The index query runs from the base query, and I want to append a saved search to the base query.
The saved search is just a filtration query. Since I have many panels from the same index, I tried to use it.
Please give suggestions if there are any available, and don't give suggestions to use it directly in the panel. If I have this in a saved search, I'll use it in other dashboards also.
index="******" host="****" source="Perfmon" counter="Available MBytes" sourcetype="Available_Memory" | savedsearch Prem_test
It throws the below error:
Error in 'SearchParser': The savedsearch command can only be used as the first command on a search savedsearch query "| eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available""
You need to create a macro for filtration instead of creating a saved search.
1.) Create a macro with the query
eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available", let's say the macro name is
2.) Now modify your search query
index="" host="" source="Perfmon" counter="Available MBytes" sourcetype="AvailableMemory" | `filterationquery`
@harsmarvania57 ... it works in search, but if I add it in panels the results are not displaying. Please help.
For me it is working in a dashboard panel. What problem are you facing? Any error?
@harsmarvania57 the Available column is displaying empty results, but in search it shows a value.
Please provide your dashboard XML code, because for me it is working fine in my lab.
@harsmarvania57 this is the XML, and the index is running in the base query. _time is displaying in the panel, but the other column, which has data, is not displaying.
<panel>
  <table>
    <title>Data Server : Average Available Memory (In GB) gt</title>
    <search base="base_Prof">
      <query>`test_prem`</query>
    </search>
    <option name="drilldown">none</option>
    <option name="link.exportResults.visible">0</option>
    <option name="link.inspectSearch.visible">0</option>
    <option name="link.openPivot.visible">0</option>
    <option name="link.openSearch.visible">1</option>
    <option name="refresh.display">progressbar</option>
    <option name="refresh.link.visible">0</option>
  </table>
</panel>
Based on the document,
A base search should be a transforming search that returns results formatted as a statistics table. Here I am assuming that your base search is
index="*" host="*" source="Perfmon*" counter="Available MBytes" sourcetype="Available_Memory" which is not correct because you are not doing any statistics here.
@harsmarvania57 so how can I achieve this search?
Can you please share the XML for how it worked for you?
What would you like to achieve? Because I used the query (which I have provided in the answer) directly in the dashboard.
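Added example, not posted by anyone in this thread: a Simple XML layout that keeps the shared base search and still lets the macro fill the "Available" column. When a base search has no transforming command, the post-process search only receives the fields the base search names explicitly, which matches the symptom above (_time shown, the other column empty). The macro name `test_prem` and the search id `base_Prof` come from the thread; the dashboard label, the time range and the `| fields _time Value` clause are assumptions.

```xml
<dashboard>
  <label>Available memory (constructed example)</label>
  <!-- Assumed macro, defined once under Settings > Advanced search > Search macros
       so that other dashboards can reuse it:
       name:       test_prem
       definition: eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available" -->

  <!-- Base search: no transforming command here, so every field the
       post-process search needs is listed with the fields command. -->
  <search id="base_Prof">
    <query>index="*" host="*" source="Perfmon*" counter="Available MBytes" sourcetype="Available_Memory" | fields _time Value</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <table>
        <title>Data Server : Average Available Memory (In GB)</title>
        <!-- Post-process search: the macro expands to the eval and timechart
             steps and runs over the _time and Value fields kept above. -->
        <search base="base_Prof">
          <query>`test_prem`</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Other panels that post-process `base_Prof` with different fields need those fields added to the same `fields` list.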