I tried to do the following in a dashboard:
First declare two base searches, the second one using the first one:
<search id="baseSearch1">
  <query> [QUERY1] </query>
</search>
<search base="baseSearch1" id="baseSearch2">
  <query> [QUERY2] </query>
</search>
<row>
  <panel>
    <single>
      <search base="baseSearch2">
        <query> [QUERY3]</query>
      </search>
    </single>
  </panel>
</row>
Hoping to end up with a combined query result for [QUERY1] | [QUERY2] | [QUERY3]. Unfortunately, this did not seem to work. (Splunk 6.3)
However, when I click the magnifying glass below the dashboard element I'm sent to the search interface with the combined query and the results (!), suggesting that I might be on the right track to somehow implement a nested base search.
I was wondering whether this was a known (solvable?) issue or perhaps a bug?
I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.
<dashboard>
  <label>nested query</label>
  <row>
    <panel>
      <table>
        <search id="baseSearch1">
          <query>| makeresults count=2</query>
        </search>
      </table>
      <table>
        <search base="baseSearch1" id="baseSearch2">
          <query>|streamstats count</query>
        </search>
      </table>
      <single>
        <search base="baseSearch2">
          <query>| table count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
@sabysingh
Nested query is OK. Please ask another question.
What are you trying to accomplish, and why can't you just create the dashboard panel from a search using appendcols as mentioned by dflodstrom (in which case he should credit for that answer) or other search commands (like a simple "condition 1 OR condition 2 OR condition 3")?
To increase efficiency: using the base search I retrieve several million events, and I wouldn't like to repeat such a search several times.
Secondly, to decrease code duplication.
I've had success with the appendcols command; have a look at the info here on the Splunk docs.
If there are “missing” fields on the second query, try to add “| fields a, b, c ..” to QUERY1.
R. Ismo
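The two-level funnel described in the thread (one shared first-level base search, a second-level base per panel group, and per-panel stats on top), combined with the "| fields" advice just above, as a complete Simple XML dashboard. This is an added example and is not code from any of the posters; the events are constructed with makeresults so it runs with no indexed data, and the field names user, action and src are assumptions for the illustration. In a real dashboard the first-level query would be the expensive index search, with "| fields" listing every column the lower levels need.

```xml
<dashboard>
  <label>nested base search example (constructed data)</label>

  <!-- First level: the one expensive search everything else is carved from.
       Here it is a constructed set of six fake login events (makeresults + eval),
       standing in for a real index search. The trailing "| fields" matters:
       a non-transforming base search only hands down the fields you keep,
       which is the usual cause of "missing" fields in post-process searches. -->
  <search id="baseEvents">
    <query>
      | makeresults count=6
      | streamstats count AS n
      | eval user=case(n%3==0,"alice", n%3==1,"bob", true(),"carol")
      | eval action=if(n%2==0,"success","failure")
      | eval src=if(n&lt;4,"10.0.0.1","10.0.0.2")
      | fields _time user action src
    </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>

  <!-- Second level: one narrower base per panel group, each chained to the
       first-level base instead of re-running it. -->
  <search base="baseEvents" id="baseFailures">
    <query>search action="failure" | fields _time user src</query>
  </search>
  <search base="baseEvents" id="baseSuccess">
    <query>search action="success" | fields _time user src</query>
  </search>

  <!-- Panels: only the final, panel-specific stats run here. -->
  <row>
    <panel>
      <title>Failed logins by user</title>
      <table>
        <search base="baseFailures">
          <query>stats count BY user | sort - count</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Distinct sources with failures</title>
      <single>
        <search base="baseFailures">
          <query>stats dc(src) AS sources</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Successful logins by source</title>
      <table>
        <search base="baseSuccess">
          <query>stats count BY src</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Note the "&lt;" escape inside the query: the dashboard is XML, so a bare "<" in SPL breaks the document. Two practical limits to keep in mind with this pattern: a non-transforming base search only passes the fields it retains to the post-process searches (hence the "| fields" on each level), and Splunk caps the events a post-process search can work on (the documented limit is 500,000), so a base search over "several million events" should itself be transforming or otherwise reduce the result set before it is chained.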