Solved: How do you reference a "root search" from a Data M...

rjthibod · ‎03-10-2015

I have been using Objects and Pivot with much success. In the process of trying to play with the "Root Search" concept, I cannot find documentation on how to actually use the root search. Specifically, how does one include a root search in a Simple XML dashboard? For this example, assume my data model's object ID is "my_dm" and the root search's object id "summary_ids".

Do I reference "summary_ids" in the search field? Do I specify "id='summary_ids'" in a "search" XML field?

Please point me to any documentation or examples that you know of.

MuS · ‎03-10-2015

Hi rjthibod,

You can use the pivot command instead http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Pivot
Just tested it and created a root search called foo in my datamodel called Tutorial which is basically just a * search and I get back some events from the Splunk Unix App and therefore a field called COMMAND. So I can use this to test the pivot command like this:

| pivot Tutorial foo values(COMMAND) AS COMMAND

works like a charm.....

cheers, MuS

View solution in original post

MuS · ‎03-10-2015

Hi rjthibod,

You can use the pivot command instead http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Pivot
Just tested it and created a root search called foo in my datamodel called Tutorial which is basically just a * search and I get back some events from the Splunk Unix App and therefore a field called COMMAND. So I can use this to test the pivot command like this:

| pivot Tutorial foo values(COMMAND) AS COMMAND

works like a charm.....

cheers, MuS

rjthibod · ‎03-10-2015

Thank you! That page is exactly what I was looking for.

MuS · ‎03-10-2015

okay, I'll update my answer so you can accept the correct answer 😉

How do you reference a "root search" from a Data Model?

Enterprise Security Content Update (ESCU) | New Releases

Index This | What gets bigger the more you remove?

Introducing the 2024 Splunk MVPs!