Help with Reporting

efelder0 · ‎11-19-2012

Need a little assistance with reporting. I am currently indexing multiple anti-virus reports into SPlunk daily and are receiving these reports from various Regions globally. (i.e. North America, South America, Europe).

However, I would build 3 seperate reports based on the unique regions.

Report 1 - North America
Report 2 - South America
Report 3 - Europe

Would an EVAL (IF) or CASE statement work here. Here is a subset of the fields that are being indexed: Region Country Location Sub Location

Thoughts?

lguinn2 · ‎11-19-2012

You could write a macro that does the reporting and then invoke it along with your selection criteria. For example,
imagine that your macro is named av_summary and contains something like this

sourcetype=av* plus other search terms
| cool transformations here
| stats count by virus sublocation location country
| other cool reporting or charting

You could invoke the macro like this in the search bar

region="Europe" `av_summary`

You could even save a search for each region. But since the underlying macro would be shared, you would have only one place to update the actual report.

It's easy to create a macro, just go to Manager>>Advanced Search>>Macros

martin_mueller · ‎11-19-2012

If you want three unique reports you'll need three unique searches, or a form to fill in a region variable.

efelder0 · ‎11-19-2012

I suppose I could setup 3 unique searches and include the statement 'search Region = "North America" and change my output.csv statement.

martin_mueller · ‎11-19-2012

What's stopping you from filtering by Region=<report region here> in the search?

Help with Reporting

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!