Solved: Re: Automatic Simple XML Dashboard: How to remove ...

TiagoTLD1 · ‎10-24-2016

Hello,

I have a base search as simple as

<search id="root">
    <query>index=w                     
     </query>
  </search>

And the I have

<search base="root">
  <query> filter1=A AND filter2=B
 </query>
</search>

This is not working because Splunk adds a pipe between the root and leaf search:

index=w | filter1=A filter2=B

What I wanted to happen is

index=w filter1=A filter2=B

Any ideas how to change this behaviour?

cmerriman · ‎10-24-2016

try this

<search base="root">
   <query> search filter1=A filter2=B
  </query>
 </search>

You're not going to be able to remove that pipe. it's either add the filters to the base search or do a |search in the base="root"

cmerriman · ‎10-24-2016

try this

<search base="root">
   <query> search filter1=A filter2=B
  </query>
 </search>

You're not going to be able to remove that pipe. it's either add the filters to the base search or do a |search in the base="root"

TiagoTLD1 · ‎10-25-2016

Thank you, that was my suspition. I'll have to live with that.

Automatic Simple XML Dashboard: How to remove an unwanted pipe in the base search of a dashboard?