When I want to define a search in view (XML), I usually try the element "searchstring" OR "query". However, I don't really know the difference between them. Please give me some help, thanks.
Hi,
I think that and are different in some points, given that the new version has improvements.
Firstly, note that query is provided with search, where you can pass an id and call it in another place in the same dashboard with the base attribute.
Because query is a part of <searchString>, you may consider that <searchString> was divided into </query> </search> in the new version of Splunk, and this new one has more advantages.
For example, in the new version of Splunk, a dashboard can contain one or more global elements that drive the data displayed in the dashboard! This is possible by providing an id to ; this is not possible with searchString.
This is what my example explains. You can run it:
<dashboard>
  <search id="base">
    <!-- The base query as you have it in the search tag of your visualization -->
    <query>index = _internal | stats count by sourcetype | head 5</query>
    <earliest>-8h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="base">
          <!-- Any postprocessing goes here, we don't have any so this is empty -->
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <!-- ...And all the other stuff you want to do. -->
      </chart>
      <chart>
        <search base="base">
        </search>
        <!-- You get the idea. -->
      </chart>
    </panel>
  </row>
</dashboard>
hi
A search string is the combination of characters and words that make up the search being conducted, while a query is a request for information from a database.
which come after the query tag only affects research, while is not the case with the tag searchstring
......
<search>
  <query>
    ....your_search
  </query>
  <!-- ... what you put here only affects the research that is in the query tag. -->
</search>
ex:
...
<search id="baseSearch">
  <query>
    index=_internal source=*splunkd.log | stats count by component, log_level
  </query>
  <earliest>-30d</earliest>
  <latest>now</latest> <!-- this only affects the research above. -->
</search>
hi
This is a difference between searchstring and query: you can use
<search>
  <query> </query>
</search>
directly into the mark dashboard or the mark form, and in the chart, event, list, map, single, table, while searchstring is used only in mark chart, event, list, map, single, table. So if you use searchstring directly into the mark dashboard or the mark form, it will not work.
was used in previous versions
<searchString>-------</searchString>
used from version 6.2.x and both do the same job
<search>
<query> ----- </query>
</search>
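As an added illustration of the "both do the same job" point above (this is not code from the thread or from Splunk), the following Python sketch rewrites the older searchString form into the search/query form. It assumes the legacy time-range elements are named earliestTime and latestTime, which do not appear in the thread, and it runs on a constructed sample dashboard.

```python
import xml.etree.ElementTree as ET

# Legacy (pre-6.2) child tag -> child of <search> in the newer form.
# earliestTime/latestTime are assumed legacy names; they are not in the thread.
LEGACY_TO_NEW = {"searchString": "query",
                 "earliestTime": "earliest",
                 "latestTime": "latest"}

# Constructed sample dashboard in the legacy form.
SAMPLE_LEGACY = """<dashboard>
  <row>
    <chart>
      <!-- top sourcetypes -->
      <searchString>index=_internal | stats count by sourcetype | head 5</searchString>
      <earliestTime>-8h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">bar</option>
    </chart>
  </row>
</dashboard>"""

def migrate_legacy_searches(xml_text):
    """Return (new_xml, converted): each element that directly holds a
    <searchString> gets one <search> with <query>/<earliest>/<latest>."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    converted = 0
    for parent in list(root.iter()):
        legacy = [c for c in parent if c.tag in LEGACY_TO_NEW]
        if not any(c.tag == "searchString" for c in legacy):
            continue  # no legacy search here; leave the element alone
        search = ET.Element("search")
        for old_tag, new_tag in LEGACY_TO_NEW.items():  # fixed output order
            for child in legacy:
                if child.tag == old_tag:
                    ET.SubElement(search, new_tag).text = child.text
        # <search> takes the slot of the first legacy element it replaces.
        slot = min(list(parent).index(c) for c in legacy)
        for child in legacy:
            parent.remove(child)
        parent.insert(slot, search)
        converted += 1
    ET.indent(root)  # Python 3.9+; only affects whitespace between elements
    return ET.tostring(root, encoding="unicode"), converted

if __name__ == "__main__":
    new_xml, count = migrate_legacy_searches(SAMPLE_LEGACY)
    print(f"converted {count} search(es)\n{new_xml}")
```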
Thanks, but "searchstring" is no longer used in 6.2.2? Maybe not. I want to know the difference between them. "query" is better than "searchstring"? Something else, please tell me.
See here.
following this link:
http://www.splunk.com/view/SP-CAAANMA and go click on download course description.
Thanks for your help, I have found ways to circumvent this question. I will keep learning the improvements about the new version. Thank you very much.
Hi
this is the difference between "AND" and "OR"
when we use:
AND makes sure that all the conditions are verified
OR makes sure that at least one condition is verified
Hi dovelsh12223621,
Please explain your question well to me.
If possible, post your XML code for me.
If you used angular brackets around your XML items, you need to post those as code. Either click the button for that above the text box or leave one row blank before the code and indent by four spaces.