Splunk | Reporting Use Cases

Upload: beth-goldman

Post on 14-Dec-2014

Page 1: Splunk | Reporting Use Cases

Use Cases

Beth Goldman, User Experience Manager | June 2008

Create Report

ACTOR: Report Developer

Request report

Manager / Executive

Report Developer

Create / modify report content

example: table / chart / graph

Publish report

e.g. bandwidth utilization of internet connections

Create report layout

Review report

Create new report

alt - want to do a variation of existing report

Select report

where content goes (which column, alignment, etc.)

Page 2: Splunk | Reporting Use Cases

Create Report | CREATE REPORT CONTENT

Report Developer

Format label and chart graphics / colors

e.g. bar chart showing # users / host

Identify what the content should look like

Map fields to axes

Identify what you're trying to show with the content

e.g. trend over time, or top level distribution, or comparison

alt - just want raw results / tabular data

Select option to show raw results

alt - chose existing report template

OR

Identify fields

OR

Find data / specify data set

Done

Page 3: Splunk | Reporting Use Cases

Create Report Content | MAP FIELDS

Report Developer

Format label and chart graphics / colors

Review content

Map field to x-axis

alt - x-axis field is continuous

Select binning options

alt - want more info than just count on y-axis + field is numeric

Set additional properties (color, size, shape)

alt - scatter plot chart

Refine # values displayed on x or y-axis

alt - Too many values on x or y axis or z (split by)

Specify function(s)

avg, min, max, sum

Map field(s) to Y-axis

alt - want to split y-axis by another field (e.g. stacked bar)

Select another field for split

Remove specific values (outliers)

+ / OR

Specify function avg, min, max, sum

alt - table

format time axis (time-based binning option, scale

alt - x-axis is categorical (e.g. top referrer)

format data (# to show, sorting options (e.g. frequency), groupings)

Set additional properties

column size, row height, labels, etc.

alt - table

alt - want scatterplot / multi-values

Specify what values to display (TBD)

Select series policy

SCALE: limit time range to where data exists OR show more time.

format data (row sort order)

- # values to display (sum time vs. max time OR select specific values), how to aggregate "other", what to do with null values (suppress?)

Page 4: Splunk | Reporting Use Cases

Create Report Content | FIND/SPECIFY DATA

ACTOR: Report Developer

Report Developer

Ensure data is reportable / available as a field

based on source name / ID

e.g. net flows

Ensure data that I'm looking for is there and complete

exception - data source not there

Request to add data source

Identify and search for key field value(s) - to detail (slicing)

exception - data fields not there

Request to add data field

Verify that data is in results (e.g. bytes trans.)

exception - data not interpreted correctly / fully

Request to add data

new search OR saved search OR saved search + changes

limitation of splunk

Select existing data set (e.g. ss)

what about users?

alt - select existing data set

OR

modify search

exception - data incomplete

TBD

project by viewing it as a summary table, chart graph, etc. when building, if I can't find... - exception

also could modify search to extract addn'l fields

Ensure 1:1 correspondence between incidents and events

based on expected volume, sanity checks

(filter out irrelevant and group and name dup data (status code != 200

Page 5: Splunk | Reporting Use Cases

Create Report | CREATE REPORT LAYOUT

ACTOR: Report Developer

Report Developer

Create report footer

Create report header

Review Report

+

Position report content

+

UPDATE

Page 6: Splunk | Reporting Use Cases

Create Report | PUBLISH REPORT

ACTOR: Report Developer

Report Developer

Add report to relevant dashboard(s)

Identify report reviewers

alt - want to make report available for users to run/view at any time

Notify users about new report

Send report

alt - decide to save entire report for re-use with other data

Create unique template name

Save template (format & content)

Schedule report for recurring delivery

AND / OR

alt - save (dynamic timeframe / values)

save/sched////

TBD

Page 7: Splunk | Reporting Use Cases

Review Report

ACTOR: Manager / Executive

Manager / Executive

Ask report developer to fix / update report content and/or template

Receive notification that report is available

Open / view report

alt - identify problem with report

Review data

Close report

Follow up with relevant employees to investigate and resolve

alt - identify business issue

alt - drill-down to get more info?
