Dashboards & Visualizations

What's the difference between "searchstring" and "query" when defining a search in XML?

dovelsh12223621
Path Finder

When I want to define a search in view (XML), I usually try the element "searchstring" OR "query". However, I don't really know the difference between them. Please give me some help, thanks.

1 Solution

ngatchasandra
Builder

Hi,
I think that <searchString> and <query> are different in some points, given that the new version has improvements.

  • Firstly, note that query is provided with search, where you can pass an id and call it in another place in the same dashboard with the base attribute.

  • Because query is a part of <searchString>, you may consider that <searchString> was divided into </query> </search> in the new version of Splunk, and this new version has more advantages.

For example, in the new version of Splunk, a dashboard can contain one or more global elements that drive the data displayed in the dashboard! This is possible by providing an id to <search>; this is not possible with searchString.

My example explains this. You can run it:

<dashboard>
     <search id="base">
         <!-- The base query as you have it in the search tag of your visualization -->
         <query>index = _internal | stats count by sourcetype | head 5</query>
         <earliest>-8h@h</earliest>
         <latest>now</latest>
     </search>
     <row>
         <panel>
             <chart>
                 <search base="base">
                     <!-- Any postprocessing goes here, we don't have any so this is empty -->
                 </search>
                 <option name="charting.chart">bar</option>
                 <option name="charting.chart.nullValueMode">gaps</option>
                 <!-- ...And all the other stuff you want to do. -->
             </chart>
             <chart>
                 <search base="base">
                 </search>
                 <!-- You get the idea. -->
             </chart>
         </panel>
     </row>
 </dashboard>


juvetm
Communicator

hi
A search string is the combination of characters and words that make up the search being conducted, while a query is a request for information from a database.

0 Karma

fdi01
Motivator

What comes after the query tag only affects the search, while this is not the case with the searchstring tag

 ......
   <search>
        <query>
          ....your_search
        </query>
        <!-- what you put here only affects the search that is in the query tag -->
      </search>

ex:

...
 <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log | stats count by component, log_level
    </query>
    <earliest>-30d</earliest>
    <latest>now</latest>              <!-- this only affects the search above -->
  </search>

0 Karma

gyslainlatsa
Motivator

hi
this is a difference between searchstring and query

you can use

<search>
           <query>   </query>
 </search>

directly into the mark dashboard or the mark form and in the chart, event, list, map, single, table

while searchstring is used only in mark chart, event, list, map, single, table

so if you use searchstring directly into the mark dashboard or the mark form, it will not work

0 Karma

gyslainlatsa
Motivator

was used in previous versions

<searchString>-------</searchString>

used from version 6.2.x and both do the same job

<search>
       <query> ----- </query>
 </search>
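
Added example (not part of the thread and not Splunk's own tooling): a Python script that rewrites the older `<searchString>` form described above into the `<search><query>` form. The sample dashboard is constructed, and the `<earliestTime>`/`<latestTime>` element names are assumed from the older Simple XML syntax rather than taken from this page.

```python
import xml.etree.ElementTree as ET

# Legacy panel children and their replacements inside <search>.
# earliestTime/latestTime are the legacy time elements (not named on this page).
LEGACY_TO_NEW = {"searchString": "query",
                 "earliestTime": "earliest",
                 "latestTime": "latest"}

# Constructed sample: one panel written in the legacy form.
LEGACY_XML = """<dashboard>
  <row>
    <panel>
      <chart>
        <searchString>index=_internal | stats count by sourcetype</searchString>
        <earliestTime>-8h@h</earliestTime>
        <latestTime>now</latestTime>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>"""


def migrate(xml_text):
    """Return (new_xml, count) with each legacy search group rewritten."""
    root = ET.fromstring(xml_text)
    converted = 0
    for parent in list(root.iter()):       # snapshot: the tree is edited below
        if parent.find("searchString") is None:
            continue
        search = ET.Element("search")
        position = None
        for index, child in enumerate(list(parent)):
            new_tag = LEGACY_TO_NEW.get(child.tag)
            if new_tag is None:
                continue                   # <option> etc. stay where they are
            if position is None:
                position = index           # <search> goes where the group began
            parent.remove(child)
            child.tag = new_tag
            search.append(child)
        parent.insert(position, search)
        converted += 1
    if hasattr(ET, "indent"):              # Python 3.9+: tidy the whitespace
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), converted
```

Running `migrate` a second time on its own output converts nothing, so it is safe to apply to a directory of dashboards that mixes both forms.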

dovelsh12223621
Path Finder

Thanks, but "searchstring" is no longer in use in 6.2.2? Maybe not. I want to know the difference between them. "query" is better than "searchstring"? Something else, please tell me.

0 Karma

jeffland
SplunkTrust

See here.

0 Karma

gyslainlatsa
Motivator

following this link:
http://www.splunk.com/view/SP-CAAANMA and go click on download course description.

0 Karma

dovelsh12223621
Path Finder

Thanks for your help, I have found ways to circumvent this question. I will keep learning about the improvements in the new version. Thank you very much.

0 Karma

chimell
Motivator

Hi
This is the difference between "AND" and "OR" when we use them:
AND makes sure that all the conditions are verified
OR makes sure that at least one condition is verified

0 Karma

chimell
Motivator

Hi dovelsh12223621
Please explain your question well.
If possible, post your XML code.

0 Karma

jeffland
SplunkTrust

If you used angular brackets around your XML items, you need to post those as code. Either click the button for that above the text box or leave one row blank before the code and indent by four spaces.

0 Karma