I want to create a Dashboard containing several widgets that mainly, are views of the same set of information regarding activity of users in a system. The widgets will show the information about activity but splitted by different fields, summarized by different criteria or just grouped in many ways.
Basically I want to reuse the same initial search and let every widget add specific constraints to the search or add stats, chart or formatting commands.
Is that possible?
*I'm using Splunk 6.1
Thank you, that was what I was looking for!
Another quick question, Is it possible to set a saved search as the template search for a dashboard? As saved searches could be accelerated, it could increase overall performance if the dashboard if its base search is already tuned. Is there a way to make this possible?
Thanks for your help
I don't think so, considering the
<searchTemplate> is meant to be used for
$foo$ token substitution.
However, you can make search acceleration work without a maintenance nightmare by using macros. Place the search in a macro, and use that in both a saved accelerated search and the dashboard(s).