capabilities, we totally forgot our main purpose, generating usable business reports.
Had we actually taken notice of the lack of reporting OR seen this post, we might be using a different product today, or simply waiting for the next release with real reporting.
I beg of you splunk, please push reporting to a higher priority. I understand using data to troubleshoot events, and watch values and trends. But the bottom line is that eventually output will be required, output that upper management can read, understand, and respond to.
As a FYI, we use Splunk Reports as a DataTable generator via the Splunk ODBC driver and pipe the results into Tableau, Telerik Charting, etc. so we are not using the report display features of the reports, just the canned dataset generation.
It's a pain to maintain because we have to hand edit each report if infrastructure changes -- the ability to just hand off a splunk query to Splunk ODBC Driver is soulfully missing