Page tree

Contents

You can view the overall summary of DNS, DHCP, and IPAM activities in the Home Dashboard page. This page presents a summary view of the following:

  • DDI Summary: Presents statistical information about the DNS, DHCP, and IPAM activities of all Grid members.
  • DNS: Displays the statistical summary of DNS activities. You can export the search results, open in search, and refresh.
  • DHCP: Displays the statistical summary of DHCP activities. You can export the search results, open in search, and refresh.
  • IPAM: Displays the summary of the Top10IPAMv4UtilizedNetworks dashboard.
  • Reporting Health: You can view the license usage by the reporting server:
    • Today's License Usage: Current license usage by the indexer.
    • License Usage Trend per Member: License usage by the indexer per member.


Figure 40.9 Reporting Home Dashboard

About Searches

Searches are criteria that the reporting server uses to save reports and dashboard panels. Each predefined report has an associated search. For more information, refer to the official Splunk documentation: http://docs.splunk.com/Documentation.
To run a search:

  1. From the Reporting tab, select the Search tab.
  2. Enter the search criteria and then click the Search icon.

The search results are displayed in the New Search panel, as illustrated in the New Search View. In the New Search panel, you can save search results as Reports, Dashboard Panel, and Alerts.
When you deploy reporting clustering, we enable Splunk configuration to prevent data loss from forwarders, which may cause duplicated events in the indexer under certain circumstances. When you view reports and dashboards, the events that are already deduped are not duplicated again. However, if you view raw search events (such as write your own search against the indexed data directly), you may still see the duplicated events
The search results are based on the most seen events for the dashboards listed in Table 40.7. To know more about dedup searches, reports, or dashboards, refer to http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Dedup.


Note: When you click Open in Search, the content of the entire page (alert/ dashboard/ report) is encoded and displayed in the Search page. To avoid encoding, go to Activity tab -> Jobs. The Jobs page lists the search job history in the form of links. The top one is the latest search job executed by the alert or dashboard or report. The search string is not encoded when you click this link to run the search.



Table 40.7 Dashboards and Deduplicate Key(s)

Dashboard

Deduplicate Key(s)

Inactive IP Addresses

Network view + IP address

DHCPv4 Top Utilized Networks

Network view + network

DNS Statistics per DNS View

DNS view

DNS Statistics per Zone

DNS view + DNS zone

IPAMv4 Network Usage Statistics

Network view + Network

IPAMv4 Top Utilized Networks

Network view + Network


Figure 40.10 Sample Search Summary View
 

 
Figure 40.11 New Search View

Best Practices for Customizing Searches

You can optimize the performance of your reporting server and more efficiently view and manage your reports. Depending on the type of search and the data you want to search for, Infoblox recommends that you use the following guidelines:

  • Specify shorter start and end times whenever possible.
    • Time range is one of the most important factor for search performance. Depending on the number of events that need to be loaded from the disk, it might take a long time when you specify a wider time range as it involves a large amount of data.
  • Be specific about the fields you use.
    • Rare searches are faster than dense searches, so be specific whenever possible.
    • Start a search from a smaller dataset and then gradually apply it to bigger dataset.
    • When experimenting searches, start with a small date and time range, and then apply it to a bigger time range only when it is optimized.
  • If a search is running for a long time, you can use the Pause and Stop buttons.
    • You can tune the search criteria and run it again if you stop an ongoing search jobs.
  • Configure the panels to display data only if you have specific input instead of adding too many panels to the dashboard.
  • Scheduling expensive searches.
    • You can configure reports and dashboards by scheduling searches because prefetched search results are displayed each time the reports and dashboards are opened. This reduces the workload on the reporting server without data freshness.
  • Stagger scheduled searches.

Try to stagger your searches whenever possible. When you define how often the reporting server runs a search, be aware of other searches that the server is running. When you schedule the server to run many searches at the same time, the server performance can be negatively affected.

Creating Reports from a Search

You can create reports by saving a search as a report. To save a search as a report:

  1. From the Reporting tab, select the Search tab.
  2. Enter the search criteria and then click the Search icon. The search results are displayed in the New Search panel.
  3. From the Save As drop-down list, click Report to generate a report.
  4. Enter title and description.
  5. Click Save.
  6. Do one of the following in the Your report has been created dialog box:
    • Click View to view your report on the Report page.
    • Click Continue Editing to edit.
    • Click Add to Dashboard to add new report to the dashboard panel.

You can also complete the following settings in the Your report has been created dialog box:

  • Permissions: Click this to edit permissions for your report, as described in Editing Permissions.
  • Schedule: Click this to schedule a report. For information about scheduling reports, see Scheduling Reports.
  • Acceleration: For more information, refer to the Splunk documentation.

Saving a Search as a Dashboard Panel

You can save a search as a dashboard panel.
Do the following to save a search as a dashboard panel:

  1. From the Reporting tab, select the Search tab.
  2. Enter the search criteria and then click the Search icon. The search results are displayed in the New Search panel.
  3. From the Save As drop-down list, click Dashboard Panel to create a dashboard panel.
  4. Click View Dashboard to view dashboard in the Dashboard panel. For information, see Home Dashboards.

Exporting Search Results

You can export the data in the selected search in CSV (comma separated value) or XML format. Note that this may take a long time depending on the amount of data you want to export. To schedule the export of search results to an FTP or SCP or TFTP server configured in the Set up page, select File Transfer Action when creating a scheduled alert, as described in Creating Scheduled Alerts.
To export data in a selected search:

  1. From the Reporting tab, select the Search tab.
  2. Enter the search criteria and then click the Search icon. The search results are displayed in the New Search panel.

  3. Click the Export iconto export search results.
  4. In the Export Results dialog box, complete the following:
    • Format: Select CSV or XML from the Format drop-down list.
    • File Name: Specify a file name for the export file. This is optional.
    • Number of Results:(Limited or Unlimited). If you select Limited, enter the number of results to be exported in the Max Results field.
  5. Click Export.

Saving Search as Alerts

To save a search as an alert:

  1. From the Reporting tab, select the Search tab.
  2. Enter the search criteria and then click the Search icon.
  3. From the Save As drop-down list, click Alert.
  4. In the Save As Alert dialog box, specify all alert settings. For information about scheduling alerts, see Creating Scheduled Alerts.
  5. Click Save.


  • No labels

This page has no comments.