Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Reporting

efelder0
Communicator
‎11-19-2012 06:52 AM

Need a little assistance with reporting. I am currently indexing multiple anti-virus reports into SPlunk daily and are receiving these reports from various Regions globally. (i.e. North America, South America, Europe).

However, I would build 3 seperate reports based on the unique regions.

Report 1 - North America
Report 2 - South America
Report 3 - Europe

Would an EVAL (IF) or CASE statement work here. Here is a subset of the fields that are being indexed: Region Country Location Sub Location

Thoughts?

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎11-19-2012 08:19 AM

You could write a macro that does the reporting and then invoke it along with your selection criteria. For example,
imagine that your macro is named av_summary and contains something like this

sourcetype=av* plus other search terms
| cool transformations here
| stats count by virus sublocation location country
| other cool reporting or charting

You could invoke the macro like this in the search bar

region="Europe" `av_summary`

You could even save a search for each region. But since the underlying macro would be shared, you would have only one place to update the actual report.

It's easy to create a macro, just go to Manager>>Advanced Search>>Macros

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-19-2012 07:18 AM

If you want three unique reports you'll need three unique searches, or a form to fill in a region variable.

0 Karma
Reply

efelder0
Communicator
‎11-19-2012 07:11 AM

I suppose I could setup 3 unique searches and include the statement 'search Region = "North America" and change my output.csv statement.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-19-2012 06:58 AM

What's stopping you from filtering by Region=<report region here> in the search?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...