Implementing Splunk(Second Edition)

Sharing results with others

It is often convenient to share a specific set of results with another user. You could always export the results to a CSV file and share it, but this is cumbersome. In earlier versions of Splunk, a URL could be saved and shared; in version 6.2, things are a bit different (although you still can save your search as a bookmarked URL).

The URL

To share your search as a bookmarked URL, you can click on the share icon to view the Share Job dialog:

From here, you can simply right-click on the share icon and bookmark your search for later use:

You can also share your search and search results in a variety of other ways, starting by clicking on the Save As link:

This lists your options for saving the search and search results. Your choices are the following:

  • Report
  • Dashboard Panel
  • Alert
  • Event Type

Save as report

To save your search as a report, click on the Report link. This opens the Save As Report dialog:

From here, you need to do the following:

  1. Enter a Title (or name) for your report.
  2. Enter an optional Description to remind users what your report does.
  3. Indicate if you'd like to include the Splunk Time Range Picker as a part of your report.

Once you click Save, Splunk prompts you to either review Additional Settings for your newly created report (Permissions, Schedule, Acceleration, and Embed), Add (the report) to Dashboard (we will talk more about dashboards in Chapter 5, Simple XML Dashboards), View the report, or Continue Editing the search:

In my example, I named my report My Error Report, added a description (a simple example of a save as report), and included the Time Range Picker. The following screenshot displays the saved report after clicking View:

The additional settings that can be made to the report are given as follows:

  • Permissions: Allows you to set who can see the saved report: only you (the owner), users of the current app, or users of all apps. In addition, you can make the report read only or writeable (it can be edited by others).
  • Schedule: Allows you to schedule the report so that Splunk runs (refreshes) it on the schedule you choose, for example, every week on Monday at 6 AM, over a particular time range.
  • Acceleration: Not all saved reports qualify for acceleration, and not all users (not even admins) have the ability to accelerate reports. Generally speaking, Splunk Enterprise will build a report acceleration summary for the report if it determines that the report would benefit from summarization (acceleration). More on this topic later in Chapter 2, Understanding Search.
  • Embed: Report embedding lets you bring the results of your reports to large numbers of report stakeholders. With report embedding, you can embed scheduled reports in external (non-Splunk) websites, dashboards, and portals. Embedded reports can display results in the form of event views, tables, charts, maps, single values, or any other visualization type. They use the same formatting as the originating report. To embed a saved report, you copy a Splunk-generated URL into an HTML-based web page.

Save as dashboard panel

We'll be discussing dashboards in Chapter 5, Simple XML Dashboards, but for now you should know that you can save your search as a new dashboard or as a new panel in an existing one. Permissions can also be set:

Save as alert

An alert is an action that a saved search triggers based on specified results of the search. When creating an alert, you specify a condition that triggers it (basically, an alert is a saved search with trigger conditions). When you select Save as Alert, the following dialog is provided to configure the search as an alert:

Save as event type

Event types are a categorization system to help you make sense of your user-defined data fields. They simplify searches by letting you categorize events, classifying those that share common characteristics. When your search results come back, they're checked against known event types. An event type is applied to an event at search time if that event matches the event type definition.

The simplest way to create a new event type is through Splunk Web. After you run a search that would make a good event type, click Save As and select Event Type. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it:
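Each of the Save As dialogs described above (report with its Schedule and Permissions settings, alert, event type) writes a stanza into a Splunk configuration file, and reviewing those files is the quickest way to audit what has been saved and who can change it. The following is an added example, not taken from the book: the file names and keys are Splunk's, while the search strings, stanza titles, tag name and e-mail recipient are constructed for illustration.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# "Save as report" with the Schedule setting: every Monday at 6 AM over the last 7 days
[My Error Report]
search = index=main sourcetype=access_combined status>=500
description = a simple example of a save as report
enableSched = 1
cron_schedule = 0 6 * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = now

# "Save as alert": the same kind of stanza plus a trigger condition and an action
[Error Spike Alert]
search = index=main sourcetype=access_combined status>=500
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 100
action.email = 1
action.email.to = ops@example.com

# $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf
# "Save as event type": a named match condition reusable as eventtype=web_server_error
[web_server_error]
search = sourcetype=access_combined status>=500

# $SPLUNK_HOME/etc/apps/search/local/tags.conf
# The optional tag entered in the Save as Event Type dialog
[eventtype=web_server_error]
error = enabled

# $SPLUNK_HOME/etc/apps/search/metadata/local.meta
# The Permissions setting: everyone may read, only admins may edit,
# and the report is shared with all apps (export = system). Stanza names
# with spaces are URL-encoded here.
[savedsearches/My%20Error%20Report]
access = read : [ * ], write : [ admin ]
export = system
owner = admin
```

Keeping write access restricted as in the local.meta stanza matters for alerts in particular, because anyone who can edit the saved search can change what the scheduled alert runs and where its results are sent.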