- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to splunk and I am trying to create a dashboard with optimizing the independent queries and by using all the same base queries. Kindly let me know the difference between independent,master and base queries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This page tells you about the types of searches you can have in dashboards.
https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/Savedsearches
but basically a base search is something that you can use as a building block for other searches, e.g.
<search id="this_is_a_base_search>
<query>
index=_internal
| stats count by user
</query>
</search>and then you can have other searches that build in that, e.g. you could have a single panel showing a count for two users that uses that base search, such as
<single>
<search base="this_is_a_base_search">
<query>
| where user="admin"
</query>
</search>
</single>and
<single>
<search base="this_is_a_base_search">
<query>
| where user="Dheeru"
</query>
</search>
</single>they would use the results from the first search.
You can also have multiple levels of base search, so a search can be also a base search but use another base search, e.g. from the above search, it could be...
<single>
<search id="i_am_a_new_base_search" base="this_is_a_base_search">
<query>
| where user="Dheeru"
</query>
</search>
</single>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This page tells you about the types of searches you can have in dashboards.
https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/Savedsearches
but basically a base search is something that you can use as a building block for other searches, e.g.
<search id="this_is_a_base_search>
<query>
index=_internal
| stats count by user
</query>
</search>and then you can have other searches that build in that, e.g. you could have a single panel showing a count for two users that uses that base search, such as
<single>
<search base="this_is_a_base_search">
<query>
| where user="admin"
</query>
</search>
</single>and
<single>
<search base="this_is_a_base_search">
<query>
| where user="Dheeru"
</query>
</search>
</single>they would use the results from the first search.
You can also have multiple levels of base search, so a search can be also a base search but use another base search, e.g. from the above search, it could be...
<single>
<search id="i_am_a_new_base_search" base="this_is_a_base_search">
<query>
| where user="Dheeru"
</query>
</search>
</single>
