Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What's the difference between "searchstring" and "query" when defining a search in XML?

dovelsh12223621
Path Finder
‎04-23-2015 01:49 AM

When I want to define a search in view (XML), I usually try the element "searchstring" OR "query". However, I don't really know the difference between them. Please give me some help, thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-23-2015 06:47 AM

Hi ,
I think that and are different in some points being given that the new version has improvements

  • Firstly, note that query is provided with search where you can pass an id and call it to another place in the same dashboard with base attribut.

  • Because query is a part of < searchString > ,You may consider that < SearchString > was divided into < / query > < / search >in the new version of splunk and this new have more advantages.

For example, in the new version of spunk, a dashboard can contain one or more global elements that drive the data displayed in the dashboard ! this is possible by providing an id to ; this is not posssible with searchString.

This is what explains my example: You can run it

<dashboard>
     <search id="base">
         <!-- The base query as you have it in the search tag of your visualization -->
         <query>index = _internal | stats count by sourcetype | head 5</query>
             <earliest>-8h@h</earliest>
             <latest>now</latest>
         </search>
     <row>
         <panel>
             <chart>
                 <search base="base">
                     <!-- Any postprocessing goes here, we don't have any so this is empty -->
                 </search>
                 <option name="charting.chart">bar</option>
                 <option name="charting.chart.nullValueMode">gaps</option>
                 <!-- ...And all the other stuff you want to do. -->
             </chart>
             <chart>
                 <search base="base">
                 </search>
                 <!-- You get the idea. -->
             </chart>
         </panel>
     </row>
 </dashboard>

View solution in original post

Reply
Solved! Jump to solution

juvetm
Communicator
‎04-23-2015 11:01 AM

hi
A search string is the combination of characters and words that make up the search being conducted. while A query is a request for information from a database.

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-23-2015 07:02 AM

which come after the query tag only affects research, while is not the case with the tag searchstring

 ......
   <search >
        <query>
          ....your_search
        </query>
        ...**what you put here only affects the research that is in the query tag.**
      </search

ex:

...
 <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log | stats count by component, log_level
    </query>
    <earliest>-30d</earliest>
    <latest>now</latest>              // this   only affects the research above. 
  </search>
0 Karma
Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-23-2015 06:47 AM

Hi ,
I think that and are different in some points being given that the new version has improvements

  • Firstly, note that query is provided with search where you can pass an id and call it to another place in the same dashboard with base attribut.

  • Because query is a part of < searchString > ,You may consider that < SearchString > was divided into < / query > < / search >in the new version of splunk and this new have more advantages.

For example, in the new version of spunk, a dashboard can contain one or more global elements that drive the data displayed in the dashboard ! this is possible by providing an id to ; this is not posssible with searchString.

This is what explains my example: You can run it

<dashboard>
     <search id="base">
         <!-- The base query as you have it in the search tag of your visualization -->
         <query>index = _internal | stats count by sourcetype | head 5</query>
             <earliest>-8h@h</earliest>
             <latest>now</latest>
         </search>
     <row>
         <panel>
             <chart>
                 <search base="base">
                     <!-- Any postprocessing goes here, we don't have any so this is empty -->
                 </search>
                 <option name="charting.chart">bar</option>
                 <option name="charting.chart.nullValueMode">gaps</option>
                 <!-- ...And all the other stuff you want to do. -->
             </chart>
             <chart>
                 <search base="base">
                 </search>
                 <!-- You get the idea. -->
             </chart>
         </panel>
     </row>
 </dashboard>
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-23-2015 03:02 AM

hi
this is a difference between searchstring and query

you can use 

<search>
           <query>   </query>
 </search>

directly into the mark dashboard or the mark form and in the chart,event,list,map,single,table

while searchstring
is used only in mark chart,event,list,map,single,table

so if you use searchstring
directly into the mark dashboard or the mark form, it will not work

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-23-2015 02:02 AM

was used in previous versions

<searchString>-------</searchString>

used from version 6.2.x and both do the same job

<search>
       <query> ----- </query>
 </search>
Reply
Solved! Jump to solution

dovelsh12223621
Path Finder
‎04-23-2015 02:14 AM

Thanks,but "searchstring" is on longer use in 6.2.2? Maybe,not. I want to know the difference between them."query" is better than "searchstring" ? something else,please,tell me.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-23-2015 02:20 AM

See here.

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-23-2015 02:20 AM

following this link:
http://www.splunk.com/view/SP-CAAANMA and go click on download course description.

0 Karma
Reply
Solved! Jump to solution

dovelsh12223621
Path Finder
‎04-23-2015 08:24 PM

Thanks for your help,I have found ways to circumvent this question. I wil keep learning the improvements about new version.Thank you,very much .

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎04-23-2015 02:00 AM

Hi
this is the difference between "AND" and "OR"
when we use :
AND make sure that all the condition is verified
OR make sure that at least one condition is verified

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎04-23-2015 01:55 AM

Hi dovelsh12223621
Please explain me well your question
If possible post me your xml code

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-23-2015 01:53 AM

If you used angular brackets around your XML items, you need to post those as code. Either click the button for that above the text box or leave one row blank before the code and indent by four spaces.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...