Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difference between base query, master query and independent query

Dheeru
Engager
‎04-19-2021 12:31 PM

Hi,

I am new to splunk and I am trying to create a dashboard with optimizing the independent queries and by using all the same base queries. Kindly let me know the difference between independent,master and base queries.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2021 04:23 PM

This page tells you about the types of searches you can have in dashboards.

https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/Savedsearches

but basically a base search is something that you can use as a building block for other searches, e.g.

<search id="this_is_a_base_search>
  <query>
index=_internal
| stats count by user
  </query>
</search>

and then you can have other searches that build in that, e.g. you could have a single panel showing a count for two users that uses that base search, such as

<single>
  <search base="this_is_a_base_search">
    <query>
| where user="admin"
    </query>
  </search>
</single>

and

<single>
  <search base="this_is_a_base_search">
    <query>
| where user="Dheeru"
    </query>
  </search>
</single>

 they would use the results from the first search.

You can also have multiple levels of base search, so a search can be also a base search but use another base search, e.g. from the above search, it could be...

<single>
  <search id="i_am_a_new_base_search" base="this_is_a_base_search">
    <query>
| where user="Dheeru"
    </query>
  </search>
</single>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2021 04:23 PM

This page tells you about the types of searches you can have in dashboards.

https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/Savedsearches

but basically a base search is something that you can use as a building block for other searches, e.g.

<search id="this_is_a_base_search>
  <query>
index=_internal
| stats count by user
  </query>
</search>

and then you can have other searches that build in that, e.g. you could have a single panel showing a count for two users that uses that base search, such as

<single>
  <search base="this_is_a_base_search">
    <query>
| where user="admin"
    </query>
  </search>
</single>

and

<single>
  <search base="this_is_a_base_search">
    <query>
| where user="Dheeru"
    </query>
  </search>
</single>

 they would use the results from the first search.

You can also have multiple levels of base search, so a search can be also a base search but use another base search, e.g. from the above search, it could be...

<single>
  <search id="i_am_a_new_base_search" base="this_is_a_base_search">
    <query>
| where user="Dheeru"
    </query>
  </search>
</single>

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...