You don't need to use saved searches. Right at the beginning of the Simple XML reference, it says
"A dashboard can contain one or more global <search> elements that drive the data displayed in the dashboard."
Here's what you need to do in XML:
<dashboard>
  <search id="base">
    <!-- The base query as you have it in the search tag of your visualization -->
    <query>index = foo</query>
    <earliest>-8h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="base">
          <!-- Any postprocessing goes here, we don't have any so this is empty -->
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <!-- ...And all the other stuff you want to do. -->
      </chart>
      <chart>
        <search base="base">
        </search>
        <!-- You get the idea. -->
      </chart>
    </panel>
  </row>
</dashboard>
As you see, there's your one-time base search which we reference in our visualization (chart). This is basically the explicit version of what stephane_cyrille proposed, plus a bit simplified.
Thanks for your answer!
Ok edrivera3, this is another way to solve the problem.
1- DO AN INLINE SEARCH GLOBALLY WITHOUT TOKEN (base search). From this you can derive many postprocess searches (many panels).
2- DO THE POSTPROCESS AND FILTER THE RESULT OF THAT BASE SEARCH (it can be a savedsearch)
3- The postprocess search is piped at the end like this, for example:
..........|search $host$
See this:
docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/PostProcess
Hi, to use savedsearch with your token, try this in the searchString tag:
|savedsearch report_name ....... l..........|..
You can put your token anywhere, like in a normal query.
It may be necessary to put the token in quotes like this, for example: status="$status$"
NOTE: IF YOU ARE USING Splunk 6.2.... MAKE SURE YOU ENCLOSE THE QUERY IN
<query>....</query>
instead of
<searchString>.......</searchString>
Yes of course! You can call your saved search in each panel.
Here is an example of how you can call your saved search. Just do the same thing on each panel.
<dashboard>
  <label>Inline Search</label>
  <description>Table, Chart and Event panels powered by inline searches.</description>
  <row>
    <panel>
      <table>
        <title>Report Table</title>
        <search ref="reporting_search_table"/>
        <option name="count">5</option>
      </table>
      <chart>
        <title>Report Chart</title>
        <search ref="reporting_search_timechart"/>
        <option name="charting.chart">area</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Report Event</title>
        <search ref="nonreporting_search"/>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>
Are you referring to a report when you say saved search? If so, I haven't found a way to use a report while keeping my tokens for text input.
OK. So you are using a selection menu! There is a way to do it. Insert tokens in your search query before saving it as a report. It will work.
No. That doesn't work. If I insert the token before saving it, no result will show in the dashboard. This is my search query, and it would not produce results in either the search app or the dashboard because there is no error_number = $ error_number$.
index="job_event" error_number=$ error_number$ | stats values(test_number) as test_number by airplane_number
The only way I could make this work is by doing an inline search in the dashboard.
I tried adding quotation marks before the dollar signs in the token or adding an extra dollar sign but nothing works.