Re: Base Searches

WanLohnston · ‎02-05-2026

Hi,

I was wondering if it's at all possible to use a very broad query as a base search and then use queries to filter it down?

Example would be a base search of all IDs, then a query using that base search to filter it down by a particular group.

bowesmana · ‎02-05-2026

The important point to remember about base searches is that they are limited in volume and sometimes you can make your overall dashboard performance worse. They are not intended as a vast lookup.

Given that, yes you can make a somewhat broad search, for example

index=abc
| stats count by id a b c

and then have 4 sub searches that do

1. | stats dc(id) as ids

2. | stats sum(count) as count by a

3. | stats sum(count) as count by b

4. | stats sum(count) as count by c

Maybe if you gave a bit more detail and some of the search we could better advise if makes sense.

gcusello · ‎02-05-2026

Hi @WanLohnston ,

yes, it's possible:

you must create a base search, with all the levels of complication and then use it as the starting point for the searches in each panel.

for more details see at https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/simple-xml-dashboards/9.4...

Ciao.

Giuseppe

Base Searches

Classic dashboard

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Join the Conversation