What's the difference between "searchstring" and "query" when defining a search in XML?

Path Finder

When I want to define a search in view (XML), I usually try the element "searchstring" OR "query". However, I don't really know the difference between them. Please give me some help, thanks.

1 Solution

Hi ,
I think that and are different in some points being given that the new version has improvements

  • Firstly, note that query is provided with search where you can pass an id and call it to another place in the same dashboard with base attribute.

  • Because query is a part of <searchString>, you may consider that <searchString> was divided into </query> </search> in the new version of Splunk, and this new one has more advantages.

For example, in the new version of Splunk, a dashboard can contain one or more global elements that drive the data displayed in the dashboard! This is possible by providing an id to ; this is not possible with searchString.

This is what explains my example: You can run it

<dashboard>
    <search id="base">
        <!-- The base query as you have it in the search tag of your visualization -->
        <query>index = _internal | stats count by sourcetype | head 5</query>
        <earliest>-8h@h</earliest>
        <latest>now</latest>
    </search>
    <row>
        <panel>
            <chart>
                <search base="base">
                    <!-- Any postprocessing goes here, we don't have any so this is empty -->
                </search>
                <option name="charting.chart">bar</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <!-- ...And all the other stuff you want to do. -->
            </chart>
            <chart>
                <search base="base">
                </search>
                <!-- You get the idea. -->
            </chart>
        </panel>
    </row>
</dashboard>

Communicator

hi
A search string is the combination of characters and words that make up the search being conducted, while a query is a request for information from a database.

0 Karma

Motivator

which come after the query tag only affects research, while is not the case with the tag searchstring

 ......
    <search>
        <query>
          ....your_search
        </query>
        ...**what you put here only affects the search that is in the query tag.**
    </search>

ex:

...
 <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log | stats count by component, log_level
    </query>
    <earliest>-30d</earliest>
    <latest>now</latest>              <!-- this only affects the search above. -->
  </search>

0 Karma

Motivator

hi
this is a difference between searchstring and query

you can use

<search>
           <query>   </query>
 </search>

directly into the mark dashboard or the mark form and in the chart,event,list,map,single,table

while searchstring
is used only in mark chart,event,list,map,single,table

so if you use searchstring
directly into the mark dashboard or the mark form, it will not work

0 Karma

Motivator

was used in previous versions

<searchString>-------</searchString>

used from version 6.2.x and both do the same job

<search>
       <query> ----- </query>
 </search>
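
An added example, not part of any post in this thread: a Python script that rewrites the older `<searchString>` form into the `<search><query>` form described in the replies. The sample dashboard is constructed, and the legacy `<earliestTime>`/`<latestTime>` names do not appear in the thread; they are the time-range tags that accompanied `<searchString>` in older Simple XML.

```python
import xml.etree.ElementTree as ET

# Legacy tag -> tag used inside <search>. Only searchString appears in the
# thread; earliestTime/latestTime are its legacy time-range siblings.
LEGACY_TO_NEW = {"searchString": "query",
                 "earliestTime": "earliest",
                 "latestTime": "latest"}

# Constructed sample: one legacy panel, one panel already in the new form.
LEGACY_DASHBOARD = """\
<dashboard>
  <row>
    <chart>
      <searchString>index=_internal | stats count by sourcetype | head 5</searchString>
      <earliestTime>-8h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">bar</option>
    </chart>
    <table>
      <search><query>index=_internal | head 5</query></search>
    </table>
  </row>
</dashboard>
"""

def migrate(xml_text):
    """Wrap legacy search tags in <search>; return (new_xml, panels_changed).

    ElementTree drops XML comments on parse, so keep a copy of the original.
    """
    root = ET.fromstring(xml_text)
    order = list(LEGACY_TO_NEW)
    changed = 0
    for parent in list(root.iter()):
        children = list(parent)
        legacy = [c for c in children if c.tag in LEGACY_TO_NEW]
        if not any(c.tag == "searchString" for c in legacy):
            continue  # nothing to convert, or already <search><query>
        pos = children.index(legacy[0])  # keep the search where it was
        search = ET.Element("search")
        for child in sorted(legacy, key=lambda c: order.index(c.tag)):
            parent.remove(child)
            child.tag = LEGACY_TO_NEW[child.tag]
            search.append(child)
        parent.insert(pos, search)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    new_xml, n = migrate(LEGACY_DASHBOARD)
    print(f"converted {n} panel(s)\n{new_xml}")
```

Running the script on an already converted dashboard changes nothing, so it is safe to apply repeatedly.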

Path Finder

Thanks, but "searchstring" is no longer in use in 6.2.2? Maybe not. I want to know the difference between them. "query" is better than "searchstring"? Something else, please tell me.

0 Karma

Champion

See here.

0 Karma

Motivator

following this link:
http://www.splunk.com/view/SP-CAAANMA and go click on download course description.

0 Karma

Path Finder

Thanks for your help, I have found ways to circumvent this question. I will keep learning the improvements about new version. Thank you very much.

0 Karma

Motivator

Hi
this is the difference between "AND" and "OR"
when we use :
AND make sure that all the condition is verified
OR make sure that at least one condition is verified

0 Karma

Motivator

Hi dovelsh12223621
Please explain me well your question
If possible post me your xml code

0 Karma

Champion

If you used angular brackets around your XML items, you need to post those as code. Either click the button for that above the text box or leave one row blank before the code and indent by four spaces.

0 Karma