Hi,
I just wonder whether someone may be able to help me please.
I'm trying to put together a Post Process - Base Search with similar format to that below:
<search id="baseSearch">
<query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
<earliest>-30d</earliest>
<latest>now</latest>
</search>
<search base="baseSearch">
<query> index=_internal source=*splunkd.log | stats count by component, log_level</query>
<earliest>-1d</earliest>
<latest>now</latest>
</search>
Could someone tell me please, does the date period in the 'Base' search carry forward to the 'Post Process' search, or can they be different as shown in my example above?
Many thanks and kind regards
Chris
Yes, the post process search only contains those fields / transformed data from the base search. Your query in the postProcess search should not have any reference to index or source. Think of your postProcess search as another pipe, like you're piping the results from your base search into another command, except you are able to pipe your base search into multiple transforming commands or panels.
Your searches should look like this.
<search id="baseSearch">
<query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
<earliest>-30d</earliest>
<latest>now</latest>
</search>
<search base="baseSearch">
<query> where component="foo"</query>
</search>
<search base="baseSearch">
<query> where component="bar"</query>
</search>
Hi @bmacias84, many thanks for the confirmation.
Kind Regards
Chris
Is there a way we can override the time range mentioned in base search, in the Post Processing Search. I need this as I need 2 different charts for the same query, but with different time ranges. Please help.
@krsrbh I don't think you understand how post process search works. Post process search can only contain data from the base search. If you need separate time spans you will need to add a subsearch to your base search. In post process search you will need a filter statement to omit data from post process search or another.
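Putting the advice in this thread together, as an added example that is not part of the original posts: one Simple XML dashboard in which the base search does the only index scan and every panel is a post-process step over its result rows. For the two-time-range question it uses a different technique from the subsearch suggested above: the base search keeps _time bucketed by day so a panel can filter the base results to a narrower window and re-aggregate. The dashboard label and panel titles are made up; the -30d/now range and the splunkd.log query are the ones from the question.

```xml
<dashboard>
  <label>splunkd component activity (base search / post-process example)</label>
  <!-- Base search: reads the index once. _time is kept (bucketed per day) so that
       post-process panels can narrow the window without a second index scan. -->
  <search id="baseSearch">
    <query>index=_internal source=*splunkd.log
      | bin _time span=1d
      | stats count by _time, component, log_level</query>
    <earliest>-30d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Last 30 days: count by component and log_level</title>
      <table>
        <search base="baseSearch">
          <!-- No index/source here: only the base search's result fields exist.
               The post-process step just re-aggregates the daily buckets. -->
          <query>stats sum(count) as count by component, log_level</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Last day: same fields, window narrowed from the base results</title>
      <table>
        <search base="baseSearch">
          <!-- Granularity equals the bin span in the base search (one day). -->
          <query>where _time >= relative_time(now(), "-1d@d")
            | stats sum(count) as count by component, log_level</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>WARN and ERROR volume by component (30 days)</title>
      <chart>
        <search base="baseSearch">
          <query>where log_level="WARN" OR log_level="ERROR"
            | stats sum(count) as count by component
            | sort - count</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because every post-process search works on the base search's result rows rather than on raw events, keep the base search a transforming search (stats, timechart and the like) that returns a manageable number of rows, and put any field the panels filter on into its by-clause.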